feat(teams): per-user OAuth connect flow (Path B) broker connector (spec 074, MCP-1038)#602
Merged
Conversation
…pec 074, MCP-1038) Adds internal/teams/broker.OAuthConnector implementing Path B of the upstream token-brokering spec: a per-user authorization-code + PKCE connect flow against an upstream AS that does not support token exchange. - BuildAuthorizationURL: PKCE (S256) verifier/challenge + opaque per-user state, tracked in-memory with a TTL; requires explicit AS consent (confused-deputy avoidance, FR-011). - Complete: validates state (unknown/expired/one-time), exchanges the code via the bound verifier, stores the per-user credential encrypted with ObtainedVia=connect_flow (FR-010). - Deny: clears the pending flow, stores nothing (denied consent). - Refresh: transparent refresh_token grant, preserving a non-rotated refresh token (FR-012). Config: AuthBrokerConfig gains authorization_endpoint, required for the oauth_connect mode. TDD: PKCE URL build + uniqueness, PKCE roundtrip, invalid/expired/one-time state, token-endpoint error, denied consent stores nothing, refresh path. Reuses oauth.GenerateServerKey for the store key; server edition only. Related #1038 Co-Authored-By: Paperclip <noreply@paperclip.ing>
Deploying mcpproxy-docs with
|
| Latest commit: |
3a92bdb
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://f265c896.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://074-t5-oauth-connector.mcpproxy-docs.pages.dev |
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27395533500 --repo smart-mcp-proxy/mcpproxy-go
|
…irement (spec 074, MCP-1038) Address CodexReviewer request_changes on PR #602 (ENG-9): the per-upstream auth_broker config block had no docs. Add docs/features/auth-broker.md covering all three modes (token_exchange, entra_obo, oauth_connect), every field, and the oauth_connect Path B flow. Call out that auth_broker.authorization_endpoint is required for mode oauth_connect. Cross-reference from the upstream-servers config-options table. Related #602
Co-Authored-By: Paperclip <noreply@paperclip.ing>
There was a problem hiding this comment.
✅ Gatekeeper approval — Codex review verdict: ACCEPT.
This approval is posted automatically by the MCPProxy Gatekeeper App on behalf of the Codex reviewer (verdict of record lives in the Paperclip review thread). Author≠approver satisfied; QA + CI gates enforced separately.
Auto-approved per Model B (MCP-1249).
Dumbris
added a commit
that referenced
this pull request
Jun 10, 2026
Add a new 'server-edition' job to unit-tests.yml that builds and tests the server edition (-tags server) on every push and PR. This catches build breaks like the one in PR #602 where a duplicate type in a server-tagged file slipped through because only release.yml (tag-only) compiled with -tags server. Related #MCP-1886
…tion collision (MCP-1038) QATester BLOCKED #602: internal/teams/broker failed `-tags server` compile — oauth_connector.go redeclared `type tokenResponse`, already declared on main in token_exchanger.go (same broker package, from MCP-1037). The two serve different endpoints (plain OAuth token vs RFC 8693 token-exchange) with different field shapes (ExpiresIn int vs int64, IssuedTokenType), so they are NOT merged: the connector's type is renamed to oauthTokenResponse and its 4 references updated. Verified: go vet -tags server ./internal/teams/broker/, go build -tags server ./..., go build ./cmd/mcpproxy, go test -race -tags server ./internal/teams/broker/... (connector tests now run + pass). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dumbris
added a commit
that referenced
this pull request
Jun 15, 2026
Add a new 'server-edition' job to unit-tests.yml that builds and tests the server edition (-tags server) on every push and PR. This catches build breaks like the one in PR #602 where a duplicate type in a server-tagged file slipped through because only release.yml (tag-only) compiled with -tags server. Related #MCP-1886
This was referenced Jun 15, 2026
Dumbris
added a commit
that referenced
this pull request
Jun 15, 2026
… pkg (MCP-2455) (#679) PR #602 added internal/teams/broker/oauth_connector.go AFTER the Teams->Server Edition rename (#603) moved internal/teams/ -> internal/serveredition/. The connector landed in the stale path, in package broker, referencing CredentialStore/UpstreamCredential as same-package symbols — but those live in internal/serveredition/broker. Result: 'undefined: CredentialStore' under -tags server, breaking the Server Edition CI job on main (and therefore on every open PR after #631 added that job to PR CI). Fix: git mv the connector + its test into internal/serveredition/broker/ (no importers of the old path) and delete the now-empty internal/teams/ tree. Same package, so all refs resolve. No code changes. Verified: go build -tags server ./... (0), go build ./... (0), go test -tags server ./internal/serveredition/... (all ok). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dumbris
added a commit
that referenced
this pull request
Jun 15, 2026
