feat(mcp): add OAuth 2.1 auth flow with Guard and Auth JWT validation by hamir-suspect · Pull Request #869 · semaphoreio/semaphore

hamir-suspect · 2026-02-18T23:26:26Z

📝 Description

Adds MCP OAuth 2.1 support on mcp., with Guard acting as the authorization server for /mcp/oauth/*.
Routes OAuth discovery, registration, authorization, consent, and token exchange through Emissary to Guard; routes protected /mcp/* traffic to mcp-server via Auth ext_authz.
Updates Auth to validate Guard-issued MCP JWT access tokens and set x-semaphore-user-id for downstream MCP requests.
Preserves backward compatibility by falling back to legacy API token auth when JWT validation fails.
Returns MCP/OAuth-compliant 401 responses (including WWW-Authenticate with resource metadata) when credentials are missing or invalid.
Adds Guard persistence for OAuth clients and auth codes, plus periodic cleanup of expired auth codes.

✅ Checklist

I have tested this change
This change requires documentation update

The previous fix skipped JSON parsing by adding "application/json" to the pass list, which told Plug.Parsers to NOT parse JSON content. This left body_params empty for DCR registration requests. Now we explicitly add :json to the parsers list and remove the skip, ensuring JSON requests are properly parsed before reaching the handlers.

…no-kc # Conflicts: # bootstrapper/Dockerfile

hamir-suspect requested review from DamjanBecirovic, dexyk, loadez, radwo and skipi as code owners February 18, 2026 23:26

github-project-automation Bot added this to Roadmap Feb 18, 2026

github-project-automation Bot moved this to Backlog in Roadmap Feb 18, 2026

hamir-suspect force-pushed the has/mcp/oauth-rebase-no-kc branch 3 times, most recently from 155e0ba to fd7ebb5 Compare February 19, 2026 09:28

hamir-suspect added 20 commits February 26, 2026 11:02

chore(auth): cherry pick changes

3e4d768

feat(guard): oauth server

b214cb8

mappings for guard oauth for mcp

66aa770

enable mcp server in helm chart

ef9dc85

add mcp helm chart

94e811f

fix(guard): formatting

acb09a4

remove leftover grant code

20abc3e

chore(auth): refresh protos

3c1d7a5

generate MCP_OAUTH_JWT_KEYS during bootstrap

4199729

fix(auth): leftover deps from cherry-pick

2433262

fix: csrf protection blocking DCR

e55a171

add route to csrf protection exclusion

9b8d993

add grant-selection to normal authorization path

38e2949

add logging for auth code

6b42bac

add logging for auth code

fb74ddb

truncate milisecond precision

16b4fbd

add mcp server to helm chart

fe92ab6

add mcp to helm chart and hack the image name

8d6d2ca

give a json error when unauthorized

b9663c4

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

b13ccc7

hamir-suspect dismissed DamjanBecirovic’s stale review via b13ccc7 March 12, 2026 11:50

hamir-suspect force-pushed the has/mcp/oauth-rebase-no-kc branch from 4a1606b to b13ccc7 Compare March 12, 2026 11:50

hamir-suspect added 2 commits March 12, 2026 17:19

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

34a749d

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

c854e67

DamjanBecirovic approved these changes Mar 15, 2026

View reviewed changes

hamir-suspect requested a review from DamjanBecirovic March 16, 2026 09:51

DamjanBecirovic previously approved these changes Mar 16, 2026

View reviewed changes

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

3f7e52f

dexyk requested changes Mar 17, 2026

View reviewed changes

Comment thread guard/lib/guard/mcp_oauth/server.ex Outdated

fix(guard): do not redirect when redirect url does not match

62271c8

hamir-suspect dismissed DamjanBecirovic’s stale review via 62271c8 March 17, 2026 13:28

dexyk self-requested a review March 17, 2026 14:28

dexyk previously approved these changes Mar 18, 2026

View reviewed changes

hamir-suspect enabled auto-merge (squash) March 18, 2026 10:16

hamir-suspect disabled auto-merge March 18, 2026 10:18

fix(mcp_oauth): ensure protected resource metadata matches

48c7b01

hamir-suspect dismissed dexyk’s stale review via 48c7b01 March 18, 2026 13:06

hamir-suspect force-pushed the has/mcp/oauth-rebase-no-kc branch from 5e96ebf to 48c7b01 Compare March 18, 2026 13:06

dexyk previously approved these changes Mar 19, 2026

View reviewed changes

Merge remote-tracking branch 'origin/main' into has/mcp/oauth-rebase-…

a03980d

…no-kc # Conflicts: # bootstrapper/Dockerfile

hamir-suspect dismissed dexyk’s stale review via a03980d April 9, 2026 09:44

hamir-suspect enabled auto-merge (squash) April 9, 2026 09:44

DamjanBecirovic approved these changes Apr 9, 2026

View reviewed changes

dexyk approved these changes Apr 14, 2026

View reviewed changes

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

78a2ba1

skipi approved these changes Apr 16, 2026

View reviewed changes

Merge branch 'main' into has/mcp/oauth-rebase-no-kc

b1505ae

hamir-suspect merged commit 5d4a753 into main Apr 16, 2026
1 of 2 checks passed

hamir-suspect deleted the has/mcp/oauth-rebase-no-kc branch April 16, 2026 09:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(mcp): add OAuth 2.1 auth flow with Guard and Auth JWT validation#869

feat(mcp): add OAuth 2.1 auth flow with Guard and Auth JWT validation#869
hamir-suspect merged 48 commits intomainfrom
has/mcp/oauth-rebase-no-kc

hamir-suspect commented Feb 18, 2026

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

hamir-suspect commented Feb 18, 2026

📝 Description

✅ Checklist

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants