This commit is contained in:
ALB.Leach 2025-10-12 20:56:01 +00:00 committed by GitHub
commit e83c40fa9d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 17 additions and 66 deletions


@ -53,9 +53,8 @@ protected_resource_metadata:
resource_identifier: http://localhost:8080/sse resource_identifier: http://localhost:8080/sse
audience: 2xGW_poFYoObUE_vUQxvGdPSUPwa audience: 2xGW_poFYoObUE_vUQxvGdPSUPwa
scopes_supported: scopes_supported:
- initialize: "mcp_init" - "read:tools"
- tools/call: - "read:resources"
- echo_tool: "mcp_echo_tool"
authorization_servers: authorization_servers:
- https://api.asgardeo.io/t/openmcpauthdemo/oauth2/token - https://api.asgardeo.io/t/openmcpauthdemo/oauth2/token
jwks_uri: https://api.asgardeo.io/t/openmcpauthdemo/oauth2/jwks jwks_uri: https://api.asgardeo.io/t/openmcpauthdemo/oauth2/jwks


@ -86,10 +86,17 @@ func (p *defaultProvider) ProtectedResourceMetadataHandler() http.HandlerFunc {
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
meta := map[string]interface{}{ meta := map[string]interface{}{
"audience": p.cfg.ProtectedResourceMetadata.Audience, "audience": p.cfg.ProtectedResourceMetadata.Audience,
"scopes_supported": p.cfg.ProtectedResourceMetadata.ScopesSupported,
"authorization_servers": p.cfg.ProtectedResourceMetadata.AuthorizationServers, "authorization_servers": p.cfg.ProtectedResourceMetadata.AuthorizationServers,
} }
if len(p.cfg.ProtectedResourceMetadata.ScopesSupported) > 0 {
meta["scopes_supported"] = p.cfg.ProtectedResourceMetadata.ScopesSupported
}
if p.cfg.ProtectedResourceMetadata.ResourceIdentifier != "" {
meta["resource"] = p.cfg.ProtectedResourceMetadata.ResourceIdentifier
}
if p.cfg.ProtectedResourceMetadata.JwksURI != "" { if p.cfg.ProtectedResourceMetadata.JwksURI != "" {
meta["jwks_uri"] = p.cfg.ProtectedResourceMetadata.JwksURI meta["jwks_uri"] = p.cfg.ProtectedResourceMetadata.JwksURI
} }
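Review bot: The new `resource` entry is only written inside the `if p.cfg.ProtectedResourceMetadata.ResourceIdentifier != ""` guard, so a deployment that leaves `resource_identifier` empty serves a metadata document with no `resource` field at all; RFC 9728 treats `resource` as a required member, and a client that compares it against the URL it was pointed at then has nothing to check. Rather than silently omitting it, reject an empty ResourceIdentifier at config-load time or at least log it here, e.g. `// resource is required by RFC 9728; an empty value is a misconfiguration` above the guard. The `map[string]interface{}` literal on the unchanged line above could also be `map[string]any` for consistency with current Go style. ProtectedResourceMetadataHandler begins before and ends after this hunk.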


@ -7,7 +7,6 @@ import (
"github.com/golang-jwt/jwt/v4" "github.com/golang-jwt/jwt/v4"
"github.com/wso2/open-mcp-auth-proxy/internal/config" "github.com/wso2/open-mcp-auth-proxy/internal/config"
"github.com/wso2/open-mcp-auth-proxy/internal/util"
) )
type ScopeValidator struct{} type ScopeValidator struct{}
@ -18,11 +17,7 @@ func (d *ScopeValidator) ValidateAccess(
claims *jwt.MapClaims, claims *jwt.MapClaims,
config *config.Config, config *config.Config,
) AccessControlResult { ) AccessControlResult {
env, err := util.ParseRPCRequest(r) requiredScopes := config.ProtectedResourceMetadata.ScopesSupported
if err != nil {
return AccessControlResult{DecisionDeny, "bad JSON-RPC request"}
}
requiredScopes := util.GetRequiredScopes(config, env)
if len(requiredScopes) == 0 { if len(requiredScopes) == 0 {
return AccessControlResult{DecisionAllow, ""} return AccessControlResult{DecisionAllow, ""}
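Review bot: `requiredScopes := config.ProtectedResourceMetadata.ScopesSupported` makes the advertised `scopes_supported` list the set of scopes demanded on every request, so the metadata document and the enforcement policy are now one value and the per-method granularity the removed `util.GetRequiredScopes` provided is gone: with the sample config every caller needs both `read:tools` and `read:resources` whatever method it invokes, and an operator who shortens the advertised list also loosens enforcement, down to the unconditional `DecisionAllow` below when the list is empty. If a single flat list is the intent, a dedicated field (for example `required_scopes`) keeps what is advertised separate from what is enforced, and a comment above the assignment such as `// every scope in scopes_supported is required on each request; an empty list disables scope checks` should make the fail-open case explicit. Dropping `util.ParseRPCRequest(r)` also removes the `bad JSON-RPC request` deny, so a malformed body now proceeds to the scope check and presumably onward to the upstream — worth confirming that is intended. ValidateAccess starts before and continues past this hunk; the same field-semantics point applies to the struct change in config.go and to the sample config in this commit.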


@ -70,12 +70,12 @@ type ResponseConfig struct {
} }
type ProtectedResourceMetadata struct { type ProtectedResourceMetadata struct {
ResourceIdentifier string `yaml:"resource_identifier"` ResourceIdentifier string `yaml:"resource_identifier"`
Audience string `yaml:"audience"` Audience string `yaml:"audience"`
ScopesSupported []map[string]interface{} `yaml:"scopes_supported"` ScopesSupported []string `yaml:"scopes_supported"`
AuthorizationServers []string `yaml:"authorization_servers"` AuthorizationServers []string `yaml:"authorization_servers"`
JwksURI string `yaml:"jwks_uri,omitempty"` JwksURI string `yaml:"jwks_uri,omitempty"`
BearerMethodsSupported []string `yaml:"bearer_methods_supported,omitempty"` BearerMethodsSupported []string `yaml:"bearer_methods_supported,omitempty"`
} }
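Review bot: Changing `ScopesSupported` from `[]map[string]interface{}` to `[]string` means a config written in the previous per-method mapping form should no longer unmarshal, since a YAML mapping does not decode into a string, and nothing in the commit documents the migration or the new meaning of the field. A doc comment on the field, e.g. `// ScopesSupported lists the scopes published in the protected resource metadata; the scope validator requires all of them on every request.`, plus a short migration note for existing deployments would close that gap. The struct is fully visible in this hunk.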
type PathConfig struct { type PathConfig struct {


@ -10,7 +10,6 @@ import (
"strings" "strings"
"github.com/golang-jwt/jwt/v4" "github.com/golang-jwt/jwt/v4"
"github.com/wso2/open-mcp-auth-proxy/internal/config"
logger "github.com/wso2/open-mcp-auth-proxy/internal/logging" logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
) )
@ -160,55 +159,6 @@ func ParseJWT(tokenStr string) (jwt.MapClaims, error) {
return claims, nil return claims, nil
} }
// Process the required scopes
func GetRequiredScopes(cfg *config.Config, requestBody *RPCEnvelope) []string {
var scopeObj interface{}
found := false
for _, m := range cfg.ProtectedResourceMetadata.ScopesSupported {
if val, ok := m[requestBody.Method]; ok {
scopeObj = val
found = true
break
}
}
if !found {
return nil
}
switch v := scopeObj.(type) {
case string:
return []string{v}
case []any:
if requestBody.Params != nil {
if paramsMap, ok := requestBody.Params.(map[string]any); ok {
name, ok := paramsMap["name"].(string)
if ok {
for _, item := range v {
if scopeMap, ok := item.(map[interface{}]interface{}); ok {
if scopeVal, exists := scopeMap[name]; exists {
if scopeStr, ok := scopeVal.(string); ok {
return []string{scopeStr}
}
if scopeArr, ok := scopeVal.([]any); ok {
var scopes []string
for _, s := range scopeArr {
if str, ok := s.(string); ok {
scopes = append(scopes, str)
}
}
return scopes
}
}
}
}
}
}
}
}
return nil
}
// Extracts the Bearer token from the Authorization header // Extracts the Bearer token from the Authorization header
func ExtractAccessToken(authHeader string) (string, error) { func ExtractAccessToken(authHeader string) (string, error) {