Front-Door Auth #696
Changes from 4 commits
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -7,44 +7,46 @@ | |
| from arcade_mcp_server import Context, MCPApp | ||
| from arcade_mcp_server.auth import Reddit | ||
| from arcade_mcp_server.resource_server import ( | ||
| AccessTokenValidationOptions, | ||
| AuthorizationServerEntry, | ||
| ResourceServer, | ||
| ResourceServerAuth, | ||
| ) | ||
|
|
||
| # Option 1: Single authorization server example | ||
| resource_server = ResourceServer( | ||
| # Option 1: Single authorization server with custom audience | ||
| # Use expected_audiences when your auth server returns a different aud claim | ||
| # (e.g., client_id instead of canonical_url) | ||
| resource_server_auth = ResourceServerAuth( | ||
| canonical_url="http://127.0.0.1:8000/mcp", | ||
| authorization_servers=[ | ||
| AuthorizationServerEntry( # WorkOS Authkit example configuration | ||
| authorization_server_url="https://your-workos.authkit.app", | ||
| issuer="https://your-workos.authkit.app", | ||
| jwks_uri="https://your-workos.authkit.app/oauth2/jwks", | ||
| validation_options=AccessTokenValidationOptions(verify_aud=False), | ||
| expected_audiences=["your-authkit-client-id"], # Override expected aud claim | ||
|
Collaborator
nit: from what we were discussing yesterday it seems like in the WorkOS case it's an app or workspace ID, not a client ID, right?
Member
Author
So their naming of things is very bad, but it is the AuthKit's Client ID (which is closer to a workspace ID), not the registered client's ID. Both IDs are unfortunately prefixed with |
||
| ), | ||
| ], | ||
| ) | ||
|
|
||
| # Option 2: Multiple authorization servers with different keys (e.g., multi-IdP) | ||
| # resource_server = ResourceServer( | ||
| # resource_server_auth = ResourceServerAuth( | ||
| # canonical_url="http://127.0.0.1:8000/mcp", | ||
| # authorization_servers=[ | ||
| # AuthorizationServerEntry( # WorkOS Authkit example configuration | ||
| # AuthorizationServerEntry( # WorkOS Authkit example configuration | ||
| # authorization_server_url="https://your-workos.authkit.app", | ||
| # issuer="https://your-workos.authkit.app", | ||
| # jwks_uri="https://your-workos.authkit.app/oauth2/jwks", | ||
| # expected_audiences=["your-authkit-client-id"], | ||
| # ), | ||
| # AuthorizationServerEntry( # Keycloak example configuration | ||
| # AuthorizationServerEntry( # Keycloak example configuration | ||
| # authorization_server_url="http://localhost:8080/realms/mcp-test", | ||
| # issuer="http://localhost:8080/realms/mcp-test", | ||
| # jwks_uri="http://localhost:8080/realms/mcp-test/protocol/openid-connect/certs", | ||
| # algorithm="RS256", | ||
| # validation_options=AccessTokenValidationOptions(verify_aud=False), | ||
| # expected_audiences=["your-keycloak-client-id"], | ||
| # ) | ||
| # ], | ||
| # ) | ||
|
|
||
| # Option 3: Authoriation via env vars (place in your .env file) | ||
| # Option 3: Authorization via env vars (place in your .env file) | ||
| # ```bash | ||
| # MCP_RESOURCE_SERVER_CANONICAL_URL=http://127.0.0.1:8000/mcp | ||
| # MCP_RESOURCE_SERVER_AUTHORIZATION_SERVERS='[ | ||
|
|
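Review bot: The Option 1 comment "(e.g., client_id instead of canonical_url)" and the placeholder `your-authkit-client-id` do not say which identifier belongs in `expected_audiences`, and the thread on that line shows the ambiguity is real. Suggest the comment state that this is the AuthKit instance's Client ID and not the registered OAuth client's ID, and that the list replaces `canonical_url` as the accepted `aud` value, as "# Override expected aud claim" implies. Since that ID is described in the thread as closer to a workspace ID, it would also help to note that the audience check then accepts any token carrying that workspace-level `aud`, which is broader than a resource-specific audience. Minor: in Option 2 the Keycloak entry sets `algorithm="RS256"` while the WorkOS entry sets none; either set it in both or mention the default.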
@@ -53,15 +55,13 @@ | |
| # "issuer": "https://your-workos.authkit.app", | ||
| # "jwks_uri": "https://your-workos.authkit.app/oauth2/jwks", | ||
| # "algorithm": "RS256", | ||
| # "validation_options": { | ||
| # "verify_aud": false | ||
| # } | ||
| # "expected_audiences": ["your-authkit-client-id"] | ||
| # } | ||
| # ]' | ||
| # ``` | ||
| # resource_server = ResourceServer() | ||
| # resource_server_auth = ResourceServerAuth() | ||
|
|
||
| app = MCPApp(name="authorization", version="1.0.0", log_level="DEBUG", auth=resource_server) | ||
| app = MCPApp(name="authorization", version="1.0.0", log_level="DEBUG", auth=resource_server_auth) | ||
|
|
||
|
|
||
| @app.tool | ||
|
|
||
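Review bot: The `MCPApp(...)` line keeps `log_level="DEBUG"` in an example whose whole purpose is bearer-token validation. Please confirm that the auth path does not write tokens or decoded claims at debug level, or lower the example to `INFO` so copied configurations do not inherit it. On the env-var block, a one-line comment that `ResourceServerAuth()` with no arguments reads `MCP_RESOURCE_SERVER_CANONICAL_URL` and `MCP_RESOURCE_SERVER_AUTHORIZATION_SERVERS` would make Option 3 self-explanatory, along with what audience is expected when `"expected_audiences"` is omitted from the JSON.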