Feature/oauth 2.1 support #10

Open: wants to merge 21 commits into base branch main

Conversation

westonbrown (Collaborator)

OAuth 2.1 Authentication Integration for MCP Gateway

  • Adds comprehensive OAuth 2.1 authentication with support for AWS Cognito, Okta, and generic OAuth providers
  • Implements fine-grained scope-based authorization with server-level and tool-level access control
  • Maintains full compatibility with both SSE and StreamableHTTP transport protocols
  • Provides secure session management with JWT validation and PKCE support

Features

🔐 Multi-Provider OAuth 2.1 Support

  • AWS Cognito: Full implementation with group-based permissions
  • Okta: Complete integration with tenant-based authentication
  • Generic OAuth: Configurable for any OAuth 2.1 compliant provider
  • PKCE Security: Authorization code flow with Proof Key for Code Exchange

🎯 Granular Access Control

  • Registry permissions: mcp:registry:admin, mcp:registry:read
  • Server permissions: mcp:server:{name}:execute, mcp:server:{name}:toggle
  • Tool permissions: mcp:server:{name}:tool:{tool}:execute
  • Automatic group-to-scope mapping from identity provider groups

🚀 Full Protocol Compatibility

  • SSE Transport: /api/execute/{service} endpoints with streaming support
  • StreamableHTTP: /api/streamable/{service} endpoints for bidirectional communication
  • Dynamic Nginx configuration for proxy routing
  • Service credential pass-through via HTTP headers and direct parameters

🛡️ Enterprise Security

  • JWT signature verification with JWKS endpoint validation
  • Session invalidation tracking prevents token reuse after logout
  • Strong SECRET_KEY validation with cryptographic requirements

Technical Implementation

  • Secure session fingerprinting using unique session IDs prevents logout conflicts
  • Middleware-based authentication with request-level user context
  • OAuth state management with CSRF protection and cache-busting parameters
  • Provider abstraction allowing easy addition of new identity providers

Test Plan

  • ✅ OAuth login flow with Cognito integration
  • ✅ Scope-based authorization enforcement
  • ✅ Session management and logout functionality
  • ✅ Multi-transport protocol support (SSE + StreamableHTTP)
  • ✅ Server toggle permissions and tool execution
  • ✅ JWT validation and signature verification

This commit implements OAuth 2.1 authentication with support for multiple identity providers, scope-based access control, and both SSE and StreamableHTTP transport protocols. Key changes include:

- Complete OAuth 2.1 implementation with authorization code flow and PKCE
- Support for AWS Cognito, Okta, and generic OAuth providers
- Fine-grained scope-based access control for server and tool access
- Support for both SSE (/api/execute/) and StreamableHTTP (/api/streamable/) transports
- Comprehensive documentation in README.md and new oauth.md guide

Tests show 100% success rate with both admin and limited users, confirming:
- Proper authentication and authorization flows
- Correct scope-based access restrictions
- Working transport protocols for SSE and StreamableHTTP

This commit adds the necessary infrastructure for OAuth 2.1 support:

- Docker configuration with OAuth environment variables
- Updated entrypoint script with OAuth integration
- Nginx configuration for OAuth endpoints
- Updated dependencies in pyproject.toml
- UI templates with OAuth login flow integration
- Updated startup script
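To make the scope scheme above concrete, here is an added example (not code from this PR or the gateway project) of a deny-by-default scope check: identity-provider groups are mapped to the PR's scope names, and a request to an SSE `/api/execute/{service}` or StreamableHTTP `/api/streamable/{service}` endpoint is allowed only if every required server-level and tool-level scope is present. The group names, the mapping layout, and the rule that a tool call needs both the server and the tool scope are assumptions made for this example.

```python
import re
from typing import Iterable, Optional

# Constructed identity-provider group -> scope mapping. Scope names follow
# the PR's scheme; group names and the mapping format are assumptions.
GROUP_SCOPES = {
    "registry-admins": {"mcp:registry:admin", "mcp:registry:read"},
    "registry-readers": {"mcp:registry:read"},
    "weather-users": {
        "mcp:server:weather:execute",
        "mcp:server:weather:tool:forecast:execute",
    },
}

# Both transports are routed to the same {service} scope; the service name is
# restricted to a safe character set so path tricks cannot forge a scope name.
_PATH_RE = re.compile(r"/api/(execute|streamable)/([A-Za-z0-9_-]+)/?")


def scopes_for_groups(groups: Iterable[str]) -> set:
    """Automatic group-to-scope mapping: union of the scopes of every known
    group. Unknown groups grant nothing."""
    scopes: set = set()
    for group in groups:
        scopes |= GROUP_SCOPES.get(group, set())
    return scopes


def required_scopes(path: str, tool: Optional[str] = None) -> Optional[set]:
    """Scopes a request needs, or None for a path this check does not know
    (the caller must treat None as a denial, not as 'no scope needed')."""
    match = _PATH_RE.fullmatch(path)
    if match is None:
        return None
    service = match.group(2)
    needed = {f"mcp:server:{service}:execute"}
    if tool is not None:
        # Assumption: a tool call needs the tool-level scope on top of the
        # server-level execute scope.
        needed.add(f"mcp:server:{service}:tool:{tool}:execute")
    return needed


def is_authorized(groups: Iterable[str], path: str, tool: Optional[str] = None) -> bool:
    """Deny by default: an unknown path or any missing scope fails the check."""
    needed = required_scopes(path, tool)
    if needed is None:
        return False
    return needed <= scopes_for_groups(groups)
```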
westonbrown added the "enhancement" (New feature or request) label on May 22, 2025.