Adding authorization at http layer on streamable_http via httpx auth parameter#715
Closed
didier-durand wants to merge 1 commit intomodelcontextprotocol:mainfrom
Closed
Adding authorization at http layer on streamable_http via httpx auth parameter#715didier-durand wants to merge 1 commit intomodelcontextprotocol:mainfrom
didier-durand wants to merge 1 commit intomodelcontextprotocol:mainfrom
Conversation
Author
|
I'll check the various issues raised above and come back with a new PR. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…param
We add the use of param auth= to httpx_streamable.py in order to allow access to remote MCP server from local MCP clients when tcp/http level signature is in place.
Motivation and Context
We work on use cases where MCP servers are hosted on cloud while MCP clients can be anywhere
In some environments like AWS, many applications are protected at http layer (API Gateway, Load Balancers, etc.) and require their request to be authenticated via tcp various headers.
In our case we use the tcp signatures supported by httpx_auth (see https://pypi.org/project/httpx-auth/) which works for multiple forms of authentication (incl Oauth2, AWS). See repo doc for all possible signature mechanisms.
How Has This Been Tested?
We have run tests in AWS cloud environments with security gateways imposing signature at TCP level.
Without the TCP signature, the requests to TCP server fail with http code 403. With the signature provided by httpx_auth, they go through the authentication gate.
Breaking Changes
We took precautions in our code to avoid breaking changes:
Types of changes
Checklist
Additional context
We did not add tests here for such signatures as the validation of the signature can only happen when access to a live authorization gateway is in place (signature is time-dependent, account-dependent and validation algorithm of AWS is unknown)