Updated the authentication field to take just the token

2025-12-04 02:03:44 +00:00 · 2025-11-05 10:48:05 -08:00 · 2025-11-05 10:48:05 -08:00 · 09ef0b38c1
commit 09ef0b38c1
parent 8632c705aa
8 changed files with 10721 additions and 13 deletions
--- a/src/llama_stack/apis/agents/openai_responses.py
+++ b/src/llama_stack/apis/agents/openai_responses.py
@ -487,7 +487,7 @@ class OpenAIResponseInputToolMCP(BaseModel):
    :param server_label: Label to identify this MCP server
    :param server_url: URL endpoint of the MCP server
    :param headers: (Optional) HTTP headers to include when connecting to the server
-    :param authorization: (Optional) Bearer token authorization string (format: "Bearer <token>")
+    :param authorization: (Optional) OAuth access token for authenticating with the MCP server (provide just the token, not "Bearer <token>")
    :param require_approval: Approval requirement for tool calls ("always", "never", or filter)
    :param allowed_tools: (Optional) Restriction on which tools can be used from this server
    """
@ -496,8 +496,8 @@ class OpenAIResponseInputToolMCP(BaseModel):
    server_label: str
    server_url: str
    headers: dict[str, Any] | None = None
-    # OpenAI's MCP authorization currently only supports bearer tokens as a simple string
-    # Format: "Bearer <token>" (e.g., "Bearer my-secret-token")
+    # OAuth access token for MCP server authentication
+    # Provide just the token (e.g., "my-secret-token"), the "Bearer " prefix will be added automatically
    authorization: str | None = None

    require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never"
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
@ -1085,7 +1085,8 @@ class StreamingResponseOrchestrator:
                # Don't override existing Authorization header (case-insensitive check)
                existing_keys_lower = {k.lower() for k in headers.keys()}
                if "authorization" not in existing_keys_lower:
-                    headers["Authorization"] = mcp_tool.authorization
+                    # OAuth access token - add "Bearer " prefix
+                    headers["Authorization"] = f"Bearer {mcp_tool.authorization}"

            async with tracing.span("list_mcp_tools", attributes):
                tool_defs = await list_mcp_tools(
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
@ -305,7 +305,8 @@ class ToolExecutor:
                    # Don't override existing Authorization header (case-insensitive check)
                    existing_keys_lower = {k.lower() for k in headers.keys()}
                    if "authorization" not in existing_keys_lower:
-                        headers["Authorization"] = mcp_tool.authorization
+                        # OAuth access token - add "Bearer " prefix
+                        headers["Authorization"] = f"Bearer {mcp_tool.authorization}"

                async with tracing.span("invoke_mcp_tool", attributes):
                    result = await invoke_mcp_tool(