Support separate auth tokens for Onboarding API and MCPs #142
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
…MCPs (#156) Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This comment was marked as outdated.
This comment was marked as outdated.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull Request Overview
This PR enables separate authentication tokens and flows for the Onboarding API and MCPs by introducing distinct client IDs, session keys, and context providers for each.
- Front-end: Replaced the single
useAuthcontext withuseAuthOnboardingand addeduseAuthMcpfor MCP-specific auth, updated routing and session handling. - Back-end: Split auth routes into
/auth/onboarding/*and/auth/mcp/*, replaced the old secure-session plugin with an encrypted-session implementation, and extended environment validation. - Infrastructure: Introduced
AuthCallbackHandlerto centralize redirect handling, updated the HTTP proxy to select tokens based on request headers, and extended.env.templatewithOIDC_CLIENT_ID_MCPandSESSION_SECRET.
Reviewed Changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/spaces/onboarding/auth/AuthContextOnboarding.tsx | Renamed onboarding auth context, updated endpoints and redirects. |
| src/spaces/mcp/auth/AuthContextMcp.tsx | Added MCP-specific auth context and hooks. |
| src/common/auth/AuthCallbackHandler.tsx | New component to handle post-login redirects for both flows. |
| src/lib/shared/McpContext.tsx | Wrapped control-plane view in MCP auth to gate downstream login. |
| src/lib/api/fetch.ts | Changed unauthorized redirect to the onboarding login route. |
| server/routes/auth-onboarding.js | Updated onboarding login, callback, me, and logout endpoints. |
| server/routes/auth-mcp.js | Introduced MCP login, callback, and me endpoints (no logout). |
| server/encrypted-session.js | Replaced secure-session with per-user encrypted session plugin. |
| server/config/env.js | Added OIDC_CLIENT_ID_MCP and SESSION_SECRET to env schema. |
Comments suppressed due to low confidence (5)
server/plugins/http-proxy.js:89
- Combining two tokens into a comma-separated string for the Authorization header is likely invalid; instead select or merge tokens according to the proxy target and format the header as
Bearer <token>.
const accessToken = useCrate ? req.encryptedSession.get("onboarding_accessToken") : `${req.encryptedSession.get("onboarding_accessToken")},${req.encryptedSession.get("mcp_accessToken")}`;
src/lib/api/fetch.ts:52
- The redirect to the onboarding login endpoint no longer includes the original
redirectToor return URL; consider appending?redirectTo=with the current location hash or pathname to preserve post-login navigation.
window.location.replace('/api/auth/onboarding/login');
server/routes/auth-onboarding.js:63
- The onboarding logout endpoint is registered at
/auth/logout, which conflicts with the shared path and may collide with MCP routes; consider namespacing it under/auth/onboarding/logoutfor symmetry and clarity.
fastify.post("/auth/logout", async (req, reply) => {
server/routes/auth-mcp.js:1
- There is no
/auth/mcp/logoutendpoint to allow MCP users to clear their session; adding a corresponding logout route would improve consistency between flows.
import fp from "fastify-plugin";
server/plugins/http-proxy.js:87
- The proxy rewrite logic trusts the
x-use-crateheader and directly reads session tokens; ensure thatx-use-cratecannot be spoofed by clients and consider checking an internal flag or context instead of a client-controlled header.
rewriteRequestHeaders: (req, headers) => {
enrico-kaack-comp
previously approved these changes
Jun 27, 2025
ValentinGerlach
previously approved these changes
Jul 2, 2025
Comment on lines
+25
to
+26
| COOKIE_SECRET: { type: 'string' }, | ||
| SESSION_SECRET: { type: 'string' }, |
There was a problem hiding this comment.
Potential improvement in the future: Add validation to ensure these values cannot be empty (e.g. minLength = 16).
There was a problem hiding this comment.
Good idea, I moved it into the follow-up task: openmcp-project/backlog#162
Co-authored-by: Valentin Gerlach <valentin.gerlach@sap.com>
11 tasks
ValentinGerlach
approved these changes
Jul 2, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements openmcp-project/backlog#151
Some notes:
OIDC_CLIENT_ID_MCP(see env template)Needs to be merged together with openmcp-project/ui-backend#9