MCP OAuth in Practice: Lessons from Building Authentication for AI Agents
Blog post from Semaphore
Semaphore is evolving from a traditional CI/CD platform into a foundation for AI-powered developer workflows, with a focus on secure and flexible authentication via OAuth. This change is necessitated by the transition of MCP servers from local to remote infrastructure, where traditional API keys fall short. Implementing OAuth in this context presents challenges due to the rapidly evolving MCP ecosystem, inconsistencies in agent behavior, and complexities in client registration and discovery. The team found that real-world testing across different agents is crucial, as theoretical specifications often fail to capture practical nuances. While Keycloak was initially used for identity management, the need for fine-grained authorization led Semaphore to develop its own internal authorization logic, emphasizing developer control over automation. This work is foundational for extending Semaphore's capabilities into agent-driven workflows and secure automation, aiming to create programmable, intelligent workflows without compromising transparency or control.