…am (spec 074, MCP-1039) (#688) * feat(broker): CredentialResolver — per-user-only ordering + policy seam (spec 074, MCP-1039) Add the per-user credential resolver (T6) that selects which brokered credential to inject on a proxied request. Strict per-user-only ordering (FR-013/FR-014), with no shared or static fallback: 1. valid cached per-user credential (refreshed if near-expiry); 2. else token-exchange / Entra OBO from the stored IdP subject token; 3. else, for oauth_connect upstreams the user has not connected, an actionable NotConnectedError carrying the connect URL; 4. else ErrNoCredential. - Single-flight coalescing per (user, server) so concurrent acquisitions do not trigger duplicate upstream token flows (golang.org/x/sync). - PolicyHook seam (FR-015) evaluated per call before a credential is returned; ships with an allow-all default (no policy engine yet). - Unauthenticated callers and a disabled store are rejected up front. - Exchanger/Connector/ConnectorProvider interfaces decouple the resolver from the concrete TokenExchanger (T4) and OAuthConnector (T5); both satisfy the interfaces via compile-time assertions. TDD: each ordering branch, near-expiry refresh (token-exchange + connect), unconnected -> connect-URL error, unauthenticated reject, store-disabled, policy-denied, no-static-fallback, and single-flight under -race. Related: spec 074 (MCP-1033). Builds on T3 (#601), T4 (#600), T5 (#602), all merged to main. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(broker): address review on CredentialResolver — singleflight ctx, double-exchange, reconnect error Review (MCP-2490 / Critic) on PR #688: - must-fix: detach the caller's context inside the single-flight closure with context.WithoutCancel. The flight runs the acquisition once for all co-pending callers; inheriting the first caller's cancellation let a single client disconnect/timeout broadcast ctx.Err() to every waiter for the same (user, server). Per-caller cancellation still applies at the policy/return layer (caller's original ctx). - advisory: collapse the per-mode acquire/refresh paths so a near-expiry token-exchange miss no longer calls Exchange twice (refresh-then-fallthrough); a single Exchange now covers both cache-miss and near-expiry. - advisory: an already-connected oauth_connect user whose refresh fails now gets an actionable reconnect error (NotConnectedError.Reason) instead of a misleading "never connected" message; the connect URL is still surfaced. - advisory: document that the Exchanger (T4) and Connector (T5) persist their results themselves, so the resolver never calls store.Put. Tests: add single-flight caller-cancellation detach, no-double-exchange on near-expiry failure, and connect-flow refresh-fail -> reconnect. Full broker suite green under -tags server -race; golangci-lint v2.5.0 clean. Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs(auth-broker): document per-user credential resolution ordering (spec 074, MCP-1039) Add a "Credential resolution" section describing the resolver's strict per-user-only ordering (cached/refresh -> token-exchange/OBO -> actionable connect-URL error -> no-credential), the no-shared/static-fallback guarantee, single-flight coalescing, and the policy-decision seam. Keeps the feature doc consistent with the CredentialResolver added in this PR (review follow-up). Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Spec 074 · T5 — OAuthConnector (Path B)
Implements the per-user OAuth connect flow for upstreams whose AS does not support token exchange but does standard authorization-code OAuth. This is the connector engine + handlers; REST endpoints are T8 ([MCP-1041]).
Builds on T1 ([MCP-1034], CredentialStore #587) and T2 ([MCP-1035], auth_broker config #588), both merged.
What's added
internal/teams/broker/OAuthConnector(server edition only):BuildAuthorizationURL(userID)— generates a PKCE (S256) verifier/challenge and an opaque per-userstate, tracks the pending flow in-memory with a TTL, and returns the upstream authorize URL. Explicit AS consent + unguessable state = confused-deputy avoidance (FR-011).Complete(ctx, state, code)— validatesstate(rejects unknown / expired / already-used), exchanges the code via the bound verifier at the token endpoint, and persists the per-user credential encrypted withObtainedVia=connect_flow(FR-010). State is single-use.Deny(state, reason)— denied/failed callback clears the pending flow and stores nothing.Refresh(ctx, userID)— transparentrefresh_tokengrant; preserves a non-rotated refresh token (FR-012).Store key uses the existing
oauth.GenerateServerKey(name,url)scheme. The HTTP token-exchange pattern mirrors the mergedinternal/teams/auth/oauth_providers.go.Config
config.AuthBrokerConfiggainsauthorization_endpoint, now required whenmode: oauth_connect(the connect flow needs the upstream authorize URL).token_exchange/entra_oboare unaffected.Tests (TDD — test-first, watched RED → GREEN)
oauth_connector_test.go: PKCE URL build + per-flow uniqueness, full PKCE roundtrip (token endpoint receives a verifier whose S256 equals the advertised challenge), invalid/expired/one-timestate, token-endpoint error → nothing stored, denied consent → nothing stored, refresh path (incl. preserve-on-no-rotation and no-refresh-token error), constructor validation. Plusauth_broker_test.gofor the new config requirement.Verification
go test -tags server -race ./internal/teams/broker/ ./internal/config/✅go test -tags server ./internal/teams/...✅go build -tags server ./cmd/mcpproxy✅ andgo build ./cmd/mcpproxy(personal unaffected) ✅gofmt -lclean,go vet -tags servercleanDocs note
The whole
auth_brokerblock is still being assembled across spec-074 tasks and currently has no user-facing docs (T1/T2 merged the config block + store with godoc only; the user surface — REST/CLI — lands in T8/T9). Following that precedent, end-user docs for the connect flow belong with the surfacing tasks; the new config key carries thorough godoc here.Related #1038