Lokka MCP Authentication Enhancements


I’m excited to share some significant authentication enhancements I’ve contributed to the Lokka MCP Server for Microsoft Graph. These updates, detailed in this pull request and on NPM, make an already excellent tool even more versatile.

First and foremost, a massive shout-out to Merill Fernando, the original author of Lokka MCP. Merill has done an absolutely awesome job creating and maintaining this project. His foundational work has been instrumental, and these enhancements simply build upon his implementation, providing more sophisticated authentication flows.

What’s New in Authentication? Leveraging MSAL for Flexibility

The core of these enhancements lies in providing more flexible and secure authentication options by leveraging the Microsoft Authentication Library (MSAL). MSAL simplifies the process of acquiring security tokens from the Microsoft identity platform, handling complex OAuth 2.0 and OpenID Connect protocols, token caching, and refresh mechanisms.

With these updates, Lokka MCP now supports three primary authentication methods for Microsoft Graph, accommodating a wider array of deployment scenarios:

  1. Client Credentials (Service-to-Service): This is the traditional application-only authentication flow and is what Lokka MCP supported previously. It’s ideal for background services or daemons that need to access Microsoft Graph without a signed-in user. You configure your TENANT_ID, CLIENT_ID, and CLIENT_SECRET in the Lokka MCP environment variables. This is a robust method for automated tasks where user interaction is not feasible.
  2. Interactive Delegated Authentication: This new method enables user-based authentication with an interactive login experience. When USE_INTERACTIVE is set to true, Lokka MCP can prompt a user to sign in through a browser, acquiring tokens on their behalf. This is crucial for scenarios where the MCP needs to operate with the permissions of a specific signed-in user, such as when interacting with a user’s personal mailbox or OneDrive. This flow utilises delegated permissions, meaning the MCP acts with the combined permissions granted to the application and the permissions the signed-in user possesses.
  3. Client-Provided Token Authentication: This highly versatile new mode (activated by setting USE_CLIENT_TOKEN to true) allows the MCP client to directly provide a valid Microsoft Graph access token to Lokka. This decouples token acquisition from the MCP server itself. It means you can integrate Lokka MCP into existing authentication infrastructures, where a separate process or application is responsible for obtaining and managing access tokens. Lokka now includes new tools like set-access-token to programmatically update the token and get-auth-status to check the current authentication state and mode. This is particularly powerful for complex architectures or when you need fine-grained control over token lifecycle management.

These additions significantly enhance Lokka MCP’s adaptability. Whether you’re integrating with diverse Entra ID configurations, adhering to specific corporate security policies, or building custom applications that manage authentication externally, these new methods provide the necessary flexibility.
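With client-provided tokens, the client is the last place to check what a token allows before Lokka starts using it. The added example below (not part of Lokka or the original post) decodes a token's claims and checks audience, tenant, remaining lifetime and permissions against a policy. The policy shape, function names and sample values are assumptions, and the claims are only inspected, not signature-verified.

```javascript
// Added example: inspect a Graph access token's claims before handing it to an
// MCP server in client-provided token mode. Inspection only: no signature check.
const GRAPH_AUDIENCES = new Set([
  "https://graph.microsoft.com",
  "00000003-0000-0000-c000-000000000000", // Microsoft Graph application ID
]);

function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (!claims || typeof claims !== "object") throw new Error("payload is not a JSON object");
  return claims;
}

// policy = { tenantId, allowedPermissions, minLifetimeSec } (hypothetical shape)
function preflightGraphToken(jwt, policy, nowSec = Math.floor(Date.now() / 1000)) {
  let c;
  try { c = decodeClaims(jwt); } catch (e) { return { ok: false, kind: "unknown", problems: [e.message] }; }
  const problems = [];
  const aud = String(c.aud || "").replace(/\/$/, "");
  if (!GRAPH_AUDIENCES.has(aud)) problems.push(`audience is not Microsoft Graph: ${aud}`);
  if (c.tid !== policy.tenantId) problems.push(`unexpected tenant: ${c.tid}`);
  if (typeof c.exp !== "number" || c.exp - nowSec < policy.minLifetimeSec)
    problems.push("token expired or too close to expiry");
  // Delegated tokens carry a space-separated `scp`; app-only tokens carry `roles`.
  const delegated = typeof c.scp === "string" && c.scp.length > 0;
  const kind = delegated ? "delegated" : Array.isArray(c.roles) ? "application" : "unknown";
  const granted = delegated ? c.scp.split(" ") : kind === "application" ? c.roles : [];
  if (kind === "unknown") problems.push("no scp or roles claim");
  const extra = granted.filter((p) => !policy.allowedPermissions.includes(p));
  if (extra.length) problems.push(`permissions beyond policy: ${extra.join(", ")}`);
  return { ok: problems.length === 0, kind, granted, problems };
}

// Builds a constructed sample token; header and signature are dummies.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ typ: "JWT", alg: "RS256" })}.${enc(claims)}.constructed-signature`;
}

const SAMPLE_POLICY = { // constructed values
  tenantId: "11111111-2222-3333-4444-555555555555",
  allowedPermissions: ["User.Read", "Mail.Read"],
  minLifetimeSec: 300,
};
```

Run the check in the process that obtains the token, and pass the token on only when `ok` is true.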

Why This Matters for You

The technical details boil down to one critical advantage: these authentication enhancements make Lokka MCP much more versatile. By embracing different MSAL-based authentication flows, Lokka can now seamlessly integrate into a broader spectrum of environments. This translates to:

  • Increased Flexibility: Choose the authentication method that best fits your security posture and operational requirements.
  • Wider Application Scenarios: From automated background tasks to user-specific actions, Lokka can now support more use cases.
  • Simplified Integration: For those with existing token management systems, the client-provided token option streamlines integration.

The goal was to make Lokka MCP even more adaptable, so that it gets wider use and is easier to integrate with the applications that administrators and end users are building to bridge the gap between their application(s) and Microsoft Graph.

Enabling Interactive Authentication for Lokka in Claude Desktop

To use Lokka in Claude Desktop with interactive authentication and delegated permissions, provide TENANT_ID and CLIENT_ID and set USE_INTERACTIVE to true in your claude_desktop_config.json configuration file, as shown below. When you restart Claude Desktop (and each time you start it in the future), your default browser will display the Entra login window for your Application Registration. Log in and the session will pass back to Claude Desktop.

"Lokka-Entra": {
  "command": "npx",
  "args": ["-y", "@merill/lokka"],
  "env": {
    "TENANT_ID": "<yourEntraTenantID>",
    "CLIENT_ID": "<yourLokkaAppRegClientID>",
    "USE_INTERACTIVE": "true"
  }
},

Continuing the MCP Journey

These authentication enhancements are another step in my ongoing exploration of MCPs. Check out my previous posts:

I’m always looking for ways to enhance and expand the utility of MCPs, and contributing back to projects like Merill’s Lokka MCP is a fantastic way to do that.

Stay tuned for more updates and explorations in the world of AI and integration.

Darren Robinson

Bespoke learnings from a Microsoft Identity and Access Management Architect using lots of Microsoft Identity Manager, Azure Active Directory, PowerShell, SailPoint IdentityNow and Lithnet products and services.
