Skip to content

feat(teams): per-user OAuth connect flow (Path B) broker connector (spec 074, MCP-1038)#602

Merged
Dumbris merged 4 commits into
mainfrom
074-t5-oauth-connector
Jun 12, 2026
Merged

feat(teams): per-user OAuth connect flow (Path B) broker connector (spec 074, MCP-1038)#602
Dumbris merged 4 commits into
mainfrom
074-t5-oauth-connector

Conversation

@Dumbris

@Dumbris Dumbris commented Jun 4, 2026

Copy link
Copy Markdown
Member

Spec 074 · T5 — OAuthConnector (Path B)

Implements the per-user OAuth connect flow for upstreams whose AS does not support token exchange but does standard authorization-code OAuth. This is the connector engine + handlers; REST endpoints are T8 ([MCP-1041]).

Builds on T1 ([MCP-1034], CredentialStore #587) and T2 ([MCP-1035], auth_broker config #588), both merged.

What's added

internal/teams/broker/OAuthConnector (server edition only):

  • BuildAuthorizationURL(userID) — generates a PKCE (S256) verifier/challenge and an opaque per-user state, tracks the pending flow in-memory with a TTL, and returns the upstream authorize URL. Explicit AS consent + unguessable state = confused-deputy avoidance (FR-011).
  • Complete(ctx, state, code) — validates state (rejects unknown / expired / already-used), exchanges the code via the bound verifier at the token endpoint, and persists the per-user credential encrypted with ObtainedVia=connect_flow (FR-010). State is single-use.
  • Deny(state, reason) — denied/failed callback clears the pending flow and stores nothing.
  • Refresh(ctx, userID) — transparent refresh_token grant; preserves a non-rotated refresh token (FR-012).

Store key uses the existing oauth.GenerateServerKey(name,url) scheme. The HTTP token-exchange pattern mirrors the merged internal/teams/auth/oauth_providers.go.

Config

config.AuthBrokerConfig gains authorization_endpoint, now required when mode: oauth_connect (the connect flow needs the upstream authorize URL). token_exchange/entra_obo are unaffected.

Tests (TDD — test-first, watched RED → GREEN)

oauth_connector_test.go: PKCE URL build + per-flow uniqueness, full PKCE roundtrip (token endpoint receives a verifier whose S256 equals the advertised challenge), invalid/expired/one-time state, token-endpoint error → nothing stored, denied consent → nothing stored, refresh path (incl. preserve-on-no-rotation and no-refresh-token error), constructor validation. Plus auth_broker_test.go for the new config requirement.

Verification

  • go test -tags server -race ./internal/teams/broker/ ./internal/config/
  • go test -tags server ./internal/teams/...
  • go build -tags server ./cmd/mcpproxy ✅ and go build ./cmd/mcpproxy (personal unaffected) ✅
  • gofmt -l clean, go vet -tags server clean

Docs note

The whole auth_broker block is still being assembled across spec-074 tasks and currently has no user-facing docs (T1/T2 merged the config block + store with godoc only; the user surface — REST/CLI — lands in T8/T9). Following that precedent, end-user docs for the connect flow belong with the surfacing tasks; the new config key carries thorough godoc here.

Related #1038

…pec 074, MCP-1038)

Adds internal/teams/broker.OAuthConnector implementing Path B of the
upstream token-brokering spec: a per-user authorization-code + PKCE
connect flow against an upstream AS that does not support token exchange.

- BuildAuthorizationURL: PKCE (S256) verifier/challenge + opaque per-user
  state, tracked in-memory with a TTL; requires explicit AS consent
  (confused-deputy avoidance, FR-011).
- Complete: validates state (unknown/expired/one-time), exchanges the code
  via the bound verifier, stores the per-user credential encrypted with
  ObtainedVia=connect_flow (FR-010).
- Deny: clears the pending flow, stores nothing (denied consent).
- Refresh: transparent refresh_token grant, preserving a non-rotated
  refresh token (FR-012).

Config: AuthBrokerConfig gains authorization_endpoint, required for the
oauth_connect mode.

TDD: PKCE URL build + uniqueness, PKCE roundtrip, invalid/expired/one-time
state, token-endpoint error, denied consent stores nothing, refresh path.
Reuses oauth.GenerateServerKey for the store key; server edition only.

Related #1038

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 4, 2026

Copy link
Copy Markdown

Deploying mcpproxy-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3a92bdb
Status: ✅  Deploy successful!
Preview URL: https://f265c896.mcpproxy-docs.pages.dev
Branch Preview URL: https://074-t5-oauth-connector.mcpproxy-docs.pages.dev

View logs

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@github-actions

github-actions Bot commented Jun 4, 2026

Copy link
Copy Markdown

📦 Build Artifacts

Workflow Run: View Run
Branch: 074-t5-oauth-connector

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (24 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27395533500 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

Dumbris and others added 2 commits June 9, 2026 09:48
…irement (spec 074, MCP-1038)

Address CodexReviewer request_changes on PR #602 (ENG-9): the per-upstream
auth_broker config block had no docs. Add docs/features/auth-broker.md covering
all three modes (token_exchange, entra_obo, oauth_connect), every field, and the
oauth_connect Path B flow. Call out that auth_broker.authorization_endpoint is
required for mode oauth_connect. Cross-reference from the upstream-servers
config-options table.

Related #602
Co-Authored-By: Paperclip <noreply@paperclip.ing>

@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Gatekeeper approval — Codex review verdict: ACCEPT.

This approval is posted automatically by the MCPProxy Gatekeeper App on behalf of the Codex reviewer (verdict of record lives in the Paperclip review thread). Author≠approver satisfied; QA + CI gates enforced separately.

Auto-approved per Model B (MCP-1249).

Dumbris added a commit that referenced this pull request Jun 10, 2026
Add a new 'server-edition' job to unit-tests.yml that builds and tests
the server edition (-tags server) on every push and PR. This catches
build breaks like the one in PR #602 where a duplicate type in a
server-tagged file slipped through because only release.yml (tag-only)
compiled with -tags server.

Related #MCP-1886
@Dumbris Dumbris closed this Jun 12, 2026
@Dumbris Dumbris reopened this Jun 12, 2026
…tion collision (MCP-1038)

QATester BLOCKED #602: internal/teams/broker failed `-tags server` compile —
oauth_connector.go redeclared `type tokenResponse`, already declared on main in
token_exchanger.go (same broker package, from MCP-1037). The two serve different
endpoints (plain OAuth token vs RFC 8693 token-exchange) with different field
shapes (ExpiresIn int vs int64, IssuedTokenType), so they are NOT merged: the
connector's type is renamed to oauthTokenResponse and its 4 references updated.

Verified: go vet -tags server ./internal/teams/broker/, go build -tags server
./..., go build ./cmd/mcpproxy, go test -race -tags server
./internal/teams/broker/... (connector tests now run + pass).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Dumbris Dumbris merged commit b868697 into main Jun 12, 2026
43 of 45 checks passed
Dumbris added a commit that referenced this pull request Jun 15, 2026
Add a new 'server-edition' job to unit-tests.yml that builds and tests
the server edition (-tags server) on every push and PR. This catches
build breaks like the one in PR #602 where a duplicate type in a
server-tagged file slipped through because only release.yml (tag-only)
compiled with -tags server.

Related #MCP-1886
Dumbris added a commit that referenced this pull request Jun 15, 2026
… pkg (MCP-2455) (#679)

PR #602 added internal/teams/broker/oauth_connector.go AFTER the Teams->Server
Edition rename (#603) moved internal/teams/ -> internal/serveredition/. The
connector landed in the stale path, in package broker, referencing
CredentialStore/UpstreamCredential as same-package symbols — but those live in
internal/serveredition/broker. Result: 'undefined: CredentialStore' under
-tags server, breaking the Server Edition CI job on main (and therefore on
every open PR after #631 added that job to PR CI).

