feat/authorization #149
@claude can you have a look at this PR ? |
@pietrozullo, could you please tell what is blocking the PR? It looks like it's covering the MCP spec. Is the merge expected any time soon? |
Hey @almalejko it is quite a big PR and I did not have time to review it and make sure it is proper, to me it works. I will try to YOLO it these next few days. Do you need it? |
@pietrozullo, thanks for the answer! Are you aware of any public mcp servers that implement dynamic client registration? I would test the mcp client with them |
@almalejko Linear, Asana and others (this is a good list) support DCR https://github.com/jaw9c/awesome-remote-mcp-servers @renvins did you test with them ? Did you test with github ? I know Github does not follow oauth spec properly so it might fail. |
@pietrozullo I've tested Linear and Asana, it's ok. GitHub has some issues. |
@renvins one other couple things that I would test here are:
|
The old non auth https servers were fixed in the previous commit. In the next hours/tomorrow I'm going to test all the rest |
- Remove auth field to reduce API verbosity
- Add "auth" support for MCPClient's config
- Add "oauth_provider" key to MCPClient's config to provide metadata
- Fix no OAuth servers' errors
Signed-off-by: Vincenzo Reina <[email protected]>
Giving you a summary to clarify the ideas as much as possible:
I think I made the right architectural decision. Having both the field and the single setting in the config created incompatibilities with servers that didn't need auth and much more. @pietrozullo let me know! |
@pietrozullo What about the auth_token field? In our auth implementation we handle the bearer token case, so should we remove it or not? |
Hey @renvins could you please fix the tests and write an integration test for Authorization ? |
Hey @pietrozullo. Of course! Then I proceed updating the bugged test, removing the old field auth_token and creating an integration test for authorization! |
@pietrozullo I've manually tested all the features listed in the documentation and they work properly as expected. I updated a little mistake in one example on the doc. The integration test is done and it tests all the auth flow (mocking only the web browser and the callback server), discovery, DCR, token and auth. I added in the test also test for custom auth and for the direct usage of the Bearer token. I've also added the badge in the README and the test in GH actions. Hope you enjoy that? What are the next steps now? Waiting for you. |
@renvins You are the best! I will now review and merge |
Co-authored-by: Copilot <[email protected]> Signed-off-by: Pietro Zullo <[email protected]>
Co-authored-by: Copilot <[email protected]> Signed-off-by: Pietro Zullo <[email protected]>
@pietrozullo Thank you! We should modify also the examples before merging! (it takes 5 mins). If you want do also some tests on your own! |
You can modify the example yes, I just tested with notion mcp and it works great. Something like this could work:

```python
import logging
from typing import Any, Dict, Optional

import httpx

logger = logging.getLogger(__name__)


# Method of the auth handler class (the class itself is not shown in this comment).
async def discover_oauth_metadata(self, server_url: str) -> Optional[Dict[str, Any]]:
    """
    Discover OAuth metadata from server following OAuth 2.0 Authorization Server Metadata spec
    """
    logger.info(f"🔍 [MCP Auth] Discovering OAuth metadata for: {server_url}")
    try:
        # Parse base URL (scheme + host, path dropped)
        if "://" in server_url:
            base_url = "/".join(server_url.split("/")[:3])
        else:
            base_url = f"https://{server_url}"
        # Standard OAuth discovery endpoints.
        # The OpenID Connect discovery path is "openid-configuration" (hyphen, not underscore).
        endpoints = [
            f"{base_url}/.well-known/oauth-authorization-server",
            f"{base_url}/.well-known/openid-configuration",
        ]
        # Special handling for Linear MCP.
        # Note: this is a substring match on the whole URL, not a hostname comparison.
        if "linear.app" in server_url:
            endpoints.insert(0, "https://mcp.linear.app/.well-known/oauth-authorization-server")
            endpoints.insert(1, "https://mcp.linear.app/.well-known/openid-configuration")
        async with httpx.AsyncClient() as client:
            for endpoint in endpoints:
                try:
                    logger.info(f"📤 [MCP Auth] Trying endpoint: {endpoint}")
                    response = await client.get(endpoint, headers={"Accept": "application/json"})
                    if response.status_code == 200:
                        metadata = response.json()
                        # Validate required fields
                        if metadata.get("authorization_endpoint") and metadata.get("token_endpoint"):
                            logger.info(f"✅ [MCP Auth] Valid metadata found at: {endpoint}")
                            return metadata
                        else:
                            logger.warning(f"⚠️ [MCP Auth] Invalid metadata at {endpoint}")
                except Exception as e:
                    # Network or JSON errors on one endpoint: try the next one
                    logger.warning(f"❌ [MCP Auth] Failed to fetch {endpoint}: {e}")
                    continue
        logger.warning(f"❌ [MCP Auth] No OAuth metadata found for {server_url}")
        return None
    except Exception as e:
        logger.error(f"❌ [MCP Auth] OAuth discovery failed: {e}")
        return None
```
|
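The snippet above accepts any document that has an `authorization_endpoint` and a `token_endpoint`. As an added example (not code from this PR or from mcp-use), here is a stricter check of discovered metadata along the lines of RFC 8414: the well-known URL is built from the issuer, the `issuer` field must match the one queried, and endpoints must be HTTPS. The function names, the sample documents, and the choice to require PKCE `S256` are assumptions of this example.

```python
from urllib.parse import urlsplit

REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint")
LOOPBACK = ("localhost", "127.0.0.1", "::1")


def metadata_url(issuer: str) -> str:
    """RFC 8414 section 3.1: the well-known segment goes between host and path."""
    p = urlsplit(issuer)
    return f"{p.scheme}://{p.netloc}/.well-known/oauth-authorization-server{p.path.rstrip('/')}"


def _transport_ok(url: str) -> bool:
    """HTTPS anywhere, plain HTTP only on loopback (local development)."""
    p = urlsplit(url)
    if p.scheme == "https" and p.hostname:
        return True
    return p.scheme == "http" and p.hostname in LOOPBACK


def check_metadata(issuer: str, metadata: dict) -> list[str]:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = [f"missing {f}" for f in REQUIRED
                if not isinstance(metadata.get(f), str) or not metadata[f]]
    if problems:
        return problems
    # RFC 8414 section 3.3: the returned issuer must be identical to the one queried,
    # otherwise another party's metadata could be substituted.
    if metadata["issuer"] != issuer:
        problems.append("issuer mismatch")
    for field in ("authorization_endpoint", "token_endpoint", "registration_endpoint"):
        url = metadata.get(field)
        if url is not None and not _transport_ok(url):
            problems.append(f"{field} is not https")
    # Policy choice of this example: refuse servers that do not advertise PKCE S256.
    if "S256" not in (metadata.get("code_challenge_methods_supported") or []):
        problems.append("PKCE S256 not advertised")
    return problems


# Constructed sample documents (example.test is a placeholder domain).
ISSUER = "https://auth.example.test"
GOOD = {"issuer": ISSUER,
        "authorization_endpoint": f"{ISSUER}/authorize",
        "token_endpoint": f"{ISSUER}/token",
        "registration_endpoint": f"{ISSUER}/register",
        "code_challenge_methods_supported": ["S256"]}
BAD = {"issuer": "https://other.example.test",
       "authorization_endpoint": f"{ISSUER}/authorize",
       "token_endpoint": "http://auth.example.test/token"}
```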
@pietrozullo I think that instead of modifying the specs during the callback it would be better to try some different discovery for GitHub. Let me know what you think and also I hope you liked my work! |
Yes it is okay to use different discovery for github. |
Also I've seen that for GH you also need to create an OAuth app on GitHub to get client id etc. because of their lack of support for DCR... |
Oh my bad, true that. Maybe at some point they did, I had this memory. Then this should be ready outside from the doc example right ? |
@pietrozullo I've searched around. They don't have an endpoint for discovery. So we should make an example where user has to EXPLICITLY specify the authorization and token endpoint and they should be this: Also needs to be specified the client_id that is generated from the oauth application that every user should create. If you want, instead of making users set these endpoints manually, we can hardcode them if we see GitHub in the url, preventing discovery. Let me know! And this is where auth is needed: |
@pietrozullo Another problem is that the OAuth application wants the Homepage URL and the callback URL. But since the port is not defined from start, how can we handle this... |
@pietrozullo Let me know any ideas you have! |
- Add customizable port for callback
- Remove dynamic port
- Fix bug of registration before checking port
@pietrozullo Added port support and removed dynamic port. Default port will be 8080 and modified url to localhost. Added also the edge case for automatic discovery for GitHub MCP server. Now I'm going to update docs! LEEEETSGOOO |
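With a fixed port the redirect URI becomes a constant that can be pre-registered (as the GitHub OAuth app requires), and the callback handler can be strict about what it accepts. The following is an added example, not code from this PR: `REDIRECT_URI`, `new_state` and `handle_callback` are hypothetical names, and the port and path are taken from the comment above and the authorization URL in the logs.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

CALLBACK_PORT = 8080  # default port mentioned in the thread
REDIRECT_URI = f"http://localhost:{CALLBACK_PORT}/callback"


def new_state() -> str:
    """Unguessable per-request value sent as the `state` parameter."""
    return secrets.token_urlsafe(32)


def handle_callback(request_target: str, expected_state: str) -> str:
    """Validate the request line target of the callback and return the code.

    Raises ValueError for anything other than exactly one code and one
    state that matches the value generated for this authorization request.
    """
    parts = urlsplit(request_target)
    if parts.path != urlsplit(REDIRECT_URI).path:
        raise ValueError("unexpected callback path")
    params = parse_qs(parts.query, keep_blank_values=True)
    if "error" in params:
        raise ValueError(f"authorization server returned error: {params['error'][0]}")
    for name in ("code", "state"):
        # Duplicated parameters are rejected rather than silently picking one.
        if len(params.get(name, [])) != 1:
            raise ValueError(f"{name} must appear exactly once")
    # Constant-time comparison on bytes (str input must be ASCII for compare_digest).
    if not hmac.compare_digest(params["state"][0].encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]


def rejected(request_target: str, expected_state: str) -> bool:
    """Helper for the sample below: True when the callback is refused."""
    try:
        handle_callback(request_target, expected_state)
        return False
    except ValueError:
        return True


# Constructed sample values.
SAMPLE_STATE = "constructed-state-value"
SAMPLE_OK = f"/callback?code=constructed-code&state={SAMPLE_STATE}"
```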
@pietrozullo Updated also docs. Waiting for your review! |
Hey @renvins great stuff. Here logs:
(.venv) ➜ mcp-use git:(feat/authorization) python examples/simple_oauth_example.py
2025-09-08 11:36:06,474 - mcp_use.telemetry.telemetry - INFO - Anonymized telemetry enabled. Set MCP_USE_ANONYMIZED_TELEMETRY=false to disable.
2025-09-08 11:36:06,474 - mcp_use - INFO - 🚀 Initializing MCP agent and connecting to services...
2025-09-08 11:36:06,474 - mcp_use - INFO - 🔌 Found 0 existing sessions
2025-09-08 11:36:06,474 - mcp_use - INFO - 🔄 No active sessions found, creating new ones...
2025-09-08 11:36:06,474 - mcp_use - INFO - Using default callback port 8080
2025-09-08 11:36:06,602 - mcp_use - INFO - OAuth authentication required
2025-09-08 11:36:06,602 - mcp_use - INFO - Attempting Dynamic Client Registration
2025-09-08 11:36:07,004 - mcp_use - INFO - Dynamic Client Registration successful: zVYHH2pqkluWj
Opening browser for authorization: https://mcp.linear.app/authorize?response_type=code&client_id=zVYHH2pkluWj&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&state=4d93v9qhZCZKzYmp7Z9XBXqE3RcJ2jffQGDw90
2025-09-08 11:36:13,846 - mcp_use - ERROR - MCP protocol error during initialization: Session terminated
2025-09-08 11:36:14,961 - mcp_use - INFO - ✅ Created 1 new sessions
2025-09-08 11:36:15,088 - mcp_use - INFO - 🛠️ Created 24 LangChain tools from client
2025-09-08 11:36:15,088 - mcp_use - INFO - 🧰 Found 24 tools across all connectors
2025-09-08 11:36:15,088 - mcp_use - INFO - 🧠 Agent ready with tools: list_comments, create_comment, list_cycles, get_document, list_documents, get_issue, list_issues, create_issue, update_issue, list_issue_statuses, get_issue_status, list_my_issues, list_issue_labels, create_issue_label, list_projects, get_project, create_project, update_project, list_project_labels, list_teams, get_team, list_users, get_user, search_documentation
2025-09-08 11:36:15,137 - mcp_use - INFO - ✨ Agent initialization complete
2025-09-08 11:36:15,137 - mcp_use - INFO - 💬 Received query: 'What are my latest linear tickets'
2025-09-08 11:36:15,137 - mcp_use - INFO - 🏁 Starting agent execution with max_steps=5
2025-09-08 11:36:15,137 - mcp_use - INFO - 👣 Step 1/5
2025-09-08 11:36:20,116 - mcp_use - INFO - 💭 Reasoning: Invoking: `list_my_issues` with `{'limit': 5}`
2025-09-08 11:36:20,116 - mcp_use - INFO - 🔧 Tool call: list_my_issues with input: {'limit': 5}
2025-09-08 11:36:20,116 - mcp_use - INFO - 📄 Tool result: [{"id":"8290d94e-85a5-43f3-a850-719502088cfe","identifier":"MCP-93","title":"LLM in MCPAgent Fail...
2025-09-08 11:36:20,116 - mcp_use - INFO - 👣 Step 2/5
2025-09-08 11:36:29,525 - mcp_use - INFO - ✅ Agent finished at step 2
2025-09-08 11:36:29,525 - mcp_use - INFO - 🎉 Agent execution complete in 23.05090618133545 seconds
Here are your latest Linear tickets:
REDACTED
Let me know if you need more information on any of these tickets!
(.venv) ➜ mcp-use git:(feat/authorization) python examples/simple_oauth_example.py
2025-09-08 11:36:32,864 - mcp_use.telemetry.telemetry - INFO - Anonymized telemetry enabled. Set MCP_USE_ANONYMIZED_TELEMETRY=false to disable.
2025-09-08 11:36:32,865 - mcp_use - INFO - 🚀 Initializing MCP agent and connecting to services...
2025-09-08 11:36:32,865 - mcp_use - INFO - 🔌 Found 0 existing sessions
2025-09-08 11:36:32,865 - mcp_use - INFO - 🔄 No active sessions found, creating new ones...
2025-09-08 11:36:32,865 - mcp_use - INFO - Using default callback port 8080
2025-09-08 11:36:32,991 - mcp_use - ERROR - MCP protocol error during initialization: Session terminated
2025-09-08 11:36:34,175 - mcp_use - INFO - ✅ Created 1 new sessions
2025-09-08 11:36:34,287 - mcp_use - INFO - 🛠️ Created 24 LangChain tools from client
2025-09-08 11:36:34,287 - mcp_use - INFO - 🧰 Found 24 tools across all connectors
2025-09-08 11:36:34,287 - mcp_use - INFO - 🧠 Agent ready with tools: list_comments, create_comment, list_cycles, get_document, list_documents, get_issue, list_issues, create_issue, update_issue, list_issue_statuses, get_issue_status, list_my_issues, list_issue_labels, create_issue_label, list_projects, get_project, create_project, update_project, list_project_labels, list_teams, get_team, list_users, get_user, search_documentation
2025-09-08 11:36:34,333 - mcp_use - INFO - ✨ Agent initialization complete
2025-09-08 11:36:34,333 - mcp_use - INFO - 💬 Received query: 'What are my latest linear tickets'
2025-09-08 11:36:34,333 - mcp_use - INFO - 🏁 Starting agent execution with max_steps=5
2025-09-08 11:36:34,333 - mcp_use - INFO - 👣 Step 1/5
2025-09-08 11:36:43,463 - mcp_use - INFO - 💭 Reasoning: Invoking: `list_my_issues` with `{'limit': 5}`
2025-09-08 11:36:43,463 - mcp_use - INFO - 🔧 Tool call: list_my_issues with input: {'limit': 5}
2025-09-08 11:36:43,463 - mcp_use - INFO - 📄 Tool result: [{"id":"8290d94e-85a5-43f3-a850-719502088cfe","identifier":"MCP-93","title":"LLM in MCPAgent Fail...
2025-09-08 11:36:43,464 - mcp_use - INFO - 👣 Step 2/5
2025-09-08 11:36:53,405 - mcp_use - INFO - ✅ Agent finished at step 2
2025-09-08 11:36:53,405 - mcp_use - INFO - 🎉 Agent execution complete in 20.540530920028687 seconds
Here are your latest Linear tickets:
REDACTED
Let me know if you need more information on any of these tickets!
(.venv) ➜ mcp-use git:(feat/authorization)
As you see in both successful runs the logs return an error in the MCP protocol initialization:
|
Issue found, and flagged |
@pietrozullo for me is finished definitely. If you want have a look also at the tests. By the way check also integration tests if you mean to. |
No description provided.