Skip to main content
Glama

OAuth-Protected CTERA MCP Server

by ronier83
GitHub
Python
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue

OAuth-Protected CTERA MCP Server

This is a secure Model Context Protocol (MCP) server that implements OAuth 2.1 authentication using Scalekit as the authorization server. The server provides CTERA Portal management capabilities with enterprise-grade security, ensuring proper authentication and authorization for all CTERA operations.

What is MCP?

MCP (Model Context Protocol) is a protocol designed for communication between LLMs and tools or resources. This implementation adds enterprise-grade security through OAuth 2.1 authentication, making it suitable for production deployments where access control is critical.

MCP

Features

  • OAuth 2.1 Authentication: Secure access using Scalekit authorization server
  • MCP Compliance: Implements the MCP authorization specification
  • CTERA Portal Management: Provides secure CTERA Portal operations and file management
  • Session Management: Automatic CTERA session handling with refresh capabilities
  • Token Validation: Validates access tokens with proper audience checking
  • Security Best Practices: Implements PKCE, proper error handling, and token audience validation

Prerequisites

  1. Scalekit Account: Sign up at Scalekit
  2. CTERA Portal: Access to a CTERA Portal instance with valid user credentials
  3. Python 3.11+: Required for running the server

Setup

1. Install Dependencies

pip install -e .

2. Configure Environment Variables

Copy the example environment file and configure your settings:

cp .env.example .env

Edit .env with your actual values:

# Scalekit OAuth Configuration SCALEKIT_ENVIRONMENT_URL=https://your-company.scalekit.com SCALEKIT_CLIENT_ID=your_scalekit_client_id SCALEKIT_CLIENT_SECRET=your_scalekit_client_secret SCALEKIT_RESOURCE_METADATA_URL=https://your-company.scalekit.com/resources/your_resource_id/.well-known/oauth-protected-resource SCALEKIT_AUDIENCE_NAME=your_resource_id METADATA_JSON_RESPONSE={"authorization_servers":["https://your-company.scalekit.com/resources/your_resource_id"],"bearer_methods_supported":["header"],"resource":"http://localhost:10000/mcp","scopes_supported":["ctera:read","ctera:admin","user:read"]} # CTERA Portal Configuration ctera.mcp.core.settings.scope=admin ctera.mcp.core.settings.host=your-ctera-portal.com ctera.mcp.core.settings.user=your_ctera_username ctera.mcp.core.settings.password=your_ctera_password ctera.mcp.core.settings.port=443 ctera.mcp.core.settings.ssl=true # Server Configuration PORT=10000

3. Configure Scalekit

In the Scalekit dashboard:

  1. Navigate to MCP servers and click Add MCP server
  2. Configure your server:
    • Server name: "CTERA Portal MCP Server"
    • Resource identifier: Your server URL (e.g., http://localhost:10000/mcp)
    • Allow dynamic client registration: Enable this
    • Access token lifetime: 300-3600 seconds
    • Scopes: ctera:read, ctera:admin, user:read

Running the Server

python src/server.py

The server will start on http://localhost:10000 (or your configured port).

API Endpoints

OAuth Discovery Endpoints

  • GET /.well-known/oauth-protected-resource/mcp - Resource metadata for MCP client discovery

MCP Endpoints

  • POST / - Main MCP endpoint (requires authentication)

Available CTERA Tools

The following tools are available through the MCP interface:

  1. ctera_portal_who_am_i - Get information about the currently authenticated CTERA user
  2. ctera_portal_list_dir - List contents of a directory in CTERA Portal
  3. ctera_portal_browse_team_portal - Browse to a specific Team Portal tenant (admin only)
  4. ctera_portal_browse_global_admin - Browse to global administration scope

Authentication Flow

  1. Discovery: MCP client discovers authorization server via /.well-known/oauth-protected-resource
  2. Registration: Client registers with authorization server (if using dynamic registration)
  3. Authorization: User authorizes the client through OAuth 2.1 flow
  4. Token Usage: Client includes access token in Authorization: Bearer <token> header
  5. Validation: Server validates token with Scalekit and checks audience

Error Handling

The server returns proper HTTP status codes and WWW-Authenticate headers:

  • 401 Unauthorized: Missing or invalid token
  • 403 Forbidden: Valid token but insufficient permissions
  • 503 Service Unavailable: Unable to validate token with authorization server

Security Features

  • Token Audience Validation: Ensures tokens are issued specifically for this server
  • PKCE Support: Protects against authorization code interception
  • Proper Error Responses: Returns WWW-Authenticate headers as required by MCP spec
  • Scope-based Authorization: Controls access to specific functionality

Troubleshooting

Common Issues

  1. Client Registration Fails
    • Check that SCALEKIT_ENVIRONMENT_URL is correct
    • Ensure dynamic client registration is enabled in Scalekit dashboard
    • Verify network connectivity to Scalekit
  2. Token Validation Fails
    • Check that RESOURCE_IDENTIFIER matches what's configured in Scalekit
    • Ensure the token was issued for the correct audience
    • Verify token hasn't expired
  3. CTERA Portal Connection Fails
    • Check that CTERA Portal configuration variables are set correctly
    • Verify CTERA Portal host is accessible and credentials are valid
    • Ensure CTERA Portal supports the configured authentication scope (admin/user)

Debug Mode

For debugging, you can add logging to see detailed error messages:

import logging logging.basicConfig(level=logging.DEBUG)

Project Structure

src/ ├── server.py # Main FastAPI server with OAuth middleware ├── ctera_mcp.py # MCP server implementation with CTERA Portal integration ├── auth.py # OAuth authentication middleware ├── config.py # Configuration and environment variable management └── __init__.py # Package initialization oauth-ctera.md # Guide for OAuth end-to-end implementation

Key Implementation Details

This implementation provides enterprise-grade security for CTERA Portal management:

  1. OAuth 2.1 Security:
    • Complete OAuth 2.1 authentication using Scalekit authorization server
    • Proper WWW-Authenticate headers as required by MCP specification
    • Token validation with audience checking for enhanced security
  2. CTERA Portal Integration:
    • Secure session management with automatic refresh handling
    • Support for both admin and user scopes
    • Four production-ready CTERA Portal management tools
    • Configurable SSL/non-SSL connections
  3. Enterprise Features:
    • MCP-compliant error responses and discovery endpoints
    • Comprehensive logging and debugging capabilities
    • Environment-based configuration management
    • Production-ready error handling
  4. Security Best Practices:
    • Implements OAuth 2.1 security standards
    • Validates tokens with proper audience checking
    • Secure credential management for CTERA Portal access
    • Proper scope-based authorization

OAuth End-to-End Enhancement

For even greater security, see oauth-ctera.md for implementing OAuth authentication end-to-end, eliminating the need to store CTERA credentials in your server configuration.

The server is fully compliant with the MCP authorization specification and ready for production deployment with enterprise-grade security.

This server cannot be installed

-
security - not tested
F
license - not found
-
quality - not tested

How are these scores calculated?

hybrid server

The server is able to function both locally and remotely, depending on the configuration or use case.

Enables secure management of CTERA Portal file systems and administration through OAuth 2.1 authentication. Provides enterprise-grade access to CTERA operations including directory browsing, user management, and team portal administration with proper authentication and authorization controls.

  1. What is MCP?
    1. Features
      1. Prerequisites
        1. Setup
          1. 1. Install Dependencies
          2. 2. Configure Environment Variables
          3. 3. Configure Scalekit
        2. Running the Server
          1. API Endpoints
            1. OAuth Discovery Endpoints
            2. MCP Endpoints
          2. Available CTERA Tools
            1. Authentication Flow
              1. Error Handling
                1. Security Features
                  1. Troubleshooting
                    1. Common Issues
                    2. Debug Mode
                  2. Project Structure
                    1. Key Implementation Details
                      1. OAuth End-to-End Enhancement

                        Related MCP Servers

                        • MCP Filesystem Python

                          punkpeye
                          -
                          security
                          A
                          license
                          -
                          quality
                          This server offers secure, read-only access to directory files via the MCP, supporting file searching, .gitignore compliance, path traversal protection, and MIME type detection using the 'file://' URI scheme.
                          Last updated -
                          19
                          MIT License
                          • Apple
                          • Linux

                        • Better Auth MCP Server

                          nahmanmate
                          A
                          security
                          A
                          license
                          A
                          quality
                          Enables enterprise-grade authentication management with secure credential handling and support for multi-protocol auth, complete with tools for analyzing, setting up, and testing authentication systems.
                          Last updated -
                          8
                          33
                          AGPL 3.0
                          • Apple

                        • Okta MCP Server

                          kapilduraphe
                          A
                          security
                          A
                          license
                          A
                          quality
                          Enables Claude to interact with Okta's user management system, providing capabilities to retrieve user details, list users with filtering options, and manage user groups.
                          Last updated -
                          20
                          30
                          18
                          MIT License
                          • Apple

                        • Better Auth MCP Server

                          LexiconAlex
                          A
                          security
                          A
                          license
                          A
                          quality
                          Enterprise-grade authentication solution that provides secure credential management with encryption, multi-protocol authentication (OAuth2, SAML, LDAP), and real-time threat detection for applications.
                          Last updated -
                          8
                          AGPL 3.0

                        View all related MCP servers

                        New MCP Servers

                        MCP directory API

                        We provide all the information about MCP servers via our MCP API.

                        curl -X GET 'https://glama.ai/api/mcp/v1/servers/ronier83/mcp-ctera-oauth'

                        If you have feedback or need assistance with the MCP directory API, please join our Discord server