Docs for external MCP guardrails#618
Conversation
Signed-off-by: Art Berger <art.berger@solo.io>
Deploying agentproxy with
|
| Latest commit: |
2a82be6
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e96bd986.agentproxy.pages.dev |
| Branch Preview URL: | https://adb-extmcp.agentproxy.pages.dev |
| @@ -0,0 +1,88 @@ | |||
| Use MCP guardrails (also called ExtMCP) to apply external authorization and external processing to Model Context Protocol (MCP) requests. An external gRPC policy server inspects, allows, mutates, or denies individual MCP method calls, such as `tools/call` and `tools/list`, using MCP request context instead of generic HTTP metadata. | |||
There was a problem hiding this comment.
| Use MCP guardrails (also called ExtMCP) to apply external authorization and external processing to Model Context Protocol (MCP) requests. An external gRPC policy server inspects, allows, mutates, or denies individual MCP method calls, such as `tools/call` and `tools/list`, using MCP request context instead of generic HTTP metadata. | |
| Use MCP guardrails (also called ExtMCP) to apply external authorization and external processing to Model Context Protocol (MCP) requests. An external gRPC policy server inspects, allows, mutates, or denies individual MCP method calls, such as `tools/call` and `tools/list`, by using the MCP request context instead of generic HTTP metadata. |
|
|
||
| {{< reuse "agw-docs/snippets/agentgateway-capital.md" >}} already supports [external authorization]({{< link-hextra path="/security/extauth/basic" >}}) and [external processing (ExtProc)]({{< link-hextra path="/traffic-management/extproc" >}}) for HTTP traffic. Both call out to an external gRPC server so that you can centralize authorization and request or response mutation outside the proxy. However, these integrations operate on raw HTTP. To make a decision about an MCP tool call, the external server must reassemble the HTTP body, parse the JSON-RPC envelope, and handle MCP framing itself. | ||
|
|
||
| MCP guardrails solve this by calling out at the MCP method layer instead of the HTTP layer. The ExtMCP protocol is modeled on Envoy's ext_authz, but the external server receives a structured, MCP-native payload: the JSON-RPC method name, the target backend, the request or response parameters, and selected request headers. The server can then make a decision based on the actual tool, prompt, or resource being accessed, without re-implementing MCP semantics. |
There was a problem hiding this comment.
| MCP guardrails solve this by calling out at the MCP method layer instead of the HTTP layer. The ExtMCP protocol is modeled on Envoy's ext_authz, but the external server receives a structured, MCP-native payload: the JSON-RPC method name, the target backend, the request or response parameters, and selected request headers. The server can then make a decision based on the actual tool, prompt, or resource being accessed, without re-implementing MCP semantics. | |
| MCP guardrails solve this challenge by calling out at the MCP method layer instead of the HTTP layer. The ExtMCP protocol is modeled on Envoy's `ext_authz` filter, but the external server receives a structured, MCP-native payload, including the JSON-RPC method name, the target backend, the request or response parameters, and selected request headers. The server can then make a decision based on the actual tool, prompt, or resource that is being accessed, without re-implementing MCP semantics. |
| * Rewrite request parameters or response results to redact sensitive data or inject context. | ||
| * Centralize MCP authorization logic in an external service that you already operate. | ||
|
|
||
| ### Sequence diagram |
There was a problem hiding this comment.
| ### Sequence diagram | |
| ### How it works |
| participant Client as MCP client | ||
| participant AGW as agentgateway | ||
| participant Ext as ExtMCP server | ||
| participant MCP as MCP target |
There was a problem hiding this comment.
| participant MCP as MCP target | |
| participant MCP as MCP backend |
| AGW->>MCP: Forward (possibly mutated) request | ||
| MCP-->>AGW: Result | ||
| AGW->>Ext: CheckResponse (result) | ||
| Ext-->>AGW: Pass or Mutated result |
There was a problem hiding this comment.
| Ext-->>AGW: Pass or Mutated result | |
| Ext-->>AGW: Pass or return mutated response |
| Client->>AGW: tools/call (JSON-RPC) | ||
| AGW->>Ext: CheckRequest (method, tool, params, headers) | ||
| alt Allowed or mutated | ||
| Ext-->>AGW: Pass or Mutated params |
There was a problem hiding this comment.
| Ext-->>AGW: Pass or Mutated params | |
| Ext-->>AGW: Pass request or return mutated params |
| AGW->>Ext: CheckResponse (result) | ||
| Ext-->>AGW: Pass or Mutated result | ||
| AGW-->>Client: Result | ||
| else Denied |
There was a problem hiding this comment.
wondering if there is another alternative route where the authorization error comes up after it checks the response
|
|
||
| ### Phases | ||
|
|
||
| The `methods` map controls when each method runs through a processor. Set a phase for each method that you want to send to the server. |
There was a problem hiding this comment.
the sections before the steps start are heard to understand as it talks about settings that you don't know where they are coming from. I think it would be good to have a sample agw policy and tell people that this is where you set it. then you dive into individual settings
There was a problem hiding this comment.
also wondering if all of those concepts should live on a separate page. the page is pretty long
There was a problem hiding this comment.
might also be good to explain the methods block and that this refers to the API calls in the MCP spec
There was a problem hiding this comment.
looking at the policy, maybe you change the IA and start from the processor perspective. say that the processor defines the actions to take for a particular request/ response. and then you explain that each processor must be enforced by an ExtMCP server. that you can have multiple ExtMCP and each does a specific manipulation. and then for each processor, you say that you need to define the phase when this manipulation is supposed to happen, the method and the actual action.
There was a problem hiding this comment.
can we also add a link to the ExtMCP spec so that people know what to do to make their server compliant
| appProtocol: agentgateway.dev/mcp | ||
| EOF | ||
| ``` | ||
|
|
There was a problem hiding this comment.
maybe add verification steps?
| methods: | ||
| tools/call: Request | ||
| tools/list: Response | ||
| EOF |
There was a problem hiding this comment.
can we add a description for this block
methods:
tools/call: Request
tools/list: Response
it is a little hard to understand for me what this is actually doing
There was a problem hiding this comment.
added a table after the config
| - backendRefs: | ||
| - name: ext-mcp | ||
| port: 4445 | ||
| --- |
There was a problem hiding this comment.
it is a little hard to understand where this hostname is coming from and where this is used. also do you always create an httproute or only to apply the policy? because the policy does not seem to reference the httproute
|
|
||
| ### Step 6: Optional: Set a timeout for the policy server {#timeout} | ||
|
|
||
| The guardrails callout has no deadline by default. If the policy server is slow or cold, the request can hang instead of letting `failureMode` engage. To bound the call, set a request timeout on the policy server with a `backend.http.requestTimeout` policy. |
There was a problem hiding this comment.
what happens if the timeout is happening. will the call just fail? (aka what does the MCP client see?)
Signed-off-by: Art Berger <art.berger@solo.io>
2 participants
Closes #609