Skip to content

[Server] Oauth2 based on middleware#221

Open
sveneld wants to merge 4 commits intomodelcontextprotocol:mainfrom
sveneld:oauth_middleware
Open

[Server] Oauth2 based on middleware#221
sveneld wants to merge 4 commits intomodelcontextprotocol:mainfrom
sveneld:oauth_middleware

Conversation

@sveneld
Copy link

@sveneld sveneld commented Jan 12, 2026

Motivation and Context

Implementation of OAuth based on middlewares from #218

How Has This Been Tested?

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@sveneld sveneld mentioned this pull request Jan 12, 2026
Open
9 tasks
@chr-hertel
Copy link
Member

chr-hertel commented Jan 18, 2026

Thanks @sveneld - it will take some time for me to give some proper feedback here, just to let you know - needs quite some focus & attention - still really appreciated!

@chr-hertel chr-hertel changed the title Oauth2 based on middleware [Server] Oauth2 based on middleware Jan 23, 2026
@chr-hertel chr-hertel added Server Issues & PRs related to the Server component auth Issues and PRs related to Authentication / OAuth labels Jan 23, 2026
chr-hertel
chr-hertel requested changes Jan 26, 2026
View reviewed changes
Copy link
Member

@chr-hertel chr-hertel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi again @sveneld! This is great already - went to a first round of very detailed review directly. Thanks again for working on this! 🙏

Didn't manage to go through all, but dropping the first round of comments.

examples/server/oauth-keycloak/README.md

5. **Use with MCP Inspector:**

The MCP Inspector doesn't support OAuth out of the box, but you can test using curl or build a custom client.
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a bit unexpected to me since I saw this in inspector:
image

examples/server/oauth-keycloak/README.md
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works right away 💪 👍

examples/server/oauth-keycloak/server.php Outdated
Comment on lines 26 to 37
// Configuration from environment
// External URL is what clients use and what appears in tokens
$keycloakExternalUrl = getenv('KEYCLOAK_EXTERNAL_URL') ?: 'http://localhost:8180';
// Internal URL is how this server reaches Keycloak (Docker network)
$keycloakInternalUrl = getenv('KEYCLOAK_INTERNAL_URL') ?: 'http://keycloak:8080';
$keycloakRealm = getenv('KEYCLOAK_REALM') ?: 'mcp';
$mcpAudience = getenv('MCP_AUDIENCE') ?: 'mcp-server';

// Issuer is what appears in the token (external URL)
$issuer = rtrim($keycloakExternalUrl, '/').'/realms/'.$keycloakRealm;
// JWKS URI uses internal URL to reach Keycloak within Docker network
$jwksUri = rtrim($keycloakInternalUrl, '/').'/realms/'.$keycloakRealm.'/protocol/openid-connect/certs';
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's fair to hard-code the values here instead of using getenv

examples/server/oauth-keycloak/server.php Outdated
Comment on lines 39 to 46
// Create logger
$logger = new class extends AbstractLogger {
public function log($level, \Stringable|string $message, array $context = []): void
{
$logMessage = sprintf("[%s] %s\n", strtoupper($level), $message);
error_log($logMessage);
}
};
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we use the logger() provided by the examples/bootstrap.php file? would be more consistent with other examples or is there a particular reason not to?

examples/server/oauth-keycloak/server.php Outdated
$server = Server::builder()
->setServerInfo('OAuth Keycloak Example', '1.0.0')
->setLogger($logger)
->setSession(new FileSessionStore('/tmp/mcp-sessions'))
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be more consistent with other examples:

Suggested change
->setSession(new FileSessionStore('/tmp/mcp-sessions'))
->setSession(new FileSessionStore(__DIR__.'/sessions'))

src/Server/Transport/Middleware/JwtTokenValidator.php Outdated
$response = $this->httpClient->sendRequest($request);

if ($response->getStatusCode() >= 400) {
throw new \RuntimeException(sprintf(
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please use package specific exceptions: Mcp\Exception\RuntimeException

Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

below as well, please

src/Server/Transport/Middleware/JwtTokenValidator.php Outdated

$response = $this->httpClient->sendRequest($request);

if ($response->getStatusCode() >= 400) {
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i wonder if this would be:

Suggested change
if ($response->getStatusCode() >= 400) {
if (200 !== $response->getStatusCode()) {

our expectations here are quite clear, right?

src/Server/Transport/Middleware/JwtTokenValidator.php Outdated
$tokenIssuer = $claims['iss'];
$expectedIssuers = \is_array($this->issuer) ? $this->issuer : [$this->issuer];

return \in_array($tokenIssuer, $expectedIssuers, true);
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$tokenIssuer can be inlined:

Suggested change
return \in_array($tokenIssuer, $expectedIssuers, true);
return \in_array($claims['iss'], $expectedIssuers, true);

src/Server/Transport/Middleware/JwtTokenValidator.php
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would be great to have tests for this class

src/Server/Transport/Middleware/AuthorizationResult.php Outdated
*
* @author Volodymyr Panivko <sveneld300@gmail.com>
*/
class AuthorizationResult
Copy link
Member

@chr-hertel chr-hertel Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
class AuthorizationResult
final class AuthorizationResult

@sveneld
Copy link
Author

sveneld commented Jan 28, 2026

@chr-hertel I updated pull request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chr-hertel chr-hertel chr-hertel requested changes

@Nyholm Nyholm Awaiting requested review from Nyholm Nyholm is a code owner

@CodeWithKyrian CodeWithKyrian Awaiting requested review from CodeWithKyrian CodeWithKyrian is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth Server Issues & PRs related to the Server component

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sveneld @chr-hertel