
RFC: Multi-upstream authorization for MCPServer/MCPRemoteProxy #61

Closed
jhrozek wants to merge 1 commit into main from multi-upstream-authorization


Conversation

jhrozek (Contributor) commented Mar 27, 2026

Summary

  • Enable MCPServer and MCPRemoteProxy to use two upstream providers: one for identity/authorization (whose JWT claims merge into the Cedar evaluation context) and one for backend token injection
  • Add a role field (identity | backend) to UpstreamProviderConfig
  • Implement upstreamclaims middleware with a protected-allowlist merge strategy (12 claims protected)
  • Lift the MultiUpstreamNotSupported controller guards

Key Design Decisions

  • Protected-allowlist strategy: 12 infrastructure claims (iss, aud, exp, iat, nbf, jti, tsid, client_id, sub, name, email, acr, amr) are preserved from the TH JWT; all other upstream claims merge naturally
  • sub is a critical security control: The TH JWT sub is an internal UUID from ResolveUser(), not the raw upstream subject. Overwriting would change the Cedar principal entity ID
  • ParseUnverified for upstream tokens within the server trust boundary; opaque tokens silently skip enrichment
  • Cedar policies reference upstream claims naturally as claim_groups, claim_roles, etc.

Dependencies

  • RFC-0052: Multi-upstream IDP support (provides identity.UpstreamTokens)
  • RFC-0054: vMCP upstream inject strategy (provides role: backend token injection)

Test plan

  • Verify Cedar policies reference claim_groups from identity upstream
  • Verify all 12 protected claims remain from the TH JWT
  • Verify backend token injection works independently
  • Verify single-upstream backward compatibility
  • Verify opaque identity token causes graceful degradation

🤖 Generated with Claude Code

Adds upstream claims enrichment middleware that reads the identity
provider's JWT access token and merges non-protected claims into
the Identity used by Cedar authorization.
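The merge strategy described in the summary above, as an added example that is not the PR's own middleware or any project code: a protected-allowlist merge in Go with the 12 claims from the RFC kept from the TH JWT, unverified parsing of the upstream token, graceful degradation on an opaque token, and the `claim_<name>` mapping the RFC says Cedar policies use. The function names (`EnrichClaims`, `CedarContext`, `parseUnverified`, `buildUnsignedJWT`, `SampleEnrichment`), the sample claim values and the fabricated upstream token are all constructed for this illustration and are not taken from the project.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the loose claim set that ends up in the Cedar evaluation context.
type Claims map[string]any

// protectedClaims is the 12-claim allowlist from the RFC summary. These keys
// are always kept from the TH JWT and never overwritten by upstream data.
var protectedClaims = map[string]struct{}{
	"iss": {}, "aud": {}, "exp": {}, "iat": {}, "nbf": {}, "jti": {},
	"tsid": {}, "client_id": {}, "sub": {}, "name": {}, "email": {},
	"acr": {}, "amr": {},
}

// errOpaqueToken marks an upstream token that is not a compact JWS (for
// example an opaque reference token); callers then skip enrichment.
var errOpaqueToken = errors.New("upstream token is not a JWT")

// parseUnverified decodes a compact JWS payload without checking the
// signature. Acceptable only inside the server trust boundary: the token was
// fetched by the proxy itself from the upstream IdP, not supplied by a client.
func parseUnverified(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errOpaqueToken
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errOpaqueToken
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, errOpaqueToken
	}
	return c, nil
}

// EnrichClaims (hypothetical name) merges non-protected upstream claims into a
// copy of the TH claims. Protected claims, notably sub (the Cedar principal
// entity ID), are never replaced. An opaque or malformed upstream token
// degrades gracefully: the TH claims come back unchanged.
func EnrichClaims(th Claims, upstreamToken string) Claims {
	merged := make(Claims, len(th))
	for k, v := range th {
		merged[k] = v
	}
	up, err := parseUnverified(upstreamToken)
	if err != nil {
		return merged
	}
	for k, v := range up {
		if _, isProtected := protectedClaims[k]; isProtected {
			continue
		}
		merged[k] = v
	}
	return merged
}

// CedarContext (hypothetical name) exposes every merged claim under the
// claim_<name> key that the RFC says Cedar policies reference.
func CedarContext(c Claims) map[string]any {
	ctx := make(map[string]any, len(c))
	for k, v := range c {
		ctx["claim_"+k] = v
	}
	return ctx
}

// buildUnsignedJWT fabricates a JWT-shaped string with a dummy signature; it
// exists only to construct a sample upstream token for this example.
func buildUnsignedJWT(payload map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(payload)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(body) + ".sig"
}

// SampleEnrichment runs the merge on a constructed TH claim set and a
// constructed upstream token whose sub and email conflict with the TH values.
func SampleEnrichment() Claims {
	th := Claims{
		"iss":   "https://th.example/auth",
		"sub":   "8f1b3c0e-2d4a-4b7c-9e11-0a1b2c3d4e5f", // internal UUID, not the raw upstream subject
		"email": "alice@th.example",
		"tsid":  "session-1",
	}
	upstream := buildUnsignedJWT(map[string]any{
		"iss":    "https://idp.example",
		"sub":    "upstream-user-42", // must not replace the TH sub
		"email":  "alice@idp.example",
		"groups": []string{"admins", "developers"},
		"roles":  []string{"mcp:write"},
	})
	return EnrichClaims(th, upstream)
}

func main() {
	fmt.Println("merged:", CedarContext(SampleEnrichment()))
	fmt.Println("opaque token unchanged:", EnrichClaims(Claims{"sub": "x"}, "opaque-ref-token"))
}
```

Running it shows `claim_groups` and `claim_roles` arriving from the upstream token while `claim_sub`, `claim_email` and `claim_iss` stay at the TH values, and a non-JWT upstream token leaving the TH claims untouched, which is the backward-compatible path a single-upstream deployment keeps taking.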
jhrozek (Contributor, Author) commented Mar 27, 2026

duplicate of #4408

@jhrozek jhrozek closed this Mar 27, 2026