This is the final post in a three-part series on MCP Authorization following the June 2025 revisions. In the first two posts, we built an MCP server with the HTTP transport and implemented the right OAuth token handling and verification. Up until now, we used a local identity provider (IdP) and in this post, we’ll make the right updates to use a production IdP. For this post, we’ll use the Keycloak project, but the same can be done with any other OAuth capable IdP.
