MCP authentication parameter implementation

2025-12-03 09:53:45 +00:00 · 2025-11-03 15:48:56 -08:00 · 2025-11-03 15:48:56 -08:00 · d0a8878337
commit d0a8878337
parent da57b51fb6
7 changed files with 375 additions and 2 deletions
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/streaming.py
@ -11,6 +11,7 @@ from typing import Any
 from llama_stack.apis.agents.openai_responses import (
    AllowedToolsFilter,
    ApprovalFilter,
+    MCPAuthentication,
    MCPListToolsTool,
    OpenAIResponseContentPartOutputText,
    OpenAIResponseContentPartReasoningText,
@ -80,6 +81,34 @@ from .utils import (
 logger = get_logger(name=__name__, category="agents::meta_reference")


+def _convert_authentication_to_headers(auth: MCPAuthentication) -> dict[str, str]:
+    """Convert MCPAuthentication config to HTTP headers.
+
+    Args:
+        auth: Authentication configuration
+
+    Returns:
+        Dictionary of HTTP headers for authentication
+    """
+    headers = {}
+
+    if auth.type == "bearer":
+        if auth.token:
+            headers["Authorization"] = f"Bearer {auth.token}"
+    elif auth.type == "basic":
+        if auth.username and auth.password:
+            import base64
+
+            credentials = f"{auth.username}:{auth.password}"
+            encoded = base64.b64encode(credentials.encode()).decode()
+            headers["Authorization"] = f"Basic {encoded}"
+    elif auth.type == "api_key":
+        if auth.api_key:
+            headers[auth.header_name] = auth.api_key
+
+    return headers
+
+
 def convert_tooldef_to_chat_tool(tool_def):
    """Convert a ToolDef to OpenAI ChatCompletionToolParam format.

@ -1079,10 +1108,20 @@ class StreamingResponseOrchestrator:
                "server_url": mcp_tool.server_url,
                "mcp_list_tools_id": list_id,
            }
+            # Prepare headers with authentication from tool config
+            headers = dict(mcp_tool.headers or {})
+            if mcp_tool.authentication:
+                auth_headers = _convert_authentication_to_headers(mcp_tool.authentication)
+                # Don't override existing headers (case-insensitive check)
+                existing_keys_lower = {k.lower() for k in headers.keys()}
+                for key, value in auth_headers.items():
+                    if key.lower() not in existing_keys_lower:
+                        headers[key] = value
+
            async with tracing.span("list_mcp_tools", attributes):
                tool_defs = await list_mcp_tools(
                    endpoint=mcp_tool.server_url,
-                    headers=mcp_tool.headers or {},
+                    headers=headers,
                )

            # Create the MCP list tools message
--- a/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
+++ b/src/llama_stack/providers/inline/agents/meta_reference/responses/tool_executor.py
@ -10,6 +10,7 @@ from collections.abc import AsyncIterator
 from typing import Any

 from llama_stack.apis.agents.openai_responses import (
+    MCPAuthentication,
    OpenAIResponseInputToolFileSearch,
    OpenAIResponseInputToolMCP,
    OpenAIResponseObjectStreamResponseFileSearchCallCompleted,
@ -47,6 +48,34 @@ from .types import ChatCompletionContext, ToolExecutionResult
 logger = get_logger(name=__name__, category="agents::meta_reference")


+def _convert_authentication_to_headers(auth: MCPAuthentication) -> dict[str, str]:
+    """Convert MCPAuthentication config to HTTP headers.
+
+    Args:
+        auth: Authentication configuration
+
+    Returns:
+        Dictionary of HTTP headers for authentication
+    """
+    headers = {}
+
+    if auth.type == "bearer":
+        if auth.token:
+            headers["Authorization"] = f"Bearer {auth.token}"
+    elif auth.type == "basic":
+        if auth.username and auth.password:
+            import base64
+
+            credentials = f"{auth.username}:{auth.password}"
+            encoded = base64.b64encode(credentials.encode()).decode()
+            headers["Authorization"] = f"Basic {encoded}"
+    elif auth.type == "api_key":
+        if auth.api_key:
+            headers[auth.header_name] = auth.api_key
+
+    return headers
+
+
 class ToolExecutor:
    def __init__(
        self,
@ -299,10 +328,20 @@ class ToolExecutor:
                    "server_url": mcp_tool.server_url,
                    "tool_name": function_name,
                }
+                # Prepare headers with authentication from tool config
+                headers = dict(mcp_tool.headers or {})
+                if mcp_tool.authentication:
+                    auth_headers = _convert_authentication_to_headers(mcp_tool.authentication)
+                    # Don't override existing headers (case-insensitive check)
+                    existing_keys_lower = {k.lower() for k in headers.keys()}
+                    for key, value in auth_headers.items():
+                        if key.lower() not in existing_keys_lower:
+                            headers[key] = value
+
                async with tracing.span("invoke_mcp_tool", attributes):
                    result = await invoke_mcp_tool(
                        endpoint=mcp_tool.server_url,
-                        headers=mcp_tool.headers or {},
+                        headers=headers,
                        tool_name=function_name,
                        kwargs=tool_kwargs,
                    )