Skip to content

fix: allow external token introspection without Portkey API key#1695

Open
bluek1te wants to merge 1 commit into
Portkey-AI:2.0.0from
bluek1te:fix/external-token-introspection
Open

fix: allow external token introspection without Portkey API key#1695
bluek1te wants to merge 1 commit into
Portkey-AI:2.0.0from
bluek1te:fix/external-token-introspection

Conversation

@bluek1te

Copy link
Copy Markdown

Description: (required)

  • When a server is configured with jwt_validation.introspectEndpoint (RFC 7662 external token introspection), tokens issued by an external IdP are rejected
    with 401 because OAuthGateway.introspectToken() only checks the local OAuth store and control plane before returning {active: false} — the configured
    external introspection endpoint is never called
  • Added tryExternalIntrospection() fallback in OAuthGateway.introspectToken() that calls the server's configured introspection endpoint when both the local
    store and control plane have no record of the token
  • Merges external_auth_config credentials (client_id/client_secret) into the introspection request, matching the existing pattern used in mcpJwtMiddleware
  • Caches successfully validated external tokens in the OAuth token cache to avoid repeated introspection calls

Tests Run/Test cases added: (required)

  • Valid external token accepted via introspection endpoint
  • Configured introspection endpoint is actually called
  • Invalid external token rejected
  • Expired external token rejected
  • Server without introspection configured rejects external tokens
  • Validated tokens are cached (no repeat introspection calls)
  • Gateway OAuth registration still works (regression check)
  • List tools after external token authentication
  • Call tools after external token authentication

Type of Change:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant