Merge branch 'main' into ihrpr/RFC-8707

ihrpr · ihrpr · commit c5e3c6d926d1 · 2025-06-23T14:27:05.000+01:00
diff --git a/README.md b/README.md
@@ -444,7 +444,8 @@ mcp = FastMCP(
     "My App",
     token_verifier=MyTokenVerifier(),
     auth=AuthSettings(
-        authorization_servers=["https://auth.example.com"],
+        issuer_url="https://auth.example.com",
+        resource_server_url="http://localhost:3001",
         required_scopes=["mcp:read", "mcp:write"],
     ),
 )
diff --git a/examples/servers/simple-auth/README.md b/examples/servers/simple-auth/README.md
@@ -13,7 +13,7 @@ This example demonstrates OAuth 2.0 authentication with the Model Context Protoc
 
 **Set environment variables:**
 ```bash
-export MCP_GITHUB_CLIENT_ID="your_client_id_here"  
+export MCP_GITHUB_CLIENT_ID="your_client_id_here"
 export MCP_GITHUB_CLIENT_SECRET="your_client_secret_here"
 ```
 
@@ -28,7 +28,7 @@ export MCP_GITHUB_CLIENT_SECRET="your_client_secret_here"
 cd examples/servers/simple-auth
 
 # Start Authorization Server on port 9000
-python -m mcp_simple_auth.auth_server --port=9000
+uv run mcp-simple-auth-as --port=9000
 ```
 
 **What it provides:**
@@ -46,25 +46,20 @@ python -m mcp_simple_auth.auth_server --port=9000
 cd examples/servers/simple-auth
 
 # Start Resource Server on port 8001, connected to Authorization Server
-python -m mcp_simple_auth.server --port=8001 --auth-server=http://localhost:9000  --transport=streamable-http
+uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000  --transport=streamable-http
 
 # With RFC 8707 strict resource validation (recommended for production)
-python -m mcp_simple_auth.server --port=8001 --auth-server=http://localhost:9000  --transport=streamable-http --oauth-strict
-```
+uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000  --transport=streamable-http --oauth-strict
 
-**OAuth Strict Mode (`--oauth-strict`):**
-- Enables RFC 8707 resource indicator validation
-- Ensures tokens are only accepted if they were issued for this specific resource server
-- Prevents token misuse across different services
-- Recommended for production environments where security is critical
+```
 
 
 ### Step 3: Test with Client
 
 ```bash
 cd examples/clients/simple-auth-client
-# Start client with streamable HTTP  
-MCP_SERVER_PORT=8001 MCP_TRANSPORT_TYPE=streamable_http python -m mcp_simple_auth_client.main
+# Start client with streamable HTTP
+MCP_SERVER_PORT=8001 MCP_TRANSPORT_TYPE=streamable_http uv run mcp-simple-auth-client
 ```
 
 
@@ -103,7 +98,7 @@ For backwards compatibility with older MCP implementations, a legacy server is p
 
 ```bash
 # Start legacy authorization server on port 8002
-python -m mcp_simple_auth.legacy_as_server --port=8002
+uv run mcp-simple-auth-legacy --port=8002
 ```
 
 **Differences from the new architecture:**
@@ -117,12 +112,13 @@ python -m mcp_simple_auth.legacy_as_server --port=8002
 
 ```bash
 # Test with client (will automatically fall back to legacy discovery)
-MCP_SERVER_PORT=8002 MCP_TRANSPORT_TYPE=streamable_http python -m mcp_simple_auth_client.main
+cd examples/clients/simple-auth-client
+MCP_SERVER_PORT=8002 MCP_TRANSPORT_TYPE=streamable_http uv run mcp-simple-auth-client
 ```
 
 The client will:
 1. Try RFC 9728 discovery at `/.well-known/oauth-protected-resource` (404 on legacy server)
-2. Fall back to direct OAuth discovery at `/.well-known/oauth-authorization-server` 
+2. Fall back to direct OAuth discovery at `/.well-known/oauth-authorization-server`
 3. Complete authentication with the MCP server acting as its own AS
 
 This ensures existing MCP servers (which could optionally act as Authorization Servers under the old spec) continue to work while the ecosystem transitions to the new architecture where MCP servers are Resource Servers only.
diff --git a/examples/servers/simple-auth/mcp_simple_auth/auth_server.py b/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
@@ -68,7 +68,7 @@ def create_authorization_server(server_settings: AuthServerSettings, github_sett
             default_scopes=[github_settings.mcp_scope],
         ),
         required_scopes=[github_settings.mcp_scope],
-        authorization_servers=None,
+        resource_server_url=None,
     )
 
     # Create OAuth routes
@@ -113,20 +113,16 @@ async def introspect_handler(request: Request) -> Response:
             return JSONResponse({"active": False})
 
         # Return token info for Resource Server
-        response_data = {
-            "active": True,
-            "client_id": access_token.client_id,
-            "scope": " ".join(access_token.scopes),
-            "exp": access_token.expires_at,
-            "iat": int(time.time()),
-            "token_type": "Bearer",
-        }
-
-        # Include audience claim for RFC 8707 resource validation
-        if access_token.resource:
-            response_data["aud"] = access_token.resource
-
-        return JSONResponse(response_data)
+        return JSONResponse(
+            {
+                "active": True,
+                "client_id": access_token.client_id,
+                "scope": " ".join(access_token.scopes),
+                "exp": access_token.expires_at,
+                "iat": int(time.time()),
+                "token_type": "Bearer",
+            }
+        )
 
     routes.append(
         Route(
diff --git a/examples/servers/simple-auth/mcp_simple_auth/legacy_as_server.py b/examples/servers/simple-auth/mcp_simple_auth/legacy_as_server.py
@@ -59,8 +59,8 @@ def create_simple_mcp_server(server_settings: ServerSettings, github_settings: G
             default_scopes=[github_settings.mcp_scope],
         ),
         required_scopes=[github_settings.mcp_scope],
-        # No authorization_servers parameter in legacy mode
-        authorization_servers=None,
+        # No resource_server_url parameter in legacy mode
+        resource_server_url=None,
     )
 
     app = FastMCP(
diff --git a/examples/servers/simple-auth/mcp_simple_auth/server.py b/examples/servers/simple-auth/mcp_simple_auth/server.py
@@ -77,9 +77,9 @@ def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
         # Auth configuration for RS mode
         token_verifier=token_verifier,
         auth=AuthSettings(
-            issuer_url=settings.server_url,
+            issuer_url=settings.auth_server_url,
             required_scopes=[settings.mcp_scope],
-            authorization_servers=[settings.auth_server_url],
+            resource_server_url=settings.server_url,
         ),
     )
 
diff --git a/examples/servers/simple-auth/pyproject.toml b/examples/servers/simple-auth/pyproject.toml
@@ -18,7 +18,9 @@ dependencies = [
 ]
 
 [project.scripts]
-mcp-simple-auth = "mcp_simple_auth.server:main"
+mcp-simple-auth-rs = "mcp_simple_auth.server:main"
+mcp-simple-auth-as = "mcp_simple_auth.auth_server:main"
+mcp-simple-auth-legacy = "mcp_simple_auth.legacy_as_server:main"
 
 [build-system]
 requires = ["hatchling"]
@@ -28,4 +30,4 @@ build-backend = "hatchling.build"
 packages = ["mcp_simple_auth"]
 
 [tool.uv]
-dev-dependencies = ["pyright>=1.1.391", "pytest>=8.3.4", "ruff>=0.8.5"]
+dev-dependencies = ["pyright>=1.1.391", "pytest>=8.3.4", "ruff>=0.8.5"]
diff --git a/src/mcp/server/auth/settings.py b/src/mcp/server/auth/settings.py
@@ -15,15 +15,16 @@ class RevocationOptions(BaseModel):
 class AuthSettings(BaseModel):
     issuer_url: AnyHttpUrl = Field(
         ...,
-        description="Base URL where this server is reachable. For AS: OAuth issuer URL. For RS: Resource server URL.",
+        description="OAuth authorization server URL that issues tokens for this resource server.",
     )
     service_documentation_url: AnyHttpUrl | None = None
     client_registration_options: ClientRegistrationOptions | None = None
     revocation_options: RevocationOptions | None = None
     required_scopes: list[str] | None = None
 
     # Resource Server settings (when operating as RS only)
-    authorization_servers: list[AnyHttpUrl] | None = Field(
-        None,
-        description="Authorization servers that can issue tokens for this resource (RS mode)",
+    resource_server_url: AnyHttpUrl | None = Field(
+        ...,
+        description="The URL of the MCP server to be used as the resource identifier "
+        "and base route to look up OAuth Protected Resource Metadata.",
     )
diff --git a/src/mcp/server/fastmcp/server.py b/src/mcp/server/fastmcp/server.py
@@ -743,11 +743,11 @@ async def handle_sse(scope: Scope, receive: Receive, send: Send):
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth and self.settings.auth.resource_server_url:
                 from pydantic import AnyHttpUrl
 
