Description
Setting up RBAC controls on remote MCP server leads to inconsistent results. The <Requirement Name="Role" ... does not seem to be applied correctly (users without the role can invoke the tools).
Setup
I'm defining a remote MCP server with password authentication, serving a toolset. The config.toml file does not include passwords for the endpoint (only for the general server definition) and authentication is being handled by an Authentication : Basic .... header (accessing with Langchain MultiServerMCPClient).
The toolset has certain tools with <Requirement Name="Role" value="..."> .
Expected behavior
Only users with the required role can discover restricted tools.
Only users with the required role can invoke restricted tools.
Discovery, metadata, and execution should reflect the same authenticated user context.
Actual behavior
Users without the required role can discover restricted tools.
Users without the required role can invoke restricted tools.
Behavior is inconsistent across runs: tools may work once and then fail on immediate retry, or change behavior after restart or after access by another user.
Troubleshooting
- I've confirmed that the user login is correct with a tool to Echo the current username.
- Trying to troubleshoot this has thrown up inconsistent results, for example changing the role of one user led to another user failing to invoke the tools, or tools not working when a server restarts.
- The tool metadata confirms the requirement is being parsed, just not applied.
- Observed behavior suggests discovery/session state may be leaking or being cached across users. If a privileged user hits the endpoint first, later users may see tools they should not. If an unauthorized user hits first, later authorized users may fail to discover tools.
Version
I originally noticed issues with this on IRISHealth version 142, have since upgraded to 144-Community and still have issues. I thought this was working on an earlier version though.
Description
Setting up RBAC controls on remote MCP server leads to inconsistent results. The
<Requirement Name="Role" ...does not seem to be applied correctly (users without the role can invoke the tools).Setup
I'm defining a remote MCP server with password authentication, serving a toolset. The config.toml file does not include passwords for the endpoint (only for the general server definition) and authentication is being handled by an
Authentication : Basic ....header (accessing with Langchain MultiServerMCPClient).The toolset has certain tools with
<Requirement Name="Role" value="...">.Expected behavior
Only users with the required role can discover restricted tools.
Only users with the required role can invoke restricted tools.
Discovery, metadata, and execution should reflect the same authenticated user context.
Actual behavior
Users without the required role can discover restricted tools.
Users without the required role can invoke restricted tools.
Behavior is inconsistent across runs: tools may work once and then fail on immediate retry, or change behavior after restart or after access by another user.
Troubleshooting
Version
I originally noticed issues with this on IRISHealth version 142, have since upgraded to 144-Community and still have issues. I thought this was working on an earlier version though.