Skip to content

Enforce MCP spec OAuth 2.1 authorization requirements #132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Copilot wants to merge 5 commits into from
Closed

Enforce MCP spec OAuth 2.1 authorization requirements #132

Copilot wants to merge 5 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Jan 10, 2026
edited
Loading

The gateway's authorization implementation deviated from the MCP specification (2025-03-26) in several ways: accepting plain API keys without Bearer prefix, allowing tokens in query strings, and lacking validation for malformed authorization headers.

Changes

Authorization Middleware (internal/server/auth.go)

  • Enforce strict Authorization: Bearer <token> format per OAuth 2.1
  • Reject tokens in query parameters (?token=, ?access_token=, ?apiKey=)
  • Return HTTP 400 for malformed headers (missing Bearer prefix, empty tokens)
  • Return HTTP 401 for invalid/missing tokens
  • Document HTTP 403 reserved for future scope-based permissions

Architecture Documentation (docs/AUTHORIZATION.md)

  • Two-layer architecture: auth middleware validates token, transport layer extracts session ID
  • HTTP status code semantics per MCP spec
  • Configuration patterns for dev vs production
  • Security considerations and future OAuth scope support

Tests (internal/server/auth_test.go)

11 test cases covering:

  • Bearer format validation
  • Query string rejection
  • Empty/whitespace token handling
  • Case sensitivity
  • Multiple authorization headers

Updated Existing Tests

Modified integration_test.go and routed_test.go to use Bearer format:

// Before
req.Header.Set("Authorization", apiKey)

// After
req.Header.Set("Authorization", "Bearer "+apiKey)

Transport Layer Comments

Added clarifying comments in transport.go and routed.go explaining that these layers extract Bearer tokens for session identification only—token validation happens in auth middleware when API key is configured.

Compliance

MCP Spec Requirement Status
Bearer token format ✅ Enforced
No tokens in query strings ✅ Validated
HTTP 400 for malformed auth ✅ Implemented
HTTP 401 for invalid tokens ✅ Implemented
HTTP 403 for insufficient permissions ✅ Documented (future OAuth scopes)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • modelcontextprotocol.io
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Review compliance of the authorization of requests with respect to the latest MCP gateway specification. Add tests.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 4 commits January 10, 2026 17:59
@pelikhan
Fix authorization to comply with MCP spec: Bearer token only, query s…
fc661b0 
…tring validation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Document HTTP 403 usage per MCP spec and update auth comments
595e1be 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Add comprehensive authorization documentation and inline comments
1fc520a 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Format code with gofmt
fce27b7 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Review authorization compliance with MCP gateway specification Enforce MCP spec OAuth 2.1 authorization requirements Jan 10, 2026
Copilot AI requested a review from pelikhan January 10, 2026 18:08
@pelikhan pelikhan closed this Jan 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan