MCP Proxy Listener
The MCP Proxy Listener is a consumer component that enables ConnectPlaza users to handle all MCP traffic for both ConnectPlaza embedded MCP Servers (using our MCP Server Listener) and external MCP Servers.
For external users, this MCP Proxy contains all Tools and Resources exposed by all MCP Servers in one bundled proxy gateway. This is achieved by configuring all external MCP URLs that need to be bundled together. AI Agents then no longer need to connect to various MCP Servers directly and point-to-point, but can reach them through this single entry point.
All MCP Servers are combined in a single view that can be accessed directly. A central form of governance using OAuth2 can also be applied to all configured MCP endpoints.
Example configuration:
- McpServer_1
  - Tool_A
  - Tool_B
- McpServer_2
  - Tool_C
  - Tool_D
This would be converted into a single MCP Server containing these tools:
- McpServer_1_Tool_A
- McpServer_1_Tool_B
- McpServer_2_Tool_C
- McpServer_2_Tool_D
At startup the MCP Proxy Listener automatically connects to all configured MCP Servers to collect all Tools and Resources. If an MCP Server is unreachable, has no Tools/Resources or is otherwise faulty, the connection will be re-attempted 5 times before the MCP Server is skipped from the list.
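The merge and startup behaviour described above, modelled as an added example (not ConnectPlaza code): it builds the prefixed catalogue, skips a server once the retries are exhausted, and flags exposed names that collide after prefixing. The `_` separator is inferred from the example names, `list_tools` is a hypothetical stand-in for tool discovery, reading "re-attempted 5 times" as one attempt plus five retries is an assumption, and all server names, URLs and tools are constructed.

```python
from typing import Callable, Dict, List, Tuple

RETRIES = 5  # page: a failing server is re-attempted 5 times, then skipped

def collect(servers: Dict[str, str], list_tools: Callable[[str], List[str]]):
    """Return (routes, skipped, collisions); list_tools is a hypothetical discovery stub."""
    routes: Dict[str, Tuple[str, str]] = {}  # exposed name -> (server, original tool)
    skipped: List[str] = []
    collisions: List[str] = []
    for name, url in servers.items():
        tools: List[str] = []
        for _ in range(1 + RETRIES):  # assumption: first attempt plus 5 retries
            try:
                tools = list_tools(url)
            except OSError:
                tools = []
            if tools:  # unreachable or empty both count as a failed attempt
                break
        if not tools:
            skipped.append(name)
            continue
        for tool in tools:
            exposed = f"{name}_{tool}"  # separator inferred from the page's example
            if exposed in routes:
                collisions.append(exposed)  # two backends behind one exposed name
            else:
                routes[exposed] = (name, tool)
    return routes, skipped, collisions

# Constructed sample data: server names, URLs and tools are placeholders.
SERVERS = {
    "McpServer_1": "https://mcp1.example.internal/sse",
    "McpServer_2": "https://mcp2.example.internal/sse",
    "McpServer": "https://mcp3.example.internal/sse",
    "Down": "https://down.example.internal/sse",
}
CATALOGUE = {
    SERVERS["McpServer_1"]: ["Tool_A", "Tool_B"],
    SERVERS["McpServer_2"]: ["Tool_C", "Tool_D"],
    SERVERS["McpServer"]: ["1_Tool_A"],  # "McpServer" + "_" + "1_Tool_A" collides
}
CALLS: List[str] = []

def fake_list_tools(url: str) -> List[str]:
    CALLS.append(url)
    if url not in CATALOGUE:
        raise ConnectionError("unreachable")
    return CATALOGUE[url]
```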
Every MCP Proxy is bound to an HTTP Host and Port together with a Context path (which defaults to /). The Server will automatically add /sse to the context path for Server-Sent Events mode. Together these form a unique triplet and therefore, internally, one MCP Server. Proxies that are configured on another Host, Port or Context path will automatically open a new MCP Server. Each MCP Proxy will expose all Tools and Resources available on all configured target endpoints. When all MCP Proxies that form an MCP Server are either undeployed or destroyed, and all Tools and Resources are deregistered, the MCP Server itself will automatically be removed.
Currently the MCP Proxy Listener supports both HTTP with SSE (Server-Sent Events) and Streamable HTTP. It does not support STDIO, as the MCP Client must access the Agent through HTTP(S). As with other HTTP-based Listeners, this Consumer also supports TLS and either BASIC authentication or OAuth2-based authentication, identical to the REST Listener. For more information see the REST Listener’s security documentation, which applies here.
The MCP Proxy Server allows you to process any response from any of the configured MCP Servers through the flow in which it sits as a Consumer. This is optional and can be turned on as needed. If activated, this flow must also use a Message Reply Producer.
In the table below, you will find an explanation of these properties. All attributes with a ‘*’ are mandatory.
| Attribute | Description |
| --- | --- |
| Name* | By default, we fill this out with the technical ‘tag’, followed by a serial number. Changing the name is optional. |
| Enabled | Set this value to true if you want this service to be enabled. |
| Hostname | Hostname used to create the endpoint. |
| Port | Port number. The default is the Jetty port. |
| Context Path | Path on which to open the webservice endpoint. A custom Context Path should always start with a forward slash (/), for instance "/CustomPath". |
| Transport Type | Defines the transport type of the MCP Client. Can be set to either SSE (Server-Sent Events) or Streamable HTTP. When set to STREAMABLE, the defined Context Path will be used to register the MCP Server Listener. |
| Method | Specify which HTTP Methods are allowed (GET/POST/HEAD/OPTIONS/PUT/PATCH/DELETE/TRACE). You may also use a comma-separated list. To enter a value, click in the lower part of the box; a drop-down menu will appear from which you can select, or you can type your selection. |
| MessagePart Out | Name of the MessagePart in a ConnectMessage where the content of the file is being stored. |
| Response Timeout | Time in milliseconds to wait before time-out. |
| Enable TLS | Enables the TLS Connector. When set to true, the keystore value and alias value should be set. Otherwise, the defaults will be used. |
| Certificate alias in Keystore | This attribute is only visible when the attribute Enable TLS has value true. Set the certificate alias for the selected server certificate. It should exist in the defined keystore. |
| Key password | This attribute is only visible when advanced mode is enabled and the attribute Enable TLS has value true. Password for the certificate key. If left empty, the default key password will be used. |
| Keystore location | This attribute is only visible when advanced mode is enabled and the attribute Enable TLS has value true. The location of the keystore. Should be a path to the keystore JKS file. If left empty, the default keystore will be used. |
| Keystore password | This attribute is only visible when advanced mode is enabled and the attribute Enable TLS has value true. Password of the keystore. If left empty, the default keystore password will be used. |
| Authentication Realm | Provide an Authentication file from Resources to specify the configured Authentication for the selected Scheme. See the chapter on Providing Authentication for HTTP/WS Listeners. For more information, follow this link. |
| Authentication Scheme | Select the desired Authentication Scheme (NONE, BASIC, JDBC, LDAP, OAUTH2_OIDC_ISSUER_URI, OAUTH2_OIDC_JWK_SET_URI). See the chapter on Providing Authentication for HTTP/WS Listeners and the section on OAuth2/OIDC security on this page. For more information, follow this link. |
| Issuer URI | If Authentication Scheme is set to OAUTH2_OIDC_ISSUER_URI, you are required to provide an OAuth2/OIDC issuer URL. See the section above on OAuth2/OIDC Security. |
| JWK Set URI | If Authentication Scheme is set to OAUTH2_OIDC_JWK_SET_URI, you are required to provide a JSON Web Key (JWK) Set URI. See the section above on OAuth2/OIDC Security. |
| OAuth2/OIDC Scope | If Authentication Scheme is set to OAuth2/OIDC, you can optionally specify that access tokens are required to have a certain scope. In the case of JWTs this is a scope included in the scopes claim. Note that you can currently only specify a single scope. If left empty, no further requirements are imposed on access tokens. |
| JWT Claim Expression | Only available if Authentication Scheme is set to OAuth2/OIDC. The JSON Web Token (JWT) claim expression can be used to allow or deny requests based on the claims inside the access token (provided it is a JWT) used by OAuth2/OIDC. See the documentation above for more information. |
| Include JWT in ConnectMessage | NOTE: This attribute is only visible when the attribute Authentication Scheme has value OAUTH2_OIDC_ISSUER_URI or OAUTH2_OIDC_JWK_SET_URI. If enabled, the JWT claims will be included in the ConnectMessage as a text messagepart. The JWT claims will be in JSON format. You can use JSONPath expressions to extract specific claims from the messagepart. |
| JWT Claims MessagePart Name | NOTE: This attribute is only visible when the attribute Include JWT in ConnectMessage has value true. The name of the message part that will contain the JWT claims. |
| MCP Server Details | A set of items containing every MCP Server that this Proxy should connect to. All respective Tools and Resources will be published into this Proxy's MCP Server. |
| MCP Server Name | Specifies the unique name of this MCP Server. This name cannot be reused in other configured Servers. All discovered Tools and Resources will be prefixed by this name. |
| MCP Server URL | Specify the URL of this MCP Server for the Proxy to connect to. |