MCP spec 2025-06-18: Authorization updates and contributors

Spring AI MCP Security brings about the MCP Specification Implementation for OAuth2.0/2.1 with 1. Dynamic Client Registration 2. Authroization Server Metadata 3. Protected Resource Metadata With this when the MCPClient sends request to MCPServer for initialization (Versioning and Capabilities negotiation), it gets denied with Resource Metadata information and the MCPClient is redirected to OAuth authorization server for to register and get access token to be used for MCPServer requests https://lnkd.in/gBQ-WDrc

If you’ve upgraded your Proxmox environment to version 9 and noticed your backups failing, the issue may be the older Veeam Plug-In for Proxmox VE which isn't compatible with Proxmox 9. The good news is that last week Veeam released an updated version of the plug-in, which now provides full support for Proxmox 9. Last weekend, I tested this new release in my lab, and I can confirm that backups are now working again. I wrote a blog post with my full test results, check it out here: 🔗https://lnkd.in/g-3J-ziC 𝐁𝐎𝐍𝐔𝐒: If you're new to Proxmox or want to learn more, I have a 3 part install and configure series on Youtube which can also be found in the blog post above. Proxmox Server Solutions Veeam Software #proxmox #veeam #backup #virtualization

⚡ Build secure, remote MCP servers in a few clicks with Vercel and Descope Try out the MCP with Next.js and Descope Template to build an MCP server with: ✅ Auth protection ✅ Configurable user consent screens ✅ Dynamic Client Registration Start building: https://lnkd.in/gXEcQNU7 P.S. Stop by the Descope booth at Vercel Ship AI today to see this template (and a lot more) in action!

Thinking through 𝐌𝐂𝐏 𝐆𝐚𝐭𝐞𝐰𝐚𝐲 𝐩𝐚𝐭𝐭𝐞𝐫𝐧𝐬: do you need more than JWT authentication? Tool-level authorization? Complete decoupling of client and backends? Virtualized MCP servers? The more I work with customers adopting Model Context Protocol (MCP), the more I see the light bulb going off 💡 when discussing MCP proxying needs. I've covered in the past how MCP Authorization spec misses the point [1] for enterprise use cases. And we see users trying to implement API gateways in front of their MCP servers [2]. So what are the prevailing patterns? 🔹 Simple passthrough / JWT validation 🔹 Tool-level authorization / RBAC 🔹 Version decoupling from backend MCP servers 🔹 Virtual MCP services 👉 𝐒𝐢𝐦𝐩𝐥𝐞 𝐩𝐚𝐬𝐬𝐭𝐡𝐫𝐨𝐮𝐠𝐡 / 𝐉𝐖𝐓 𝐯𝐚𝐥𝐢𝐝𝐚𝐭𝐢𝐨𝐧 is straight forward. You can use any HTTP gateway for this. The gateway doesn't need to understand the MCP protocol. Just enforce JWT validation (ie, check the Authorization HTTP header for a bearer and validate it against a JWKS) 👉 𝐓𝐨𝐨𝐥-𝐥𝐞𝐯𝐞𝐥 𝐚𝐮𝐭𝐡𝐨𝐫𝐢𝐳𝐚𝐭𝐢𝐨𝐧 𝐑𝐁𝐀𝐂 requires understanding the JSON-RPC payload of the HTTP messages. Fine-grained filtering of tool-responses or tool-calls requires understanding the details of the MCP protocol. API gateway *may* get away with doing this one off [2] but recommended to use a dedicated MCP gateway 👉 𝐕𝐞𝐫𝐬𝐢𝐨𝐧 𝐝𝐞𝐜𝐨𝐮𝐩𝐥𝐢𝐧𝐠 may be impossible with an API gateway and needs a dedicated MCP gateway. Basically, the gateway becomes the actual MCP server acting as a dedicated proxy to backends taking care of exchanging versioning differences (impl, protocol, etc) 👉 𝐕𝐢𝐫𝐭𝐮𝐚𝐥 𝐌𝐂𝐏 𝐬𝐞𝐫𝐯𝐢𝐜𝐞𝐬 requires a dedicated MCP gateway. In this pattern, the MCP gateway is the MCP server acting as a proxy to multiple backend MCP servers in a "federated" or "aggregated" view. That is a client connects up to single endpoint (MCP gateway) and can get access to multiple backend MCP servers without realizing the actual backend MCP servers. Governance and policy can be applied from a central spot (MCP gateway). Check out agentgateway for an OSS (The Linux Foundation) MCP gateway that solves these patterns. See comments for references. #mcpgateway #a2agateawy #llmgateway #mcp #modelcontextprotocol