Fix: git mv the connector + its test into internal/serveredition/broker/ (no
importers of the old path) and delete the now-empty internal/teams/ tree.
Same package, so all refs resolve. No code changes.

Verified: go build -tags server ./... (0), go build ./... (0),
go test -tags server ./internal/serveredition/... (all ok).

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Dumbris added a commit that referenced this pull request Jun 15, 2026
…am (spec 074, MCP-1039) (#688)

* feat(broker): CredentialResolver — per-user-only ordering + policy seam (spec 074, MCP-1039)

Add the per-user credential resolver (T6) that selects which brokered
credential to inject on a proxied request. Strict per-user-only ordering
(FR-013/FR-014), with no shared or static fallback:

  1. valid cached per-user credential (refreshed if near-expiry);
  2. else token-exchange / Entra OBO from the stored IdP subject token;
  3. else, for oauth_connect upstreams the user has not connected, an
     actionable NotConnectedError carrying the connect URL;
  4. else ErrNoCredential.

- Single-flight coalescing per (user, server) so concurrent acquisitions
  do not trigger duplicate upstream token flows (golang.org/x/sync).
- PolicyHook seam (FR-015) evaluated per call before a credential is
  returned; ships with an allow-all default (no policy engine yet).
- Unauthenticated callers and a disabled store are rejected up front.
- Exchanger/Connector/ConnectorProvider interfaces decouple the resolver
  from the concrete TokenExchanger (T4) and OAuthConnector (T5); both
  satisfy the interfaces via compile-time assertions.

TDD: each ordering branch, near-expiry refresh (token-exchange + connect),
unconnected -> connect-URL error, unauthenticated reject, store-disabled,
policy-denied, no-static-fallback, and single-flight under -race.

Related: spec 074 (MCP-1033). Builds on T3 (#601), T4 (#600), T5 (#602), all merged to main.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* fix(broker): address review on CredentialResolver — singleflight ctx, double-exchange, reconnect error

Review (MCP-2490 / Critic) on PR #688:

- must-fix: detach the caller's context inside the single-flight closure with
  context.WithoutCancel. The flight runs the acquisition once for all co-pending
  callers; inheriting the first caller's cancellation let a single client
  disconnect/timeout broadcast ctx.Err() to every waiter for the same
  (user, server). Per-caller cancellation still applies at the policy/return
  layer (caller's original ctx).
- advisory: collapse the per-mode acquire/refresh paths so a near-expiry
  token-exchange miss no longer calls Exchange twice (refresh-then-fallthrough);
  a single Exchange now covers both cache-miss and near-expiry.
- advisory: an already-connected oauth_connect user whose refresh fails now gets
  an actionable reconnect error (NotConnectedError.Reason) instead of a
  misleading "never connected" message; the connect URL is still surfaced.
- advisory: document that the Exchanger (T4) and Connector (T5) persist their
  results themselves, so the resolver never calls store.Put.

Tests: add single-flight caller-cancellation detach, no-double-exchange on
near-expiry failure, and connect-flow refresh-fail -> reconnect. Full broker
suite green under -tags server -race; golangci-lint v2.5.0 clean.

Co-Authored-By: Paperclip <noreply@paperclip.ing>

* docs(auth-broker): document per-user credential resolution ordering (spec 074, MCP-1039)

Add a "Credential resolution" section describing the resolver's strict
per-user-only ordering (cached/refresh -> token-exchange/OBO -> actionable
connect-URL error -> no-credential), the no-shared/static-fallback guarantee,
single-flight coalescing, and the policy-decision seam. Keeps the feature doc
consistent with the CredentialResolver added in this PR (review follow-up).

Co-Authored-By: Paperclip <noreply@paperclip.ing>

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants