Commit 0271cf3

Authored by nicholascioli, swcollard and DaleSeo
feat: add mcp auth (#210)
feat: add auth

This commit adds support for OAuth authn/z flows at the MCP protocol level.

Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
1 parent 4f690ee commit 0271cf3

12 files changed

+837
-10
lines changed
.changesets/feat_nc_authnz.md

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
### feat: add mcp auth - @nicholascioli PR #210
2+
3+
The MCP server can now be configured to act as an OAuth 2.1 resource server, following
4+
guidelines from the official MCP specification on Authorization / Authentication (see
5+
[the spec](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization)).
6+
7+
To configure this new feature, a new `auth` section has been added to the SSE and
8+
Streamable HTTP transports. Below is an example configuration using Streamable HTTP:
9+
10+
```yaml
11+
transport:
12+
type: streamable_http
13+
auth:
14+
# List of upstream delegated OAuth servers
15+
# Note: These need to support the OIDC metadata discovery endpoint
16+
servers:
17+
- https://auth.example.com
18+
19+
# List of accepted audiences from upstream signed JWTs
20+
# See: https://www.ory.sh/docs/hydra/guides/audiences
21+
audiences:
22+
- mcp.example.audience
23+
24+
# The externally available URL pointing to this MCP server. Can be `localhost`
25+
# when testing locally.
26+
# Note: Subpaths must be preserved here as well. So append `/mcp` if using
27+
# Streamable HTTP or `/sse` is using SSE.
28+
resource: https://hosted.mcp.server/mcp
29+
30+
# Optional link to more documentation relating to this MCP server.
31+
resource_documentation: https://info.mcp.server
32+
33+
# List of queryable OAuth scopes from the upstream OAuth servers
34+
scopes:
35+
- read
36+
- mcp
37+
- profile
38+
```
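Review bot: the comment on changeset line 27 ("or `/sse` is using SSE") has a typo and should read "or `/sse` if using SSE"; since the note stresses that subpaths must be preserved in `resource`, it would also help to state explicitly that this value is what the server advertises and compares against as its resource identifier, so a mismatch (for example a missing `/mcp` suffix) is a configuration error that rejects otherwise valid tokens rather than a cosmetic one. Likewise for `audiences`, a sentence saying that a token whose `aud` claim matches none of the listed values is rejected would make the security contract of this section clear to operators.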

Cargo.lock

Lines changed: 172 additions & 0 deletions

crates/apollo-mcp-server/Cargo.toml

Lines changed: 7 additions & 0 deletions
@@ -13,11 +13,16 @@ apollo-federation.workspace = true
1313
apollo-mcp-registry = { path = "../apollo-mcp-registry" }
1414
apollo-schema-index = { path = "../apollo-schema-index" }
1515
axum = "0.8.4"
16+
axum-extra = { version = "0.10.1", features = ["typed-header"] }
1617
bon = "3.6.3"
1718
clap = { version = "4.5.36", features = ["derive", "env"] }
1819
figment = { version = "0.10.19", features = ["env", "yaml"] }
1920
futures.workspace = true
21+
headers = "0.4.1"
22+
http = "1.3.1"
2023
humantime-serde = "1.1.1"
24+
jsonwebtoken = "9"
25+
jwks = "0.4.0"
2126
lz-str = "0.2.1"
2227
regex = "1.11.1"
2328
reqwest.workspace = true
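Review bot: `jsonwebtoken = "9"` is pinned only to a major version while every other new entry in this hunk (`axum-extra`, `headers`, `http`, `jwks`) carries a full `x.y.z` requirement; since this crate performs the JWT signature and claim validation that the new auth feature depends on, consider pinning it to a full version for consistency and so that the minimum acceptable version is explicit in the manifest rather than only in Cargo.lock. The `jwks` crate is at `0.4.0`, a pre-1.0 version, so it is worth noting in the PR which behaviour (key refresh, `kid` matching) is relied on, as minor bumps can change it.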
@@ -35,9 +40,11 @@ tokio.workspace = true
3540
tracing.workspace = true
3641
tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
3742
tokio-util = "0.7.15"
43+
tower-http = { version = "0.6.6", features = ["cors"] }
3844
url.workspace = true
3945

4046
[dev-dependencies]
47+
chrono = { version = "0.4.41", default-features = false, features = ["now"] }
4148
figment = { version = "0.10.19", features = ["test"] }
4249
insta.workspace = true
4350
rstest.workspace = true
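Review bot: `tower-http` is added with the `cors` feature, which means the server now emits CORS headers on endpoints that accept bearer tokens; the changeset text does not mention any CORS setting, so please document (or confirm in the PR description) which origins, methods and headers the layer allows, and keep the `Authorization` header out of any wildcard allowance. The `chrono` dev-dependency with only the `now` feature looks like it is used to mint test tokens with `exp`/`iat` claims; a test that asserts an expired token is rejected would be a good addition alongside it.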