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    str(self.settings.auth.resource_server_url).rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             # Auth is enabled, wrap the endpoints with RequireAuthMiddleware
@@ -785,13 +785,13 @@ async def sse_endpoint(request: Request) -> Response:
                 )
             )
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth and self.settings.auth.resource_server_url:
             from mcp.server.auth.routes import create_protected_resource_routes
 
             routes.extend(
                 create_protected_resource_routes(
-                    resource_url=self.settings.auth.issuer_url,
-                    authorization_servers=self.settings.auth.authorization_servers,
+                    resource_url=self.settings.auth.resource_server_url,
+                    authorization_servers=[self.settings.auth.issuer_url],
                     scopes_supported=self.settings.auth.required_scopes,
                 )
             )
@@ -858,11 +858,11 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
         if self._token_verifier:
             # Determine resource metadata URL
             resource_metadata_url = None
-            if self.settings.auth and self.settings.auth.authorization_servers:
+            if self.settings.auth and self.settings.auth.resource_server_url:
                 from pydantic import AnyHttpUrl
 
                 resource_metadata_url = AnyHttpUrl(
-                    str(self.settings.auth.issuer_url).rstrip("/") + "/.well-known/oauth-protected-resource"
+                    str(self.settings.auth.resource_server_url).rstrip("/") + "/.well-known/oauth-protected-resource"
                 )
 
             routes.append(
@@ -881,14 +881,14 @@ async def handle_streamable_http(scope: Scope, receive: Receive, send: Send) ->
             )
 
         # Add protected resource metadata endpoint if configured as RS
-        if self.settings.auth and self.settings.auth.authorization_servers:
+        if self.settings.auth and self.settings.auth.resource_server_url:
             from mcp.server.auth.handlers.metadata import ProtectedResourceMetadataHandler
             from mcp.server.auth.routes import cors_middleware
             from mcp.shared.auth import ProtectedResourceMetadata
 
             protected_resource_metadata = ProtectedResourceMetadata(
-                resource=self.settings.auth.issuer_url,
-                authorization_servers=self.settings.auth.authorization_servers,
+                resource=self.settings.auth.resource_server_url,
+                authorization_servers=[self.settings.auth.issuer_url],
                 scopes_supported=self.settings.auth.required_scopes,
             )
             routes.append(
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -259,56 +259,6 @@ async def test_token_exchange_request(self, oauth_provider):
         assert "code_verifier=test_verifier" in content
         assert "client_id=test_client" in content
         assert "client_secret=test_secret" in content
-        # Resource parameter should be included per RFC 8707
-        assert "resource=https%3A%2F%2Fapi.example.com%2Fv1%2Fmcp" in content
-
-    @pytest.mark.anyio
-    async def test_authorization_url_request(self, oauth_provider):
-        """Test authorization URL construction with resource parameter."""
-        from unittest.mock import patch
-
-        # Set up required context
-        oauth_provider.context.client_info = OAuthClientInformationFull(
-            client_id="test_client",
-            client_secret="test_secret",
-            redirect_uris=[AnyUrl("http://localhost:3030/callback")],
-        )
-
-        # Mock the redirect handler to capture the URL
-        captured_url = None
-
-        async def mock_redirect_handler(url: str):
-            nonlocal captured_url
-            captured_url = url
-
-        oauth_provider.context.redirect_handler = mock_redirect_handler
-
-        # Mock callback handler
-        async def mock_callback_handler():
-            return "test_auth_code", "test_state"
-
-        oauth_provider.context.callback_handler = mock_callback_handler
-
-        # Mock pkce and state generation for predictable testing
-        with (
-            patch("mcp.client.auth.PKCEParameters.generate") as mock_pkce,
-            patch("mcp.client.auth.secrets.token_urlsafe") as mock_state,
-        ):
-            mock_pkce.return_value.code_verifier = "test_verifier"
-            mock_pkce.return_value.code_challenge = "test_challenge"
-            mock_state.return_value = "test_state"
-
-            # Mock compare_digest to return True
-            with patch("mcp.client.auth.secrets.compare_digest", return_value=True):
-                await oauth_provider._perform_authorization()
-
-        # Verify the captured URL contains resource parameter
-        assert captured_url is not None
-        assert "resource=https%3A%2F%2Fapi.example.com%2Fv1%2Fmcp" in captured_url
-        assert "client_id=test_client" in captured_url
-        assert "response_type=code" in captured_url
-        assert "code_challenge=test_challenge" in captured_url
-        assert "code_challenge_method=S256" in captured_url
 
     @pytest.mark.anyio
     async def test_refresh_token_request(self, oauth_provider, valid_tokens):
@@ -333,8 +283,6 @@ async def test_refresh_token_request(self, oauth_provider, valid_tokens):
         assert "refresh_token=test_refresh_token" in content
         assert "client_id=test_client" in content
         assert "client_secret=test_secret" in content
-        # Resource parameter should be included per RFC 8707
-        assert "resource=https%3A%2F%2Fapi.example.com%2Fv1%2Fmcp" in content
 
 
 class TestAuthFlow:
