Skip to content

feat: add HTTP transport with OAuth flow including token exchange#21

Draft
tomassurin wants to merge 29 commits intomainfrom
tomas/mcp-server-auth
Draft

feat: add HTTP transport with OAuth flow including token exchange#21
tomassurin wants to merge 29 commits intomainfrom
tomas/mcp-server-auth

Conversation

@tomassurin
Copy link

@tomassurin tomassurin commented Mar 11, 2026
edited
Loading

Resolves https://nutrient.atlassian.net/browse/SERVER-2408

Summary

Upgrades the MCP server from stdio-only with static API key auth to also support HTTP transport with production-grade authentication:

  • Streamable HTTP transport at /mcp with session binding, alongside the existing stdio mode
  • JWT authentication via JWKS (AUTH_MODE=jwt) with validation of aud, scope, exp, iss claims, plus static bearer token mode (AUTH_MODE=static) for local dev
  • RFC 8693 token exchange — exchanges MCP access tokens for short-lived DWS API credentials with per-principal caching
    • Built it when I still considered having this MCP hosted. Since we go with local MCP only now, it's not practical (MCP needs to be confidential client but we will be publishing it so can't really do secrets).
  • Protected Resource Metadata endpoint (/.well-known/oauth-protected-resource) per RFC 9728
  • Session-scoped DwsApiClient replacing the module-level API function, enabling per-user token resolution
  • Request logging middleware with structured logger
  • CI setup Github action to run tests and lint

Stdio mode is fully preserved — all new behavior is opt-in via environment variables (MCP_TRANSPORT=http).

tomassurin and others added 8 commits March 11, 2026 13:54
@tomassurin @claude
docs: add DWS MCP Server OAuth design plan
26c2c15 
Design for Track B of Co-work DWS Connector — upgrading the MCP server
from stdio-only/static-API-key to HTTP transport with JWT auth via JWKS,
RFC 8693 token exchange, and RFC 9728 Protected Resource Metadata.
Six implementation phases covering transport, auth, token exchange,
and environment configuration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin
feat(dws): introduce session-scoped DWS API client
d5fa9cb
@tomassurin
feat(auth): add static/jwt auth middleware and token exchange
bfd93c9
@tomassurin
feat(server): add streamable HTTP transport with session binding
ce91abd
@tomassurin
chore(runtime): document and configure HTTP/OAuth deployment
e9f47a4
@tomassurin
Add debug logging
2c55d24
@tomassurin
Add proper logger
5131359
@tomassurin
Revert "docs: add DWS MCP Server OAuth design plan"
a6d6030 
This reverts commit 26c2c15.
@tomassurin tomassurin changed the title feat: add HTTP transport with JWT auth and token exchange feat: add HTTP transport with OAuth flow including token exchange Mar 11, 2026
@tomassurin tomassurin mentioned this pull request Mar 11, 2026
Closed
@tomassurin tomassurin self-assigned this Mar 11, 2026
tomassurin and others added 15 commits March 12, 2026 18:47
@tomassurin
Add private_key_jwt auth method
6f519cd
@tomassurin
CORS handling
e3820ac
@tomassurin
Mention mcp inspector
cabbab1
@tomassurin @claude
Require DwsApiClient via dependency injection, remove hidden fallbacks
8bda5a2 
Remove callNutrientApi legacy helper and inline axios fallbacks. All
perform* functions now require an explicit DwsApiClient parameter,
eliminating hidden coupling to environment variables and global state.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin @claude
Add JSDoc to DwsApiClient, factory functions, and auth context types
4fe10a1 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin
Log session miss
83fb3e4
@tomassurin
Simplify JWT auth by forwarding OAuth access tokens directly
253adc9 
- Remove TokenExchangeClient and token exchange mechanism
- DWS API now accepts OAuth access tokens directly
- Simplify JWT mode environment validation to only require JWKS_URL
- Remove CLIENT_ID, CLIENT_SECRET, CLIENT_ASSERTION_* requirements for JWT mode
- Delete unused src/http/tokenExchange.ts
- Update tokenExchange.test.ts to skip (no longer applicable)
- Update environment.ts to remove token exchange validation
- Update documentation (README.md, docs/testing.md, .env.example)
- Update environment tests to reflect new behavior
@tomassurin @claude
Default JWT auth config to api.nutrient.io, drop token exchange tests
211fb31 
JWKS_URL now defaults to https://api.nutrient.io/.well-known/jwks.json
so JWT mode only requires AUTH_MODE=jwt. Remove redundant environment
tests and the empty tokenExchange test file. Update testing.md with
minimal JWT config, localhost DWS debug build section, and current
common failures.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin @claude
Extract shared hashPrincipal and parseBearerToken into authUtils
c6b1d87 
Removes duplicate implementations from bearerAuth.ts and jwtAuth.ts
into a single src/http/authUtils.ts module to avoid drift.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin @claude
Handle batch JSON-RPC initialize requests, clarify CORS policy
c8c41b2 
- isInitializeRequest now checks array bodies for batch JSON-RPC
- Add comment noting CORS wildcard is intentional for local use

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin @claude
Add test for JWT unknown-client fallback when sub/azp are missing
eb53f07 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin @claude
Add test for session cleanup via DELETE /mcp
df8de01 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@tomassurin
OAuth in stdio mode
7e2a632
@tomassurin
Add logging in stdio mode and fix the oauth flow in stdio mode
c8f1843
@tomassurin
Defaults
5288407
@tomassurin tomassurin marked this pull request as draft March 16, 2026 18:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@tomassurin tomassurin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@tomassurin