MCP Gateway Enterprise

Active Gateways

Loading…

Request Flow — Azure Deployment

Client connects to the gateway

Copilot CLI / VS Code Copilot / Claude points its MCP config at gw.mikegcoleman.com.
Agent signs in via Entra

Gateway returns 401 + RFC 9728 metadata pointing to Entra. The client opens a Microsoft sign-in page (OAuth 2.0 + PKCE).
Entra issues a JWT

User authenticates; Entra returns an access token scoped to api://mcpgw-mcp-gateway. Client caches it.
Tool call lands at the gateway

Every MCP request carries Authorization: Bearer <JWT>. NGINX terminates TLS and forwards to the Data Plane.
Gateway validates & identifies user

Data Plane calls the sidecar's authenticate tool, which verifies the JWT signature against Entra's JWKS and returns a principal (Entra oid).
Sidecar resolves credentials per server

On each tool call, Data Plane asks the sidecar for an Authorization header for the target server:
· DuckDuckGo: no auth → empty headers
· GitHub: PAT read from Key Vault (per-user)
· Granola: OAuth bundle read from Key Vault
First Granola call: OAuth broker flow

No bundle yet → sidecar runs discovery + DCR + PKCE, returns an auth URL. User clicks → signs in at Granola → /oauth/callback stores the token bundle in Key Vault. Retry succeeds.
Tool response returns to the agent

Upstream MCP responds; gateway proxies back. Subsequent calls reuse cached credentials (silent refresh on expiry).

💻

MCP Client

VS Code Copilot · Copilot CLI · Claude

Authorization: Bearer <Entra JWT>

🪪

Microsoft Entra ID

issues JWT to client · validates via OIDC discovery
OAuth 2.0 + PKCE

User authentication

☁ Azure VNet

⎈ AKS Cluster

🌐

NGINX Ingress

gw.mikegcoleman.com · TLS / Let's Encrypt

management only

🛠

Control Plane

admin API
config & catalogs

checking…

🔀

Data Plane

validates JWT via sidecar
routes MCP traffic

checking…

plugin calls (authenticate · get_connection_headers · oauth-*)

🔌

entra-sidecar

JWT validation · credential delegation
OAuth broker (DCR + PKCE)

Authorization injected per server

🦆

DuckDuckGo MCP

in-cluster · no auth
empty headers

🐙

GitHub MCP

in-cluster · per-user PAT
static credential pattern

🔐

Azure Key Vault

per-user GitHub PATs
OAuth token bundles
pending OAuth state

↑ accessed by entra-sidecar via workload identity

🗄

Azure PostgreSQL

gateway state
tenants · sessions · audit

↑ accessed by Control Plane & Data Plane (private endpoint)

egress to upstream MCP endpoints & external APIs (internet)

🦆

api.duckduckgo.com

called by DuckDuckGo MCP

🌐

api.github.com

called by GitHub MCP

📝

mcp.granola.ai

OAuth-protected MCP
(no in-cluster wrapper)

🔄 First Granola call (per user, per ~90 days)

Sidecar discovers Granola's OAuth metadata, dynamically registers an OAuth client (RFC 7591 DCR), generates a PKCE challenge, and returns an auth URL. User clicks it → signs in at mcp-auth.granola.ai → IdP redirects to https://gw.mikegcoleman.com/oauth/callback → NGINX routes to sidecar:5555 → token bundle persisted in Key Vault. Subsequent calls inject the cached access token; refresh tokens rotate it silently as needed.