MCP auth flow #58

Merged
merged 8 commits into from
Mar 25, 2025
Contributor

@laskoviymishka laskoviymishka commented Mar 25, 2025

  1. Middleware Integration

    • MCP Tools automatically injects authorization middleware
    • Middleware checks for valid session token in requests
  2. Initial Access

    • When user accesses protected endpoint without token:
      • System returns 401 with OAuth authorization URL
      • User is prompted to follow the authorization link
      • OAuth flow initiates through configured provider
  3. Session Management

    • After successful OAuth authorization:
      • System creates a session for the user
      • OAuth token is securely stored and associated with session
      • User receives session token for subsequent requests
  4. Protected Operations

    • All subsequent requests include session token
    • Middleware automatically validates session
    • OAuth token is used internally for protected operations
    • Session persists until explicitly terminated or timeout

Authorization Sequence Diagram

sequenceDiagram
    participant User
    participant MCP_Tools as MCP Tools Middleware
    participant Connector_DB as Connector DB
    participant OAuth as OAuth Provider
    
    Note over User, OAuth: Initial access without authorization
    
    User->>MCP_Tools: Request to protected resource (no token)
    MCP_Tools->>MCP_Tools: Check for session token
    MCP_Tools-->>User: 401 Unauthorized + Authorization URL
    
    Note over User, OAuth: OAuth authorization process
    
    User->>OAuth: Follow authorization link
    OAuth->>User: Authorization/consent page
    User->>OAuth: Enter credentials and consent
    OAuth->>MCP_Tools: Redirect with authorization code
    MCP_Tools->>OAuth: Exchange code for access token
    OAuth-->>MCP_Tools: Access token
    
    Note over User, OAuth: Session management
    
    MCP_Tools->>MCP_Tools: Create user session with unique ID
    MCP_Tools->>MCP_Tools: Store OAuth token linked to session ID
    
    Note over User, OAuth: Subsequent requests
    
    User->>MCP_Tools: Request inside session ID
    MCP_Tools->>MCP_Tools: Validate session ID and retrieve associated OAuth token
    MCP_Tools->>Connector_DB: Request with OAuth token
    Connector_DB-->>MCP_Tools: DB response
    MCP_Tools-->>User: Response to client

Contributor Agreement

By submitting this pull request, I affirm that:

  • I have reviewed, fully understand, and agree to abide by the terms of the Contributor License Agreement detailed in CONTRIBUTING.md.
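The flow in the description and sequence diagram above, as an added Python example that is not code from this pull request. `AuthMiddleware`, `AUTH_ENDPOINT`, `SESSION_TTL`, the client ID and the `exchange_code` callable are assumed names and values; the example also goes beyond the description by binding the callback to a single-use `state` value, the standard OAuth CSRF protection.

```python
import secrets
import time
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://idp.example/authorize"  # placeholder provider URL (assumption)
SESSION_TTL = 3600   # seconds (assumption; the description only says sessions time out)
STATE_TTL = 600      # seconds a login attempt stays valid (assumption)

class AuthMiddleware:
    def __init__(self, exchange_code, now=time.time):
        self.exchange_code = exchange_code  # callable(code) -> OAuth access token
        self.now = now
        self.pending = {}    # state -> expiry of an unfinished login attempt
        self.sessions = {}   # session token -> (oauth_token, expiry)

    def handle(self, session_token, operation):
        """Steps 1, 2 and 4: run the operation for a valid session, else 401."""
        entry = self.sessions.get(session_token) if session_token else None
        if entry and entry[1] > self.now():
            # The OAuth token stays server-side; the client only holds the session token.
            return 200, operation(entry[0])
        self.sessions.pop(session_token, None)  # forget an expired session
        state = secrets.token_urlsafe(32)       # ties the callback to this attempt
        self.pending[state] = self.now() + STATE_TTL
        query = urlencode({"response_type": "code",
                           "client_id": "example-client",  # placeholder
                           "state": state})
        return 401, {"authorization_url": f"{AUTH_ENDPOINT}?{query}"}

    def callback(self, code, state):
        """Step 3: provider redirect; exchange the code and open a session."""
        expiry = self.pending.pop(state, None)  # single use: a replayed state fails
        if expiry is None or expiry < self.now():
            raise PermissionError("unknown or expired state")
        oauth_token = self.exchange_code(code)
        session_token = secrets.token_urlsafe(32)  # CSPRNG, unguessable
        self.sessions[session_token] = (oauth_token, self.now() + SESSION_TTL)
        return session_token

    def logout(self, session_token):
        """Explicit termination of a session."""
        self.sessions.pop(session_token, None)
```
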

Make agent-centric auth flow draft

We wrap a tool; if auth is needed, the tool exposes just an authorize method with a prompt about disabled tools and instructions on how to unlock them.

Once authorization is passed, we store it in state and expose a list-changed call with the new tools.
@laskoviymishka laskoviymishka marked this pull request as ready for review March 25, 2025 22:20
@laskoviymishka laskoviymishka changed the title Auth flow MCP auth flow Mar 25, 2025
@laskoviymishka laskoviymishka merged commit b16865d into main Mar 25, 2025
2 checks passed