<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Model Context Protocol on</title><link>https://eunus.dev/tags/model-context-protocol/</link><description>Recent content in Model Context Protocol on</description><generator>Hugo -- gohugo.io</generator><lastBuildDate>Thu, 02 Jul 2026 00:00:00 +0600</lastBuildDate><atom:link href="https://eunus.dev/tags/model-context-protocol/index.xml" rel="self" type="application/rss+xml"/><item><title>Model Context Protocol Series 2A — OAuth 2.1 for MCP: Connecting Claude to Your Real Users with OpenIddict</title><link>https://eunus.dev/blog/model-context-protocol-series-2a-oauth-2.1-for-mcp-connecting-claude-to-your-real-users-with-openiddict/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0600</pubDate><guid>https://eunus.dev/blog/model-context-protocol-series-2a-oauth-2.1-for-mcp-connecting-claude-to-your-real-users-with-openiddict/</guid><description>Series 1 ended with a working MCP server — but every tool call it made to the backend used a service account with admin access and no tenant context. Which means Claude could, in theory, pull data from any tenant in the system. No audit trail. No permission boundaries. Just a skeleton key with your API&amp;rsquo;s address on it.
That&amp;rsquo;s not a security model. That&amp;rsquo;s a liability.
This post replaces the service account with OAuth 2.</description></item><item><title>Model Context Protocol Series 2B — The Bridge Middleware That Lets Claude Debug and Fix Its Own Tools</title><link>https://eunus.dev/blog/model-context-protocol-series-2b-the-bridge-middleware-that-lets-claude-debug-and-fix-its-own-tools/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0600</pubDate><guid>https://eunus.dev/blog/model-context-protocol-series-2b-the-bridge-middleware-that-lets-claude-debug-and-fix-its-own-tools/</guid><description>Series 2A wired up the full OAuth 2.1 stack: discovery endpoints, mock Dynamic Client Registration, JWT validation, bearer token forwarding. Every piece of it works — right up until Claude Code opens the browser to log in, and OpenIddict slams the door:
error: invalid_request error_description: The specified 'redirect_uri' is not valid for this client application. This post is about the one component that fixes it — a single bridge middleware — and why it earns its own post: it is the piece nobody else builds, because almost everyone tests their MCP OAuth against a client that never triggers the problem.</description></item><item><title>Model Context Protocol Series 1 — Building a Production MCP Server in .NET with HTTP Transport</title><link>https://eunus.dev/blog/model-context-protocol-series-1-building-a-production-mcp-server-in-.net-with-http-transport/</link><pubDate>Thu, 18 Jun 2026 00:00:00 +0600</pubDate><guid>https://eunus.dev/blog/model-context-protocol-series-1-building-a-production-mcp-server-in-.net-with-http-transport/</guid><description>I was building a multi-tenant SaaS platform on ABP Framework and kept hitting the same wall: I wanted Claude to create tenants, query bookings, and manage configuration — not by generating code for me to run, but by calling the actual API directly. Like giving an AI assistant a real key to the backend, not a stack of printed instructions.
That&amp;rsquo;s exactly what MCP enables. But once I started digging, every tutorial I found showed stdio — a local process Claude spawns and kills.</description></item><item><title>MCP-First Development: Letting AI Write, Run, and Maintain Your Tests</title><link>https://eunus.dev/blog/mcp-first-development-letting-ai-write-run-and-maintain-your-tests/</link><pubDate>Thu, 02 Jul 2026 00:00:00 +0600</pubDate><guid>https://eunus.dev/blog/mcp-first-development-letting-ai-write-run-and-maintain-your-tests/</guid><description>I didn&amp;rsquo;t set out to change how I test my own code. It happened because of a task that started as plumbing work and ended up rewiring how I think about building anything at all.
I&amp;rsquo;d been asked to build an MCP server on top of a live production system, under strict rules: no touching the backend, no touching the existing frontend. Just wrap what was there so an AI could call it.</description></item></channel></rss>