Overview
The MCP Provider enables AI agents to discover and invoke tools and APIs through the Model Context Protocol while Maverics enforces:
Capability-based access control using OPA policies
OAuth 2.0 token exchange for audience transformation
Session management and connection lifecycle
Comprehensive logging of agent actions
This allows AI language models to invoke enterprise APIs on behalf of users while maintaining security boundaries and audit trails.
Key Components
This pattern uses three Maverics components:
MCP Provider - Protocol server handling MCP transport and OAuth authorization
MCP Bridge Apps - Convert existing APIs into MCP tools with policy enforcement
MCP Proxy Apps - Protect existing MCP servers with policy enforcement
OIDC Provider - Token exchange
This pattern implements the Model Context Protocol specification.

Prerequisites
Complete the Maverics Storage Configuration Guide
Define services to include in your Identity Fabric
You can choose identity or attribute providers to include in your Identity Fabric. Leveraging services from cloud-based IDPs such as Microsoft Entra ID, Okta, Auth0, and Ping, open source providers such as Keycloak or WSO2, and on-prem services like LDAP, ensures that your application has what it needs for a secure authentication and authorization user flow. For providers not on the list, Maverics supports generic SAML and OIDC connections.
From your IDP, you will need to register a new application. From Maverics, you will create a new identity fabric configuration. You can then use it in a user flow for authentication.
Configuration Options
| Field | Description |
|---|---|
| Enabled | The Enabled toggle turns on integration with MCP servers, allowing dynamic authentication, model selection, and endpoint management for AI agents and external services. |
| Transports (HTTP Stream) - Stream Endpoint | An HTTP stream transport enables real-time, continuous data flow between the MCP Bridge and AI agents through a persistent HTTP connection, allowing bidirectional communication and immediate transmission of events and responses. In the Stream Endpoint field, specify the URL path where clients will connect to receive updates. |
| Session Header Name | The HTTP header name prefix used to identify an HTTP Stream session. |
| Session Timeout | The maximum period of inactivity before a session is automatically closed. This helps prevent idle or orphaned connections from consuming resources. |
| Allow Client Termination | When the toggle is enabled, clients may close their own stream sessions when disconnecting or shutting down. When the toggle is disabled, only the server can end the session. |
| OAuth 2.0 Discovery - Discovery Endpoint | The endpoint where the MCP provider exposes its own OAuth-protected resource metadata for discovery. |
| Authorization Server - Well-Known Endpoint | The OpenID Connect well-known endpoint of the authorization server used to validate tokens. |
| Refresh Interval | How often the MCP Provider refreshes metadata from the authorization server (for example: JWKS keys, issuer info). |
| JWT Token Validation - Expected Audiences | Defines the list of acceptable audience URLs for access tokens. |
| Clock Skew Allowance | Time tolerance allowed when validating token expiry or issuance to account for clock differences between systems. |
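The Expected Audiences and Clock Skew Allowance settings above describe claim checks the provider applies to every access token. The following is an added illustration of those checks in Python, not Maverics code: it assumes the token's signature has already been verified against the JWKS fetched from the authorization server's well-known endpoint, and works on the decoded claims. The issuer, audience and timestamp values are constructed samples.

```python
import time


def _audiences(claim):
    """Normalise the JWT 'aud' claim, which may be a single string or a list."""
    if claim is None:
        return []
    return [claim] if isinstance(claim, str) else list(claim)


def validate_claims(claims, expected_audiences, expected_issuer, clock_skew=30, now=None):
    """Check decoded access-token claims the way the settings above describe.

    - at least one 'aud' value must be in the configured Expected Audiences list
    - 'exp', 'nbf' and 'iat' are compared with a tolerance of clock_skew seconds
    Returns (True, "ok") on success, otherwise (False, reason).
    Signature verification is assumed to have happened before this is called.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    if not set(_audiences(claims.get("aud"))) & set(expected_audiences):
        return False, "audience mismatch"
    exp = claims.get("exp")
    if exp is None or now > exp + clock_skew:
        return False, "token expired"
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf - clock_skew:
        return False, "token not yet valid"
    iat = claims.get("iat")
    if iat is not None and iat > now + clock_skew:
        return False, "token issued in the future"
    return True, "ok"


# Constructed sample claims for a token minted for the MCP endpoint (hypothetical values).
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "aud": ["https://mcp.example.com/mcp", "https://other.example.com"],
    "iat": 900,
    "nbf": 900,
    "exp": 1000,
}

if __name__ == "__main__":
    # A token for a different resource must be rejected even though it is well-formed.
    print(validate_claims(SAMPLE_CLAIMS, ["https://api.example.com"], "https://idp.example.com", now=950))
```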
Deploy an MCP provider
From the Deployments Manager, go to the Orchestrator Settings section to define the settings for your MCP provider.
Configure an OIDC provider
A Maverics OIDC provider can be deployed with your MCP provider or as a standalone deployment. This enables the issuance of tightly scoped tokens governed by OPA policies, including support for OAuth 2.0 On-Behalf-Of (OBO) flows. This is critical for maintaining identity context when agents delegate tasks to other agents or services. Follow the steps in the OIDC configuration guide to deploy an OIDC provider.