
feat(mcp): add OAuth 2.1 auth flow with Guard and Auth JWT validation #869

Merged
hamir-suspect merged 48 commits into main from has/mcp/oauth-rebase-no-kc
Apr 16, 2026


@hamir-suspect
Contributor

📝 Description

  • Adds MCP OAuth 2.1 support on mcp., with Guard acting as the authorization server for /mcp/oauth/*.
  • Routes OAuth discovery, registration, authorization, consent, and token exchange through Emissary to Guard; routes protected /mcp/* traffic to mcp-server via Auth ext_authz.
  • Updates Auth to validate Guard-issued MCP JWT access tokens and set x-semaphore-user-id for downstream MCP requests.
  • Preserves backward compatibility by falling back to legacy API token auth when JWT validation fails.
  • Returns MCP/OAuth-compliant 401 responses (including WWW-Authenticate with resource metadata) when credentials are missing or invalid.
  • Adds Guard persistence for OAuth clients and auth codes, plus periodic cleanup of expired auth codes.

✅ Checklist

  • I have tested this change
  • This change requires documentation update
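
The decision order the description lists (Guard-issued JWT first, legacy API token as fallback, otherwise a 401 whose `WWW-Authenticate` carries resource metadata) can be sketched as follows. This is an added Python example, not code from this PR or from the Auth service; the HS256 key, the `example.test` URLs, the sample token store and the `make_jwt` helper are all constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Every value here is constructed for the sketch; none comes from the PR.
SECRET = b"demo-signing-key"  # assumption: HS256 (the PR names no algorithm)
RESOURCE = "https://mcp.example.test/mcp"
METADATA_URL = "https://mcp.example.test/.well-known/oauth-protected-resource"
LEGACY_TOKENS = {"legacy-api-token-1": "user-legacy"}  # stand-in token store

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_jwt(claims, key=SECRET):
    """Mint a sample token (hypothetical helper, used only to build inputs)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def validate_jwt(token, now=None):
    """Return the subject of a valid MCP access token, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        want = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        if claims.get("aud") != RESOURCE:  # token minted for another resource
            return None
        if claims["exp"] <= (now or time.time()):
            return None
        return claims.get("sub")
    except (ValueError, AttributeError, TypeError, KeyError):
        return None

def authorize(headers, now=None):
    """ext_authz-style decision: (status, headers to set on the response/upstream)."""
    scheme, _, cred = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and cred:
        # JWT first; a failed JWT check falls through to the legacy lookup only.
        user = validate_jwt(cred, now) or LEGACY_TOKENS.get(cred)
        if user:
            return 200, {"x-semaphore-user-id": user}
    # Missing or invalid credentials: point the client at the resource metadata.
    return 401, {"www-authenticate": f'Bearer resource_metadata="{METADATA_URL}"'}
```

In this sketch the identity header is derived only from the validated credential, so a client-supplied `x-semaphore-user-id` has no effect on the outcome.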

@github-project-automation github-project-automation Bot moved this to Backlog in Roadmap Feb 18, 2026
@hamir-suspect hamir-suspect force-pushed the has/mcp/oauth-rebase-no-kc branch 3 times, most recently from 155e0ba to fd7ebb5 February 19, 2026 09:28
Comment thread guard/lib/guard/mcp_oauth/server.ex Outdated
dexyk previously approved these changes Mar 18, 2026
@hamir-suspect hamir-suspect enabled auto-merge (squash) March 18, 2026 10:16
@hamir-suspect hamir-suspect disabled auto-merge March 18, 2026 10:18
dexyk previously approved these changes Mar 19, 2026
…no-kc

# Conflicts:
#	bootstrapper/Dockerfile
@hamir-suspect hamir-suspect merged commit 5d4a753 into main Apr 16, 2026
1 of 2 checks passed
@hamir-suspect hamir-suspect deleted the has/mcp/oauth-rebase-no-kc branch April 16, 2026 09:19