Front-Door Auth #696
Draft
Front-Door Auth #696
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is 📢 Thoughts on this report? Let us know! |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements "Front-Door Authentication" for the Arcade MCP server, adding OAuth 2.1-compliant server-level authentication for HTTP transport. The implementation validates Bearer tokens on every HTTP request before processing MCP protocol messages, enabling secure HTTP transport with tool-level authorization and OAuth discovery support.
Key Changes:
- Added JWT-based token verification with JWKS support for validating Bearer tokens
- Implemented OAuth 2.0 Protected Resource Metadata (RFC 9728) for client discovery
- Added support for multiple authorization servers with flexible configuration via environment variables or code
Reviewed changes
Copilot reviewed 28 out of 29 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| libs/tests/arcade_mcp_server/test_server_auth.py | Comprehensive test suite for JWT verification, RemoteOAuthProvider, middleware, and multi-authorization server scenarios |
| libs/tests/arcade_mcp_server/test_server.py | Added authenticated user context to HTTP transport tests |
| libs/tests/arcade_mcp_server/test_mcp_app.py | Updated tests to include server_auth_provider parameter |
| libs/arcade-mcp-server/pyproject.toml | Added python-jose and httpx dependencies |
| libs/arcade-mcp-server/arcade_mcp_server/worker.py | Integrated auth middleware and OAuth discovery routes |
| libs/arcade-mcp-server/arcade_mcp_server/types.py | Extended SessionMessage to carry authenticated user info |
| libs/arcade-mcp-server/arcade_mcp_server/transports/http_streamable.py | Modified to extract and pass authenticated user from scope |
| libs/arcade-mcp-server/arcade_mcp_server/settings.py | Added ServerAuthSettings for environment-based configuration |
| libs/arcade-mcp-server/arcade_mcp_server/session.py | Updated to handle authenticated user context per request |
| libs/arcade-mcp-server/arcade_mcp_server/server_auth/ | New module with base classes, JWT verifier, RemoteOAuthProvider, and ASGI middleware |
| libs/arcade-mcp-server/arcade_mcp_server/server.py | Enhanced to use authenticated user from front-door auth for tool context |
| libs/arcade-mcp-server/arcade_mcp_server/mcp_app.py | Added auth parameter and removed duplicate .env loading |
| libs/arcade-mcp-server/arcade_mcp_server/fastapi/auth_routes.py | OAuth discovery endpoint implementation |
| libs/arcade-mcp-server/arcade_mcp_server/context.py | Added authenticated_user to Context initialization |
| examples/mcp_servers/authorization/ | Complete example server demonstrating front-door auth with Docker setup |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.