Skip to content

Conversation

@tim-yung
Copy link
Contributor

Summary

This PR implements OAuth 2.0 Token Exchange (RFC 8693) for MetaMCP and adds a comprehensive test suite to ensure production readiness. The feature enables seamless single sign-on between external systems and MetaMCP server by allowing exchange of validated external JWT tokens for MCP-compatible access tokens.

Background & Problem Statement

External systems required the ability to convert validated Supabase JWT tokens into MCP server access tokens through OAuth 2.0 Token Exchange. The existing MetaMCP OAuth infrastructure only supported Authorization Code Flow, missing the token exchange grant type required for machine-to-machine authentication patterns.

Implementation Details

🔄 OAuth 2.0 Token Exchange (RFC 8693)

New Grant Type Support:

  • Grant type: urn:ietf:params:oauth:grant-type:token-exchange
  • Subject token validation via Supabase /auth/v1/user endpoint
  • Full RFC 8693 compliance with proper error handling
  • Integration with existing OAuth infrastructure (90% code reuse)

Key Features:

  • Provider-agnostic JWT validation interface for future extensibility
  • Non-breaking changes to existing OAuth functionality
  • Proper namespace routing: /metamcp/{endpoint}/oauth/token
  • Standards-compliant error responses

🏗️ Architecture Solutions

Routing Challenge: Initial attempt created double paths (/oauth/oauth/token). Solution was to create separate namespace OAuth router that handles /token when mounted at /:endpoint/oauth, maintaining clean URL structure.

Middleware Integration: Added targeted JSON/URL-encoded parsing for OAuth endpoints within the /metamcp/* path structure while preserving existing global middleware behavior.

🧪 Comprehensive Test Suite (81 Tests)

Implemented production-ready testing following industry best practices:

Test Categories:

  • Unit Tests (38): OAuth utilities, token generation, JWT validation, repositories
  • Integration Tests (43): End-to-end token exchange flows, user management, client handling
  • Security Tests: OWASP-compliant SQL injection prevention, XSS protection, JWT security validation
  • Edge Cases: Boundary conditions, error scenarios, network failures

Testing Infrastructure:

  • Vitest framework with TypeScript support
  • MSW (Mock Service Worker) for Supabase service mocking
  • Custom test utilities and domain-specific assertions
  • Coverage thresholds: 80% lines, 80% functions, 75% branches
  • <1 second execution time (81/81 tests passing)

Security Validation:

  • Comprehensive input validation testing with security payloads
  • JWT structure and signature verification
  • Authentication bypass prevention
  • Information disclosure prevention
  • Rate limiting validation

API Usage

Token Exchange Request

POST /metamcp/{endpoint}/oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&subject_token=<supabase-jwt>
&subject_token_type=urn:ietf:params:oauth:token-type:access_token
&client_id=mcp_default
&resource=http://localhost:12009/mcp

Success Response

{
  "access_token": "mcp_token_...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "scope": "admin"
}

How to Test

Prerequisites

# Install dependencies including new test dependencies
pnpm install

# Set up environment variables
cp example.env .env
# Add SUPABASE_URL and SUPABASE_ANON_KEY to .env

Running Tests

# Run complete test suite
pnpm test

# Run with coverage
pnpm run test:coverage

For detailed testing documentation and OAuth feature usage, see:

  • OAuth 2.0 Token Exchange: README-oauth.md
  • Test Suite Details: apps/backend/src/__tests__/README.md

Security Considerations

  • Token Validation: All external JWTs validated via official provider APIs
  • Rate Limiting: Existing OAuth rate limiting applies to token exchange
  • CORS: Proper CORS configuration for cross-origin requests
  • Input Validation: Comprehensive validation prevents injection attacks
  • Token Storage: Leverages existing secure token storage infrastructure

Breaking Changes

None. This is a purely additive feature that maintains full backward compatibility with existing OAuth clients.

Environment Variables

New required environment variables for Supabase integration:

SUPABASE_URL=https://your-project.supabase.co
SUPABASE_ANON_KEY=your-supabase-anon-key

Production Readiness

RFC 8693 Compliance: Full specification compliance
Security Tested: OWASP-compliant security validation
Performance: <1 second test execution, minimal runtime overhead
Error Handling: Comprehensive error scenarios covered
Documentation: Complete implementation and testing documentation
Non-Breaking: Existing functionality preserved

Future Enhancements

The implementation provides a foundation for:

  • Multi-provider support (Auth0, Firebase, etc.)
  • Enhanced audit logging for compliance
  • Token introspection extensions
  • Refresh token support following existing patterns

Add support for RFC 8693 OAuth 2.0 Token Exchange to enable single sign-on
with external identity providers like Supabase. This allows clients to exchange
valid JWT tokens from external providers for MetaMCP access tokens.

