FastMCP认证客户端:安全连接的企业级方案
项目地址: https://gitcode.com/GitHub_Trending/fa/fastmcp 在当今AI应用快速发展的时代,安全连接已成为企业级应用的核心需求。FastMCP认证客户端提供了完整的认证解决方案,支持Bearer Token和OAuth 2.1协议,确保MCP(Model Context Protocol)服务器与客户端之间的安全通信。
认证机制概览
FastMCP支持两种主要的认证方式:
| 认证类型 | 适用场景 | 安全性 | 交互方式 |
|---|---|---|---|
| Bearer Token | 服务账户、API密钥、CI/CD | 高 | 非交互式 |
| OAuth 2.1 | 用户授权应用 | 极高 | 交互式(浏览器) |
Bearer Token认证实战
Bearer Token认证适用于服务到服务的通信场景,提供简单高效的认证机制。
基础配置示例
from fastmcp import Client
# 最简单的Bearer Token配置
async with Client(
"https://api.example.com/mcp",
auth="your-secret-token-12345",
) as client:
result = await client.call_tool("process_data", {"input": "test"})
print(f"处理结果: {result.text}")
高级配置选项
from fastmcp import Client
from fastmcp.client.auth import BearerAuth
from fastmcp.client.transports import StreamableHttpTransport
# 使用BearerAuth类进行显式配置
bearer_auth = BearerAuth(token="your-secret-token-12345")
# 自定义传输配置
transport = StreamableHttpTransport(
"https://api.example.com/mcp",
auth=bearer_auth,
timeout=30.0,
headers={
"User-Agent": "Enterprise-MCP-Client/1.0",
"X-Correlation-ID": "req-123456"
}
)
async with Client(transport) as client:
# 执行认证操作
await client.ping()
print("✅ 认证成功")
自定义头部认证
对于需要特殊头部格式的认证场景:
from fastmcp import Client
from fastmcp.client.transports import StreamableHttpTransport
# 自定义认证头部
async with Client(
transport=StreamableHttpTransport(
"https://api.example.com/mcp",
headers={
"X-API-Key": "your-api-key-abcdef",
"X-Client-ID": "client-123",
"X-Timestamp": "20240830040042"
},
),
) as client:
tools = await client.list_tools()
print(f"可用工具数量: {len(tools)}")
OAuth 2.1认证深度解析
OAuth 2.1提供了更高级的安全特性,特别适合需要用户授权的场景。
OAuth认证流程图
基础OAuth配置
from fastmcp import Client
# 最简单的OAuth配置
async with Client("https://secure.example.com/mcp", auth="oauth") as client:
await client.ping()
print("OAuth认证成功")
完整OAuth配置示例
from fastmcp import Client
from fastmcp.client.auth import OAuth
# 完整OAuth配置
oauth_config = OAuth(
mcp_url="https://secure.example.com/mcp",
scopes=["read:data", "write:data", "admin:tools"],
client_name="企业数据处理器",
token_storage_cache_dir="/opt/app/oauth-cache",
callback_port=8080,
additional_client_metadata={
"company": "Example Corp",
"environment": "production"
}
)
async with Client("https://secure.example.com/mcp", auth=oauth_config) as client:
# 获取服务器信息
server_info = await client.get_server_info()
print(f"服务器名称: {server_info.name}")
print(f"服务器版本: {server_info.version}")
企业级最佳实践
令牌管理策略
from pathlib import Path
from fastmcp.client.auth.oauth import FileTokenStorage
class EnterpriseTokenManager:
def __init__(self, base_cache_dir: Path = Path("/enterprise/oauth-cache")):
self.base_cache_dir = base_cache_dir
async def clear_server_tokens(self, server_url: str):
"""清理特定服务器的令牌"""
storage = FileTokenStorage(
server_url=server_url,
cache_dir=self.base_cache_dir / "tokens"
)
await storage.clear()
print(f"已清理 {server_url} 的令牌缓存")
async def clear_all_tokens(self):
"""清理所有服务器的令牌"""
FileTokenStorage.clear_all(cache_dir=self.base_cache_dir / "tokens")
print("已清理所有令牌缓存")
async def rotate_tokens(self, server_url: str):
"""令牌轮换策略"""
await self.clear_server_tokens(server_url)
print(f"已启动 {server_url} 的令牌轮换流程")
# 使用示例
token_manager = EnterpriseTokenManager()
# await token_manager.rotate_tokens("https://api.example.com/mcp")
错误处理与重试机制
import asyncio
import backoff
from fastmcp import Client
from fastmcp.exceptions import AuthenticationError, TransportError
class ResilientMCPClient:
def __init__(self, server_url: str, auth_config: dict):
self.server_url = server_url
self.auth_config = auth_config
@backoff.on_exception(backoff.expo,
(AuthenticationError, TransportError),
max_tries=5,
max_time=300)
async def connect_with_retry(self):
"""带重试机制的连接方法"""
try:
async with Client(self.server_url, **self.auth_config) as client:
# 验证连接状态
if await client.ping():
print("✅ 连接建立成功")
return client
else:
raise AuthenticationError("Ping验证失败")
except Exception as e:
print(f"连接失败: {e}")
raise
async def execute_tool_safely(self, tool_name: str, parameters: dict):
"""安全执行工具方法"""
client = await self.connect_with_retry()
try:
result = await client.call_tool(tool_name, parameters)
return result.text
except Exception as e:
print(f"工具执行失败: {e}")
return None
# 使用示例
resilient_client = ResilientMCPClient(
"https://api.example.com/mcp",
{"auth": "your-token-123"}
)
# result = await resilient_client.execute_tool_safely("process_data", {"input": "test"})
安全配置检查表
为确保认证安全,请遵循以下检查表:
🔒 认证安全清单
- 使用HTTPS加密所有通信
- 定期轮换Bearer Token
- 为不同环境使用不同的认证配置
- 监控认证失败日志
- 实施速率限制防止未授权访问
- 使用合适的令牌过期时间
- 确保令牌存储目录权限安全
- 定期审计认证配置
📊 性能优化建议
from dataclasses import dataclass
from typing import Optional
import time
@dataclass
class AuthPerformanceMetrics:
connection_time: float
token_validation_time: float
request_latency: float
success_rate: float
class AuthPerformanceMonitor:
def __init__(self):
self.metrics: list[AuthPerformanceMetrics] = []
async def measure_auth_performance(self, client_config: dict):
"""测量认证性能"""
start_time = time.time()
try:
async with Client(**client_config) as client:
connection_time = time.time() - start_time
# 测量令牌验证时间
token_start = time.time()
await client.ping()
token_validation_time = time.time() - token_start
# 测量请求延迟
request_start = time.time()
await client.list_tools()
request_latency = time.time() - request_start
metrics = AuthPerformanceMetrics(
connection_time=connection_time,
token_validation_time=token_validation_time,
request_latency=request_latency,
success_rate=1.0
)
self.metrics.append(metrics)
return metrics
except Exception:
# 记录失败指标
failed_metrics = AuthPerformanceMetrics(
connection_time=time.time() - start_time,
token_validation_time=0,
request_latency=0,
success_rate=0
)
self.metrics.append(failed_metrics)
return failed_metrics
多环境部署策略
环境配置管理
import os
from enum import Enum
from typing import Dict, Any
class Environment(Enum):
DEVELOPMENT = "dev"
STAGING = "staging"
PRODUCTION = "production"
class EnvironmentConfig:
def __init__(self):
self.configs: Dict[Environment, Dict[str, Any]] = {
Environment.DEVELOPMENT: {
"mcp_url": "http://localhost:8000/mcp",
"auth": "dev-token-123",
"timeout": 10.0
},
Environment.STAGING: {
"mcp_url": "https://staging-api.example.com/mcp",
"auth": "staging-token-456",
"timeout": 15.0
},
Environment.PRODUCTION: {
"mcp_url": "https://api.example.com/mcp",
"auth": "prod-token-789",
"timeout": 30.0
}
}
def get_config(self, env: Environment) -> Dict[str, Any]:
"""获取环境配置"""
return self.configs.get(env, {})
def get_current_config(self) -> Dict[str, Any]:
"""获取当前环境配置"""
env_name = os.getenv("APP_ENV", "dev")
env = Environment(env_name)
return self.get_config(env)
# 使用示例
config_manager = EnvironmentConfig()
client_config = config_manager.get_current_config()
async with Client(**client_config) as client:
# 在当前环境下执行操作
await client.ping()
总结
FastMCP认证客户端提供了企业级的安全连接解决方案,通过Bearer Token和OAuth 2.1协议的支持,确保了MCP通信的安全性和可靠性。关键优势包括:
创作声明:本文部分内容由AI辅助生成(AIGC),仅供参考
