From 9dbeeaca973d916612ab8c0b223b8da70dc71de8 Mon Sep 17 00:00:00 2001 From: Omar Abdelwahab Date: Mon, 3 Nov 2025 19:57:58 -0800 Subject: [PATCH] Removed the MCPAuthorization class relying on bearer token --- client-sdks/stainless/openapi.yml | 39 +------------------ docs/static/deprecated-llama-stack-spec.yaml | 39 +------------------ docs/static/llama-stack-spec.yaml | 39 +------------------ docs/static/stainless-llama-stack-spec.yaml | 39 +------------------ .../apis/agents/openai_responses.py | 26 ++----------- .../meta_reference/responses/streaming.py | 29 +++----------- .../meta_reference/responses/tool_executor.py | 29 +++----------- 7 files changed, 24 insertions(+), 216 deletions(-) diff --git a/client-sdks/stainless/openapi.yml b/client-sdks/stainless/openapi.yml index 2a03104e3..ab4b2126f 100644 --- a/client-sdks/stainless/openapi.yml +++ b/client-sdks/stainless/openapi.yml @@ -7656,41 +7656,6 @@ components: title: ResponseGuardrailSpec description: >- Specification for a guardrail to apply during response generation. - MCPAuthorization: - type: object - properties: - type: - type: string - enum: - - bearer - - basic - - api_key - description: >- - Authorization type ("bearer", "basic", or "api_key") - token: - type: string - description: Bearer token for bearer authorization - username: - type: string - description: Username for basic authorization - password: - type: string - description: Password for basic authorization - api_key: - type: string - description: API key for api_key authorization - header_name: - type: string - default: X-API-Key - description: >- - Custom header name for API key (default: "X-API-Key") - additionalProperties: false - required: - - type - - header_name - title: MCPAuthorization - description: >- - Authorization configuration for MCP servers. OpenAIResponseInputTool: oneOf: - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' 
@@ -7731,9 +7696,9 @@ components: description: >- (Optional) HTTP headers to include when connecting to the server authorization: - $ref: '#/components/schemas/MCPAuthorization' + type: string description: >- - (Optional) Authorization configuration for the MCP server + (Optional) Bearer token authorization string (format: "Bearer ") require_approval: oneOf: - type: string diff --git a/docs/static/deprecated-llama-stack-spec.yaml b/docs/static/deprecated-llama-stack-spec.yaml index 4f3d4bc93..d0b174ed2 100644 --- a/docs/static/deprecated-llama-stack-spec.yaml +++ b/docs/static/deprecated-llama-stack-spec.yaml @@ -7711,41 +7711,6 @@ components: title: ResponseGuardrailSpec description: >- Specification for a guardrail to apply during response generation. - MCPAuthorization: - type: object - properties: - type: - type: string - enum: - - bearer - - basic - - api_key - description: >- - Authorization type ("bearer", "basic", or "api_key") - token: - type: string - description: Bearer token for bearer authorization - username: - type: string - description: Username for basic authorization - password: - type: string - description: Password for basic authorization - api_key: - type: string - description: API key for api_key authorization - header_name: - type: string - default: X-API-Key - description: >- - Custom header name for API key (default: "X-API-Key") - additionalProperties: false - required: - - type - - header_name - title: MCPAuthorization - description: >- - Authorization configuration for MCP servers. OpenAIResponseInputTool: oneOf: - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' 
@@ -7786,9 +7751,9 @@ components: description: >- (Optional) HTTP headers to include when connecting to the server authorization: - $ref: '#/components/schemas/MCPAuthorization' + type: string description: >- - (Optional) Authorization configuration for the MCP server + (Optional) Bearer token authorization string (format: "Bearer ") require_approval: oneOf: - type: string diff --git a/docs/static/llama-stack-spec.yaml b/docs/static/llama-stack-spec.yaml index 8b0256974..0c8bbbfd0 100644 --- a/docs/static/llama-stack-spec.yaml +++ b/docs/static/llama-stack-spec.yaml @@ -6443,41 +6443,6 @@ components: title: ResponseGuardrailSpec description: >- Specification for a guardrail to apply during response generation. - MCPAuthorization: - type: object - properties: - type: - type: string - enum: - - bearer - - basic - - api_key - description: >- - Authorization type ("bearer", "basic", or "api_key") - token: - type: string - description: Bearer token for bearer authorization - username: - type: string - description: Username for basic authorization - password: - type: string - description: Password for basic authorization - api_key: - type: string - description: API key for api_key authorization - header_name: - type: string - default: X-API-Key - description: >- - Custom header name for API key (default: "X-API-Key") - additionalProperties: false - required: - - type - - header_name - title: MCPAuthorization - description: >- - Authorization configuration for MCP servers. OpenAIResponseInputTool: oneOf: - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' @@ -6518,9 +6483,9 @@ components: description: >- (Optional) HTTP headers to include when connecting to the server authorization: - $ref: '#/components/schemas/MCPAuthorization' + type: string description: >- - (Optional) Authorization configuration for the MCP server + (Optional) Bearer token authorization string (format: "Bearer ") require_approval: oneOf: - type: string 
diff --git a/docs/static/stainless-llama-stack-spec.yaml b/docs/static/stainless-llama-stack-spec.yaml index 2a03104e3..ab4b2126f 100644 --- a/docs/static/stainless-llama-stack-spec.yaml +++ b/docs/static/stainless-llama-stack-spec.yaml @@ -7656,41 +7656,6 @@ components: title: ResponseGuardrailSpec description: >- Specification for a guardrail to apply during response generation. - MCPAuthorization: - type: object - properties: - type: - type: string - enum: - - bearer - - basic - - api_key - description: >- - Authorization type ("bearer", "basic", or "api_key") - token: - type: string - description: Bearer token for bearer authorization - username: - type: string - description: Username for basic authorization - password: - type: string - description: Password for basic authorization - api_key: - type: string - description: API key for api_key authorization - header_name: - type: string - default: X-API-Key - description: >- - Custom header name for API key (default: "X-API-Key") - additionalProperties: false - required: - - type - - header_name - title: MCPAuthorization - description: >- - Authorization configuration for MCP servers. OpenAIResponseInputTool: oneOf: - $ref: '#/components/schemas/OpenAIResponseInputToolWebSearch' @@ -7731,9 +7696,9 @@ components: description: >- (Optional) HTTP headers to include when connecting to the server authorization: - $ref: '#/components/schemas/MCPAuthorization' + type: string description: >- - (Optional) Authorization configuration for the MCP server + (Optional) Bearer token authorization string (format: "Bearer ") require_approval: oneOf: - type: string diff --git a/src/llama_stack/apis/agents/openai_responses.py b/src/llama_stack/apis/agents/openai_responses.py index 705f57152..de631a94d 100644 --- a/src/llama_stack/apis/agents/openai_responses.py +++ b/src/llama_stack/apis/agents/openai_responses.py 
@@ -483,26 +483,6 @@ class AllowedToolsFilter(BaseModel): tool_names: list[str] | None = None -@json_schema_type -class MCPAuthorization(BaseModel): - """Authorization configuration for MCP servers. - - :param type: Authorization type ("bearer", "basic", or "api_key") - :param token: Bearer token for bearer authorization - :param username: Username for basic authorization - :param password: Password for basic authorization - :param api_key: API key for api_key authorization - :param header_name: Custom header name for API key (default: "X-API-Key") - """ - - type: Literal["bearer", "basic", "api_key"] - token: str | None = None - username: str | None = None - password: str | None = None - api_key: str | None = None - header_name: str = "X-API-Key" - - @json_schema_type class OpenAIResponseInputToolMCP(BaseModel): """Model Context Protocol (MCP) tool configuration for OpenAI response inputs. @@ -511,7 +491,7 @@ class OpenAIResponseInputToolMCP(BaseModel): :param server_label: Label to identify this MCP server :param server_url: URL endpoint of the MCP server :param headers: (Optional) HTTP headers to include when connecting to the server - :param authorization: (Optional) Authorization configuration for the MCP server + :param authorization: (Optional) Bearer token authorization string (format: "Bearer ") :param require_approval: Approval requirement for tool calls ("always", "never", or filter) :param allowed_tools: (Optional) Restriction on which tools can be used from this server """ 
@@ -520,7 +500,9 @@ class OpenAIResponseInputToolMCP(BaseModel): server_label: str server_url: str headers: dict[str, Any] | None = None - authorization: MCPAuthorization | None = None + # OpenAI's MCP authorization currently only supports bearer tokens as a simple string + # Format: "Bearer " (e.g., "Bearer my-secret-token") + authorization: str | None = None require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never" allowed_tools: list[str] | AllowedToolsFilter | None = None diff --git a/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py b/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py index d52b16fd4..f816cd48d 100644 --- a/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py +++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py @@ -11,7 +11,6 @@ from typing import Any from llama_stack.apis.agents.openai_responses import ( AllowedToolsFilter, ApprovalFilter, - MCPAuthorization, MCPListToolsTool, OpenAIResponseContentPartOutputText, OpenAIResponseContentPartReasoningText, 
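Review bot: The `authorization` field added in hunk `@@ -520,7 +500,9 @@` now holds a complete credential as a plain `str` on a `@json_schema_type` Pydantic model, so any `model_dump()`, debug log or stored copy of the tool configuration would carry the token verbatim. Whether the input tool list is persisted or echoed back with the response is not visible in this hunk, so that path should be checked before merging. If nothing downstream needs the value in serialized form, declaring it as `authorization: str | None = Field(default=None, exclude=True)` keeps it out of dumps, assuming `Field` is already imported in this module. The new comment could also say that the value is a secret and must not be logged.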
@@ -83,32 +82,16 @@ from .utils import ( logger = get_logger(name=__name__, category="agents::meta_reference") -def _convert_authentication_to_headers(auth: MCPAuthorization) -> dict[str, str]: - """Convert MCPAuthorization config to HTTP headers. +def _convert_authorization_to_headers(authorization: str) -> dict[str, str]: + """Convert authorization string to HTTP headers. Args: - auth: Authorization configuration + authorization: Authorization header value (e.g., "Bearer token") Returns: - Dictionary of HTTP headers for authorization + Dictionary of HTTP headers with Authorization header """ - headers = {} - - if auth.type == "bearer": - if auth.token: - headers["Authorization"] = f"Bearer {auth.token}" - elif auth.type == "basic": - if auth.username and auth.password: - import base64 - - credentials = f"{auth.username}:{auth.password}" - encoded = base64.b64encode(credentials.encode()).decode() - headers["Authorization"] = f"Basic {encoded}" - elif auth.type == "api_key": - if auth.api_key: - headers[auth.header_name] = auth.api_key - - return headers + return {"Authorization": authorization} def convert_tooldef_to_chat_tool(tool_def): @@ -1131,7 +1114,7 @@ class StreamingResponseOrchestrator: # Prepare headers with authorization from tool config headers = dict(mcp_tool.headers or {}) if mcp_tool.authorization: - auth_headers = _convert_authentication_to_headers(mcp_tool.authorization) + auth_headers = _convert_authorization_to_headers(mcp_tool.authorization) # Don't override existing headers (case-insensitive check) existing_keys_lower = {k.lower() for k in headers.keys()} for key, value in auth_headers.items(): diff --git a/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py b/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py index 715c6a764..1408a9e4a 100644 --- a/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py 
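Review bot: `_convert_authorization_to_headers` in hunk `@@ -83,32 +82,16 @@` copies the caller-supplied string into the `Authorization` header without checking it, so the bearer-only contract stated in the docstring is not enforced. A bare token, a different scheme or an empty token after the prefix is sent to the MCP server as-is. A guard before the return, such as `if not authorization.startswith("Bearer ") or not authorization[7:].strip(): raise ValueError("authorization must be of the form 'Bearer <token>'")`, would reject these early; the message should not include the supplied value. The identical helper is added in tool_executor.py (hunk `@@ -45,32 +44,16 @@`), so both modules importing one shared function would keep the check in a single place.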
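Review bot: In hunk `@@ -1131,7 +1114,7 @@`, when `mcp_tool.headers` already contains an `Authorization` entry, the case-insensitive check after the changed line appears to keep that entry and drop the new `authorization` field without any signal. The loop body lies outside the hunk, so this is inferred from the comment `# Don't override existing headers`. With two ways to supply a credential, the precedence should be explicit: either reject a tool config that sets both, or log the conflict with the header name only, e.g. `logger.warning("authorization ignored: headers already sets %s", key)`. The same applies to the call site in tool_executor.py (hunk `@@ -347,7 +330,7 @@`).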
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py @@ -10,7 +10,6 @@ from collections.abc import AsyncIterator from typing import Any from llama_stack.apis.agents.openai_responses import ( - MCPAuthorization, OpenAIResponseInputToolFileSearch, OpenAIResponseInputToolMCP, OpenAIResponseObjectStreamResponseFileSearchCallCompleted, @@ -45,32 +44,16 @@ from .types import ChatCompletionContext, ToolExecutionResult logger = get_logger(name=__name__, category="agents::meta_reference") -def _convert_authentication_to_headers(auth: MCPAuthorization) -> dict[str, str]: - """Convert MCPAuthorization config to HTTP headers. +def _convert_authorization_to_headers(authorization: str) -> dict[str, str]: + """Convert authorization string to HTTP headers. Args: - auth: Authentication configuration + authorization: Authorization header value (e.g., "Bearer token") Returns: - Dictionary of HTTP headers for authentication + Dictionary of HTTP headers with Authorization header """ - headers = {} - - if auth.type == "bearer": - if auth.token: - headers["Authorization"] = f"Bearer {auth.token}" - elif auth.type == "basic": - if auth.username and auth.password: - import base64 - - credentials = f"{auth.username}:{auth.password}" - encoded = base64.b64encode(credentials.encode()).decode() - headers["Authorization"] = f"Basic {encoded}" - elif auth.type == "api_key": - if auth.api_key: - headers[auth.header_name] = auth.api_key - - return headers + return {"Authorization": authorization} class ToolExecutor: 
@@ -347,7 +330,7 @@ class ToolExecutor: # Prepare headers with authorization from tool config headers = dict(mcp_tool.headers or {}) if mcp_tool.authorization: - auth_headers = _convert_authentication_to_headers(mcp_tool.authorization) + auth_headers = _convert_authorization_to_headers(mcp_tool.authorization) # Don't override existing headers (case-insensitive check) existing_keys_lower = {k.lower() for k in headers.keys()} for key, value in auth_headers.items():