Skip to content

fix(auth): honour TRUST_PROXY_AUTH for virtual MCP-server HTTP calls (/servers/<id>/mcp) #843

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 7, 2025
Merged

fix(auth): honour TRUST_PROXY_AUTH for virtual MCP-server HTTP calls (/servers/<id>/mcp) #843

merged 2 commits into from
Sep 7, 2025
+57 −1

Conversation

shams858
Copy link
Contributor

Summary

Virtual MCP-server invocations sent to
/servers/<uuid>/mcp returned 401 Unauthorized even when:

  • MCP_CLIENT_AUTH_ENABLED=false
  • TRUST_PROXY_AUTH=true
  • proxy forwarded header (X-Authenticated-User) was present.

This PR restores the behaviour promised by #710 and documented in docs/deployment/proxy-auth.md.

What changed

  1. streamablehttp_transport.py
    • Refactored streamable_http_auth()
      • Accept proxy header when client auth is disabled and proxy trust is enabled.
      • Falls back to JWT validation when client auth is enabled.
    • Removed unconditional 401 when Authorization header missing.

How to test

export MCP_CLIENT_AUTH_ENABLED=false
export TRUST_PROXY_AUTH=true
export PROXY_USER_HEADER=X-Auth-Request-User
uvicorn mcpgateway.main:app --reload  # or make dev

curl -X POST http://localhost:4444/servers/${SERVER_ID}/mcp \
     -H 'Content-Type: application/json' \
     -H 'X-Authenticated-User: alice' \
     -d '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}'
# → 200 OK

Shamsul Arefin added 2 commits September 7, 2025 15:15
@crivetimihai
fix: trust proxy auth for virtual mcp server invocation
10cb0e6 
Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>
@crivetimihai
tests and clean-up
f3989cf 
Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>
@crivetimihai crivetimihai force-pushed the fix-trust-proxy-auth-for-mcp-endpoint branch from 8a6fafa to f3989cf Compare September 7, 2025 14:16
@crivetimihai crivetimihai merged commit 39a8837 into IBM:main Sep 7, 2025
35 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@crivetimihai crivetimihai Awaiting requested review from crivetimihai crivetimihai is a code owner

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@shams858 @crivetimihai