phoenix-oss/open-mcp-auth-proxy-upstream
0
0
Fork 1
mirror of https://github.com/wso2/open-mcp-auth-proxy.git synced 2025-06-28 17:34:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Update scope validation implementation

Browse source
This commit is contained in:
NipuniBhagya 2025-05-21 10:00:01 +05:30
parent 5c22f36ddc
commit 64caaa0f7c
7 changed files with 202 additions and 138 deletions
Download patch file Download diff file Expand all files Collapse all files

16
internal/proxy/proxy.go
View file

@ -302,6 +302,7 @@ func authorizeSSE(w http.ResponseWriter, r *http.Request, isLatestSpec bool, res
// Handles both v1 (just signature) and v2 (aud + scope) flows
func authorizeMCP(w http.ResponseWriter, r *http.Request, isLatestSpec bool, cfg *config.Config, accessController authz.AccessControl) error {
authzHeader := r.Header.Get("Authorization")
accessToken, _ := util.ExtractAccessToken(authzHeader)
if !strings.HasPrefix(authzHeader, "Bearer ") {
if isLatestSpec {
realm := cfg.ResourceIdentifier + "/.well-known/oauth-protected-resource"
@ -314,7 +315,7 @@ func authorizeMCP(w http.ResponseWriter, r *http.Request, isLatestSpec bool, cfg
return fmt.Errorf("missing or invalid Authorization header")
}
claims, err := util.ValidateJWT(isLatestSpec, authzHeader, cfg.Audience)
err := util.ValidateJWT(isLatestSpec, accessToken, cfg.Audience)
if err != nil {
if isLatestSpec {
realm := cfg.ResourceIdentifier + "/.well-known/oauth-protected-resource"
@ -331,16 +332,19 @@ func authorizeMCP(w http.ResponseWriter, r *http.Request, isLatestSpec bool, cfg
}
if isLatestSpec {
env, err := util.ParseRPCRequest(r)
_, err := util.ParseRPCRequest(r)
if err != nil {
http.Error(w, "Bad request", http.StatusBadRequest)
return err
}
requiredScopes := util.GetRequiredScopes(cfg, env.Method)
if len(requiredScopes) == 0 {
return nil
claimsMap, err := util.ParseJWT(accessToken)
if err != nil {
http.Error(w, "Invalid token claims", http.StatusUnauthorized)
return fmt.Errorf("invalid token claims")
}
pr := accessController.ValidateAccess(r, claims, requiredScopes)
pr := accessController.ValidateAccess(r, &claimsMap, cfg)
if pr.Decision == authz.DecisionDeny {
http.Error(w, "Forbidden: "+pr.Message, http.StatusForbidden)
return fmt.Errorf("forbidden — %s", pr.Message)