A major enterprise platform needed to connect to an AI agent system, but the legacy platform only exposed SOAP/XML endpoints with no modern API layer. The client's security requirements were strict: no inbound ports, full OAuth 2.0 compliance, and everything had to run on their existing AWS infrastructure. Nobody had done this integration with MCP before.
I designed the integration around a custom MCP server using Streamable HTTP transport. The server sits behind a Cloudflare Tunnel, so the enterprise network never opens an inbound port. Auth goes through AWS Cognito with OAuth 2.0/OIDC and PKCE, which handles both the AI platform's service-to-service calls and any user-facing flows.
The MCP server translates between the AI platform's tool-calling interface and the legacy SOAP/XML endpoints. I wrote the translation layer, the auth scaffolding, and the infrastructure-as-code for deployment. I also scoped the full AWS cost model for production (Cognito, EC2/Fargate, CloudWatch, data transfer).
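As an added illustration of the translation step described above (not the project's own code), this sketch maps an MCP tool call to a SOAP 1.1 envelope and a SOAP response back to an MCP tool result. The tool name `get_order`, the `GetOrder` operation, its parameters and the `urn:example:legacy` namespace are hypothetical; the point is that model-supplied arguments pass through an allow-list and are written as XML text nodes, never concatenated into markup.

```python
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:legacy"  # hypothetical service namespace
# Hypothetical allow-list: MCP tool name -> (SOAP operation, permitted parameters)
TOOLS = {"get_order": ("GetOrder", ("orderId", "region"))}
ET.register_namespace("soap", SOAP_NS)


def tool_call_to_soap(tool, arguments):
    """Build a SOAP 1.1 envelope from an MCP tools/call name and arguments."""
    if tool not in TOOLS:
        raise ValueError(f"unknown tool: {tool}")
    operation, allowed = TOOLS[tool]
    extra = set(arguments) - set(allowed)
    if extra:
        raise ValueError(f"unexpected arguments: {sorted(extra)}")
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}{operation}")
    for name in allowed:
        if name in arguments:
            # Set as a text node, so markup in model-supplied input is escaped.
            ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = str(arguments[name])
    return ET.tostring(envelope, encoding="unicode")


def _result(text, is_error):
    # Shape of an MCP tools/call result: a content list plus the isError flag.
    return {"isError": is_error, "content": [{"type": "text", "text": text}]}


def soap_to_tool_result(xml_text):
    """Turn a SOAP response into an MCP tool result; faults become isError."""
    if "<!DOCTYPE" in xml_text:
        # SOAP messages must not carry a DTD; refuse instead of parsing it.
        raise ValueError("DTD not allowed in SOAP response")
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing SOAP Body")
    payload = body[0]
    if payload.tag == f"{{{SOAP_NS}}}Fault":
        return _result(payload.findtext("faultstring", "SOAP fault"), True)
    # Flatten the response element's children into a JSON object for the model.
    fields = {child.tag.split("}")[-1]: (child.text or "") for child in payload}
    return _result(json.dumps(fields, sort_keys=True), False)
```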
Currently in PoC validation. Infrastructure cost model approved. Pending production deployment decision.