mirror of
https://github.com/openshift/openshift-mcp-server.git
synced 2025-10-17 14:27:48 +03:00
Introduce require-oauth flag

When this flag is enabled, authorization middleware will be turned on. When this flag is enabled, Derived, which is generated based on the client token, will not be used.

---

Wire Authorization middleware to http mux

This commit adds authorization middleware. Additionally, this commit rejects the requests if the bearer token is absent from the Authorization header of the request.

---

Add offline token validation for expiration and audience

Per Model Context Protocol specification, MCP Servers must check the audience field of the token to ensure that they are generated specifically for them. This commit parses the JWT token and asserts that the audience is correct and the token is not expired.

---

Add online token verification via TokenReview request to API Server

This commit sends online token verification by sending a request to the TokenReview endpoint of the API Server with the token and expected audience. If the API Server returns the status as authenticated, that means this token can be used to generate a new ad hoc token for MCP Server. If the API Server returns the status as not authenticated, that means this token is invalid and MCP Server returns 401 to force the client to initiate the OAuth flow.

---

Serve oauth protected resource metadata endpoint

---

Introduce server-url to be represented in protected resource metadata

---

Add error return type in Derived function

---

Return error if error occurs in Derived, when require-oauth

---

Add test cases for authorization-url and server-url

---

Wire server-url to audience, if it is set

---

Remove redundant ssebaseurl parameter from http
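The authorization chain the commits above describe (reject requests without a bearer token, check `exp` and `aud` offline, then confirm the token online with a TokenReview carrying the same audience, and return 401 otherwise), as an added Go example that is not the project's own code. Everything here is assumed for illustration: the `AuthConfig` type and its field names, the `Review` callback that stands in for the real TokenReview call to the API server so the example runs offline, the example URLs, and the `MakeUnsignedToken` helper that builds constructed test tokens. The `WWW-Authenticate: Bearer resource_metadata=...` hint on the 401 follows RFC 9728 and is added here; the commit message only says the server returns 401 and serves a protected resource metadata endpoint. Note that the offline step decodes the JWT payload without verifying its signature, which is exactly why the online TokenReview must follow it rather than replace it.

```go
package main

import (
	"context"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"strings"
	"time"
)

// AuthConfig holds the require-oauth settings (field names assumed). ServerURL doubles
// as the expected audience, as the commit message describes. Review stands in for the
// online TokenReview request to the Kubernetes API server so the example runs offline.
type AuthConfig struct {
	ServerURL, AuthorizationURL string
	Review                      func(ctx context.Context, token string, audiences []string) (bool, error)
	Now                         func() time.Time
}

// ValidateOffline decodes the JWT payload WITHOUT checking the signature and rejects
// tokens that are expired or not issued for expectedAud. It only fails fast on obvious
// misuse; signature trust comes from the online TokenReview that follows.
func ValidateOffline(token, expectedAud string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("token is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return fmt.Errorf("decoding payload: %w", err)
	}
	// RFC 7519: "aud" is a single string or an array of strings; "exp" is Unix seconds.
	var c struct {
		Aud any   `json:"aud"`
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) { // a missing exp is also rejected
		return fmt.Errorf("token is expired")
	}
	auds, _ := c.Aud.([]any)
	if s, ok := c.Aud.(string); ok {
		auds = []any{s}
	}
	for _, a := range auds {
		if s, ok := a.(string); ok && s == expectedAud {
			return nil
		}
	}
	return fmt.Errorf("token audience does not include %q", expectedAud)
}

// unauthorized answers 401 with an RFC 9728 resource_metadata hint so the client can
// discover the authorization server and start the OAuth flow.
func (a *AuthConfig) unauthorized(w http.ResponseWriter, reason string) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata=%q, error="invalid_token", error_description=%q`,
		a.ServerURL+"/.well-known/oauth-protected-resource", reason))
	http.Error(w, reason, http.StatusUnauthorized)
}

// Middleware enforces, in order: bearer token present, offline exp/aud check, online
// TokenReview with the same audience. Only then does the request reach next.
func (a *AuthConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		token, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		if token = strings.TrimSpace(token); !ok || token == "" {
			a.unauthorized(w, "missing bearer token")
			return
		}
		if err := ValidateOffline(token, a.ServerURL, a.Now()); err != nil {
			a.unauthorized(w, err.Error())
			return
		}
		if authenticated, err := a.Review(r.Context(), token, []string{a.ServerURL}); err != nil {
			http.Error(w, "token review failed", http.StatusBadGateway)
			return
		} else if !authenticated {
			a.unauthorized(w, "token rejected by API server")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProtectedResourceMetadata serves the RFC 9728 document that the 401 hint points at.
func (a *AuthConfig) ProtectedResourceMetadata(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]any{
		"resource":              a.ServerURL,
		"authorization_servers": []string{a.AuthorizationURL},
	})
}

// MakeUnsignedToken builds a constructed JWT with a dummy signature, enough to exercise
// the offline check (which never looks at the signature).
func MakeUnsignedToken(claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + ".sig"
}

func main() { // demo wiring with a reviewer that rejects everything; swap in a real TokenReview call
	cfg := &AuthConfig{ServerURL: "https://mcp.example.com", AuthorizationURL: "https://sso.example.com", Now: time.Now,
		Review: func(context.Context, string, []string) (bool, error) { return false, nil }}
	http.HandleFunc("/.well-known/oauth-protected-resource", cfg.ProtectedResourceMetadata)
	http.Handle("/mcp", cfg.Middleware(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })))
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The ordering matters: the offline check is cheap and rejects expired or mis-targeted tokens before any round trip to the API server, but a token that passes it has still proven nothing, so a TokenReview failure must also end in 401 rather than a fallback to the unverified claims. Passing the server URL as the TokenReview audience is what stops a token minted for a different service from being accepted here.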