Authentication and authorization¶
Ontology MCP (OMCP) is built on top of the OAuth 2.0 configuration of the Developer Console application that exposes it. When an MCP client connects to your Ontology MCP server, it authenticates using the same OAuth 2.0 client and authorization server that handle all other requests to your application; there is no separate authentication system to configure for MCP.
The application restrictions, permissions, and OAuth client settings you have already defined for your Developer Console application also apply to requests made through Ontology MCP. Tokens issued for MCP access are scoped to the operations and resources you have granted to the application.
Supported grant types¶
Ontology MCP supports the two OAuth 2.0 grant types that Foundry exposes for third-party applications. Choose the grant type that matches how your MCP client will act on behalf of users:
- Authorization code grant: Use this grant type when the MCP client should act on behalf of an end user. Each user explicitly consents to the requested scopes, and the resulting access token is scoped to that user's permissions in Foundry. This is the appropriate choice for interactive agents and editors where individual users sign in to access ontology resources.
- Client credentials grant: Use this grant type for non-interactive, service-to-service workflows where the MCP client acts as a service user rather than on behalf of a specific end user. The client authenticates with a client ID and client secret, so it must be a confidential client capable of safely storing the secret. This is the appropriate choice for backend services and integrations such as Microsoft Copilot Studio.
You can enable one or both grant types on the same Developer Console application, depending on the MCP clients you intend to support. Configure the settings each grant type needs from the OAuth & Permissions page of your application in Developer Console: redirect URLs for the authorization code grant, a client secret for the client credentials grant (and for any confidential client using the authorization code grant), and the scopes that apply to both.
For a full description of the OAuth 2.0 flows, endpoints, and parameters that Foundry supports, see Writing OAuth2 clients for Foundry.
Scopes and restrictions¶
Access tokens issued to MCP clients are restricted by the scopes configured on your Developer Console application. Make sure that the application is granted the operations required by the ontology resources that you expose through MCP, and that the requesting user or service user has the necessary permissions on the underlying objects, actions, and queries.