# nginx/default.conf server { listen 80; server_name your.domain; # Redirect to HTTPS return 301 https://$host$request_uri; } server { listen 443 ssl http2; server_name your.domain; ssl_certificate /etc/letsencrypt/live/your.domain/fullchain.pem; # replace / mount ssl_certificate_key /etc/letsencrypt/live/your.domain/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; location / { proxy_pass http://web:5000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # WebSocket support: proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } # static files can be served directly if needed }

MCP now supports OAuth 2.1 out of the box! That means proper authentication for AI agents and MCP tools is finally standardized. With OAuth 2.1 + MCP, you can now: → Dynamically register clients → Issue & verify scoped JWT tokens → Track which agent acted for which user → Plug into existing IdPs (Auth0, Clerk, Firebase, etc.) We tested with Scalekit, a lightweight OAuth layer built for MCP servers. It adds full discovery, token flow, and audit logs with minimal config. 👉 Demo using ngrok and Exa MCP Check full tutorial on YT👇 (link in comment)

New in HCP Terraform and Terraform Enterprise: Org-level user token control. Easily manage or disable user API tokens to improve security and streamline permissions. More details in the blog: https://bit.ly/473FBl2

➡️ MCP Servers create stateful sessions and return a session ID. Agents do this, and return a context ID. When a client calls back into the MCP server, they need to send the session ID (as an HTTP header). 🖍️ The MCP servers should validate that this is a valid session. It should also tie this session to the authorization context of the user/agent. That is, you don't want attacker clients connecting up, guessing session IDs, and potentially getting them right and getting access to sensitive data. A session should be tied to a user/agent and cryptographically verifiable. As an agent makes decisions, calls MCP tools, calls other agents, we should be able to track the entire workflow or the entire causality of the interactions. I wrote about this a couple weeks back, but it seems to come up regularly. Take a look here ( 👇 ) for more. #mcp #sessions #state #agent #llm #openai

Day 8: Active Directory Domain Controllers vs Active Directory > ⚙️ “Active Directory stores the data, Domain Controllers bring it to life.” To wrap up the week, we explored the relationship between Active Directory (AD) and Domain Controllers (DCs) — two terms that often sound interchangeable but aren’t the same. Here’s what I learned: Active Directory is the directory service that stores information about users, computers, and permissions. Domain Controllers are the servers that run AD and handle authentication when a user logs in. When you sign into a network, the DC checks your credentials against AD’s stored data to grant or deny access. Having multiple DCs (redundancy) ensures reliability — if one fails, others keep the system running. I like to think of it this way: > “If Active Directory is the entire library system, Domain Controllers are the librarians making sure you get the right book when you need it.” Alexandra Boateng Yeboah Romeo Rahul Sharma Eugene John-Teye Newman Mortey #MyCSEJourney6.0WithEduc8Africa #MyCSEJourneyDiary #Educ8AfricaCybersecurityAdventures #MasteringCybersecurityEssentialsWithEduc8Africa #Educ8AfricaCyberRookies6.0 #Educ8AfricaGhana #HackingMyWayToCyber6.0

🗞️ ⏰ The #MCP Digest is being sent to subscribers tomorrow at 10:45AM in your timezone! Subscribe for free here: https://lnkd.in/eW_GbQSP The MCP Digest is the best way to stay up to date with MCP news, enhance your skills with how-to guides, and understand how to make your MCP deployments secure, scalable, and successful with loads of in-depth resources. 📰 This week's edition includes: ❓ The MCP server deployment options you don't know about (but need to) 📊 MCP observability explained (and how to achieve it) 🔐 How to easily sandbox/containerize MCP servers 📽️ The latest video overview of MCP Manager, featuring new and unseen functionality 💰 Using MCP servers in your business - everything you need to know We don't send spam - we send practical stuff you can actually use. ✅ So, don't miss out - get signed up now: https://lnkd.in/eW_GbQSP