The initial remote MCP specification was pretty painful, but the June spec and the upcoming November spec are much more workable - MCP auth is (mostly) just OAuth now. MCP Clients are OAuth clients and can be granted access tokens and managed just like any other 3rd party app integration.
I'd love to hear more about the specific issues you're running into with the new version of the spec. (disclaimer - I work at an auth company! email in bio if you wanna chat)
Basically, I'm trying to just create a protected MCP server that works with ChatGPT. That's it. Nothing fancy.
So far, I was not able to do it. And there are no examples that I can find. It's also all complicated by the total lack of logs from ChatGPT detailing the errors.
I'll probably get there eventually and publish a blog...
ChatGPT provides a new Apps SDK that makes things easier. The MCP server does need a proper Authorization Server to do OAuth, including DCR and OIDC metadata support, but those are the best way to do what they are trying to do. Anything else I have considered would be much worse security and discovery wise.
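Added example, not part of the thread and not code from any commenter or from ChatGPT: a preflight check of an authorization server metadata document for the pieces named above (DCR, discovery metadata), useful when the client gives no error logs. The field names come from RFC 8414 / OIDC Discovery and RFC 7591; which fields a given MCP client actually insists on is an assumption, and `auth.example.com` and the sample document are constructed.

```python
from urllib.parse import urlparse

# Constructed sample of an authorization server metadata document
# (RFC 8414 / OIDC Discovery field names). auth.example.com is a placeholder.
SAMPLE_GOOD = {
    "issuer": "https://auth.example.com",
    "authorization_endpoint": "https://auth.example.com/authorize",
    "token_endpoint": "https://auth.example.com/token",
    "registration_endpoint": "https://auth.example.com/register",
    "response_types_supported": ["code"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "code_challenge_methods_supported": ["S256"],
}

# Assumed checklist: the endpoints an OAuth client using DCR needs to find.
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "registration_endpoint")


def _is_https(url):
    parts = urlparse(url if isinstance(url, str) else "")
    return parts.scheme == "https" and bool(parts.netloc)


def check_as_metadata(meta, expected_issuer):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    # RFC 8414 section 3.3: issuer must equal the identifier used to fetch it.
    if meta.get("issuer") != expected_issuer:
        problems.append("issuer mismatch: %r" % meta.get("issuer"))
    for name in ENDPOINTS:
        if name not in meta:
            note = " (no DCR, RFC 7591)" if name == "registration_endpoint" else ""
            problems.append("missing %s%s" % (name, note))
        elif not _is_https(meta[name]):
            problems.append("%s is not an https URL" % name)
    if "code" not in meta.get("response_types_supported", []):
        problems.append("response_types_supported lacks 'code'")
    # RFC 8414 default when the field is omitted.
    grants = meta.get("grant_types_supported", ["authorization_code", "implicit"])
    if "authorization_code" not in grants:
        problems.append("grant_types_supported lacks 'authorization_code'")
    # An absent field means PKCE support is not advertised at all.
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    return problems
```

Feed it the parsed JSON from the server's well-known metadata URL together with the issuer string used to build that URL; a trailing-slash difference in `issuer` counts as a mismatch.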