Key features:
- RFC 8693 compliant token exchange endpoint at /oauth/token
- Namespace-specific OAuth endpoint for scoped access
- Supabase JWT validation with extensible provider support
- Automatic user account linking and creation
- Auto-creation of default OAuth client when needed
- Backward compatible with existing Better Auth flow

Implementation details:
- Added validateSubjectToken() for external JWT validation
- Created UsersRepository with email-based account linking
- Enhanced token endpoint to support 'token-exchange' grant type
- Added namespace OAuth router for isolated token exchange
- Automatic mcp_default client creation for fallback scenarios

Tested with LangGraph integration - successfully exchanges Supabase tokens
for MetaMCP access tokens and maintains session across tool invocations.
- Mount namespace OAuth endpoints in public router at /{endpoint}/oauth
- Add Supabase environment variables to configuration
- Update turbo.json to include Supabase env vars in global env
- Improve repository query formatting and tool mapping logic
- Add JSON/URL-encoded parsing for OAuth endpoints

These changes complete the OAuth 2.0 Token Exchange integration by making
the endpoints accessible through the public API and providing necessary
configuration examples.
Add comprehensive documentation for the new Supabase SSO integration:

- README.md: Add mention of OAuth 2.0 Token Exchange for Supabase SSO
- README-oauth.md: Add complete Token Exchange section with:
  - Sequence diagram for token exchange flow
  - Configuration instructions for Supabase
  - Usage examples and curl commands
  - Feature overview and implementation notes

Documentation focuses specifically on Supabase integration to avoid
confusion and provides clear guidance for setup and usage.
Add complete testing infrastructure for OAuth 2.0 Token Exchange feature with industry-standard best practices:

## Testing Infrastructure
- Vitest configuration with coverage thresholds (80% lines, 80% functions, 75% branches)
- MSW for external service mocking (Supabase JWT validation)
- Test isolation and clean state management
- Fast execution (<1 second for 81 tests)

## Test Coverage (81 tests total)
- Unit tests (38 tests): OAuth utils, repository logic, data validation
- Integration tests (43 tests): Token exchange flows, user management, error handling
- Security tests: OWASP-compliant validation, SQL injection prevention, XSS protection
- Edge cases: Boundary conditions, concurrent access, race conditions

## Security Testing
- Input validation (SQL injection, XSS, boundary values)
- JWT security (structure validation, signature verification)
- Authentication bypass prevention
- Information disclosure protection
- Rate limiting validation

## Developer Experience
- Custom test utilities and domain-specific assertions
- Centralized constants and configuration
- Comprehensive documentation with best practices guide
- Type-safe implementations with full TypeScript support

## Key Features Tested
- RFC 8693 compliant token exchange
- Supabase JWT validation with error handling
- User auto-creation and account linking
- Default OAuth client management
- Proper error response formatting
- Content-type support (JSON/form-encoded)

The test suite provides production-ready validation for the OAuth 2.0 Token Exchange implementation with comprehensive security coverage and excellent performance characteristics.
@tim-yung tim-yung changed the title feat: Add comprehensive OAuth 2.0 Token Exchange with full test suite feat: Add comprehensive OAuth 2.0 Token Exchange with Supabase and with full test suite Sep 17, 2025
@zhjch05
Copy link
Contributor

zhjch05 commented Sep 21, 2025

Thank you very much for contributing this large PR with tests. But I am a little bit confused and would like to learn more about the initiative, because previously the community already adds OIDC/SSO support within the framework of better-auth, so is this needed and why we need this Supabase integration?

Or is this for the MCP endpoint OAuth - for that one there is a spec required by MCP and I manually implemented the OAuth for MetaMCP MCP endpoints, is that something doesn't work and a dependency of Supabase is really needed?

@tim-yung
Copy link
Contributor Author

Hi James,

Thanks again for the amazing app!

I wanted to clarify my intent of this PR. My use case is allowing a backend service to access the MetaMCP API on behalf of a user who has already authenticated on the frontend (in my case, with a Supabase JWT).

To do that securely, the backend needs to exchange the user's JWT for an MCP access token. This requires the standard OAuth token-exchange grant type, which I saw wasn't supported yet. (Please feel free to clarify if I've missed anything!)

This is purely for programmatic API access and is separate from the existing Better Auth OIDC flow for the web UI. I started with Supabase for token validation because it's what my client uses, but I designed the interface to be generic so others like Auth0 or Firebase could be added easily.

Hope this helps explain the motivation! Let me know if you have any questions or concerns about the implementation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants