Removed the MCPAuthorization class relying on bearer token

2025-12-03 18:00:36 +00:00 · 2025-11-03 19:57:58 -08:00 · 2025-11-03 19:57:58 -08:00 · 9dbeeaca97
commit 9dbeeaca97
parent 376f0fcd23
7 changed files with 24 additions and 216 deletions
--- a/src/llama_stack/apis/agents/openai_responses.py
+++ b/src/llama_stack/apis/agents/openai_responses.py
@ -483,26 +483,6 @@ class AllowedToolsFilter(BaseModel):
    tool_names: list[str] | None = None


-@json_schema_type
-class MCPAuthorization(BaseModel):
-    """Authorization configuration for MCP servers.
-
-    :param type: Authorization type ("bearer", "basic", or "api_key")
-    :param token: Bearer token for bearer authorization
-    :param username: Username for basic authorization
-    :param password: Password for basic authorization
-    :param api_key: API key for api_key authorization
-    :param header_name: Custom header name for API key (default: "X-API-Key")
-    """
-
-    type: Literal["bearer", "basic", "api_key"]
-    token: str | None = None
-    username: str | None = None
-    password: str | None = None
-    api_key: str | None = None
-    header_name: str = "X-API-Key"
-
-
@json_schema_type
 class OpenAIResponseInputToolMCP(BaseModel):
    """Model Context Protocol (MCP) tool configuration for OpenAI response inputs.
@ -511,7 +491,7 @@ class OpenAIResponseInputToolMCP(BaseModel):
    :param server_label: Label to identify this MCP server
    :param server_url: URL endpoint of the MCP server
    :param headers: (Optional) HTTP headers to include when connecting to the server
-    :param authorization: (Optional) Authorization configuration for the MCP server
+    :param authorization: (Optional) Bearer token authorization string (format: "Bearer <token>")
    :param require_approval: Approval requirement for tool calls ("always", "never", or filter)
    :param allowed_tools: (Optional) Restriction on which tools can be used from this server
    """
@ -520,7 +500,9 @@ class OpenAIResponseInputToolMCP(BaseModel):
    server_label: str
    server_url: str
    headers: dict[str, Any] | None = None
-    authorization: MCPAuthorization | None = None
+    # OpenAI's MCP authorization currently only supports bearer tokens as a simple string
+    # Format: "Bearer <token>" (e.g., "Bearer my-secret-token")
+    authorization: str | None = None

    require_approval: Literal["always"] | Literal["never"] | ApprovalFilter = "never"
    allowed_tools: list[str] | AllowedToolsFilter | None = None
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
@ -11,7 +11,6 @@ from typing import Any
 from llama_stack.apis.agents.openai_responses import (
    AllowedToolsFilter,
    ApprovalFilter,
-    MCPAuthorization,
    MCPListToolsTool,
    OpenAIResponseContentPartOutputText,
    OpenAIResponseContentPartReasoningText,
@ -83,32 +82,16 @@ from .utils import (
 logger = get_logger(name=__name__, category="agents::meta_reference")


-def _convert_authentication_to_headers(auth: MCPAuthorization) -> dict[str, str]:
-    """Convert MCPAuthorization config to HTTP headers.
+def _convert_authorization_to_headers(authorization: str) -> dict[str, str]:
+    """Convert authorization string to HTTP headers.

    Args:
-        auth: Authorization configuration
+        authorization: Authorization header value (e.g., "Bearer token")

    Returns:
-        Dictionary of HTTP headers for authorization
+        Dictionary of HTTP headers with Authorization header
    """
-    headers = {}
-
-    if auth.type == "bearer":
-        if auth.token:
-            headers["Authorization"] = f"Bearer {auth.token}"
-    elif auth.type == "basic":
-        if auth.username and auth.password:
-            import base64
-
-            credentials = f"{auth.username}:{auth.password}"
-            encoded = base64.b64encode(credentials.encode()).decode()
-            headers["Authorization"] = f"Basic {encoded}"
-    elif auth.type == "api_key":
-        if auth.api_key:
-            headers[auth.header_name] = auth.api_key
-
-    return headers
+    return {"Authorization": authorization}


 def convert_tooldef_to_chat_tool(tool_def):
@ -1131,7 +1114,7 @@ class StreamingResponseOrchestrator:
            # Prepare headers with authorization from tool config
            headers = dict(mcp_tool.headers or {})
            if mcp_tool.authorization:
-                auth_headers = _convert_authentication_to_headers(mcp_tool.authorization)
+                auth_headers = _convert_authorization_to_headers(mcp_tool.authorization)
                # Don't override existing headers (case-insensitive check)
                existing_keys_lower = {k.lower() for k in headers.keys()}
                for key, value in auth_headers.items():
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
@ -10,7 +10,6 @@ from collections.abc import AsyncIterator
 from typing import Any

 from llama_stack.apis.agents.openai_responses import (
-    MCPAuthorization,
    OpenAIResponseInputToolFileSearch,
    OpenAIResponseInputToolMCP,
    OpenAIResponseObjectStreamResponseFileSearchCallCompleted,
@ -45,32 +44,16 @@ from .types import ChatCompletionContext, ToolExecutionResult
 logger = get_logger(name=__name__, category="agents::meta_reference")


-def _convert_authentication_to_headers(auth: MCPAuthorization) -> dict[str, str]:
-    """Convert MCPAuthorization config to HTTP headers.
+def _convert_authorization_to_headers(authorization: str) -> dict[str, str]:
+    """Convert authorization string to HTTP headers.

    Args:
-        auth: Authentication configuration
+        authorization: Authorization header value (e.g., "Bearer token")

    Returns:
-        Dictionary of HTTP headers for authentication
+        Dictionary of HTTP headers with Authorization header
    """
-    headers = {}
-
-    if auth.type == "bearer":
-        if auth.token:
-            headers["Authorization"] = f"Bearer {auth.token}"
-    elif auth.type == "basic":
-        if auth.username and auth.password:
-            import base64
-
-            credentials = f"{auth.username}:{auth.password}"
-            encoded = base64.b64encode(credentials.encode()).decode()
-            headers["Authorization"] = f"Basic {encoded}"
-    elif auth.type == "api_key":
-        if auth.api_key:
-            headers[auth.header_name] = auth.api_key
-
-    return headers
+    return {"Authorization": authorization}


 class ToolExecutor:
@ -347,7 +330,7 @@ class ToolExecutor:
                # Prepare headers with authorization from tool config
                headers = dict(mcp_tool.headers or {})
                if mcp_tool.authorization:
-                    auth_headers = _convert_authentication_to_headers(mcp_tool.authorization)
+                    auth_headers = _convert_authorization_to_headers(mcp_tool.authorization)
                    # Don't override existing headers (case-insensitive check)
                    existing_keys_lower = {k.lower() for k in headers.keys()}
                    for key, value in auth_headers.items():