feat(MCP): OAuth 2.0 support for HTTP transport #7692
Open
khvn26 wants to merge 1 commit into
Pass-through OAuth 2.0 protected resource for HTTP transport: serves RFC 9728 metadata, 401 + WWW-Authenticate on missing credential, any-scheme Authorization forwarded to the API. Tests migrated to respx. beep boop
Thanks for submitting a PR! Please check the boxes below:
docs/ if required so people know about the feature.

Changes
Closes Flagsmith/flagsmith-private#147
Adds OAuth 2.0 support for the MCP server's HTTP transport, as a pass-through resource server — the API stays the authorisation server and sole validator.
- FlagsmithResourceAuth: serves Protected Resource Metadata (RFC 9728) advertising the Flagsmith AS and the mcp scope, and returns 401 + WWW-Authenticate when a request carries no credential, so MCP clients can discover and complete the OAuth flow.
- Authorization header, Bearer OAuth token or Api-Key, is accepted and forwarded upstream. No introspection.
- transport=http and no static FLAGSMITH_API_TOKEN is configured. stdio, a static token, and a forwarded --header all stay pure pass-through.
- MCP_SERVER_URL setting for the public resource URL advertised in the metadata.

How did you test this code?

- make test (100% coverage), make lint, make typecheck — all green.
- 401 + WWW-Authenticate pointing at /.well-known/oauth-protected-resource/mcp.
- https://api.flagsmith.com as the AS and the mcp scope.
- Api-Key header over HTTP → forwarded → real data (gate is scheme-agnostic).
- claude mcp add --transport http … → /mcp → log in at Flagsmith → authenticated tool calls).
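
The pass-through gate described above, as an added sketch that is not code from this PR or the Flagsmith project: it serves the RFC 9728 metadata document, answers a request without a credential with 401 and a `WWW-Authenticate` challenge, and otherwise forwards the `Authorization` header unchanged. The names `gate` and `metadata_url` and the resource URL `https://mcp.example.com/mcp` are hypothetical; the AS URL and the `mcp` scope are taken from the description.

```python
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/oauth-protected-resource"  # RFC 9728 well-known segment


def metadata_url(resource_url):
    """Insert the well-known segment between the host and the resource path."""
    u = urlsplit(resource_url)
    return urlunsplit((u.scheme, u.netloc, WELL_KNOWN + u.path.rstrip("/"), "", ""))


def gate(method, path, headers, resource_url, auth_server, scopes=("mcp",)):
    """Return (status, response_headers, body, upstream_headers).

    status is None when the request should be proxied with upstream_headers.
    """
    meta = metadata_url(resource_url)
    if method == "GET" and path == urlsplit(meta).path:
        doc = {
            "resource": resource_url,
            "authorization_servers": [auth_server],
            "scopes_supported": list(scopes),
            "bearer_methods_supported": ["header"],
        }
        return 200, {"Content-Type": "application/json"}, json.dumps(doc), None

    # Header names are case-insensitive; an empty value counts as no credential.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    credential = lowered.get("authorization", "")
    if not credential:
        challenge = f'Bearer resource_metadata="{meta}"'
        return 401, {"WWW-Authenticate": challenge}, "", None

    # Pass-through: any scheme is forwarded unchanged, with no local validation.
    # The upstream API remains the only place a token is accepted or rejected.
    return None, {}, "", {"Authorization": credential}


if __name__ == "__main__":
    cfg = dict(resource_url="https://mcp.example.com/mcp",  # constructed value
               auth_server="https://api.flagsmith.com")
    print(gate("POST", "/mcp", {}, **cfg)[:2])
    print(gate("POST", "/mcp", {"authorization": "Api-Key constructed"}, **cfg)[3])
    print(gate("GET", "/.well-known/oauth-protected-resource/mcp", {}, **cfg)[2])
```

Because the gate checks only that a credential is present, a rejected token surfaces as the upstream API's own error response, which the proxy has to relay to the client as-is.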