A walkthrough of how IBM watsonx Orchestrate enables MCP tools to act on behalf of users using OAuth On-Behalf-Of (OBO) flows and SSO. Users authenticate once via an identity provider (Okta), and agents transparently pass JWT tokens to MCP tools. The post covers setting up FastMCP with JWT verification, implementing RBAC via Orchestrate plug-ins that check user roles before agent invocation, configuring OAuth token exchange connections, and embedding a secure web chat widget in custom frontends. Code examples cover the MCP server setup, role-checking plugin, CLI commands for connection configuration, and the embedded chat script.