feat(auth): add reusable OAuth2 base helper library #2858
LOVECAO1011 wants to merge 1 commit into IBM:main from
Introduce a canonical OAuth2/OIDC helper module for token validation, claims extraction, metadata discovery, token exchange/refresh, and scope operations so auth plugins can share consistent protocol logic. Add focused unit coverage for the new helper APIs and RFC-oriented behaviors.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: hany1 <hany1@tcd.ie>
ca7dafc to d8953f1
Thanks @LOVECAO1011. A reusable OAuth2/OIDC helper module could reduce duplication across our OAuth integrations. Key concerns:
Thanks for the detailed review and questions.
Introduce a canonical OAuth2/OIDC helper module for token validation, claims extraction, metadata discovery, token exchange/refresh, and scope operations so auth plugins can share consistent protocol logic. Add focused unit coverage for the new helper APIs and RFC-oriented behaviors.
🔗 Related Issue
Closes #
📝 Summary
- mcpgateway/oauth2/base.py
  - validate_token() with JWKS JWT verification and introspection fallback
  - extract_claims() canonical claim mapping
  - discover_authorization_server_metadata() (RFC 8414)
  - discover_oidc_metadata() (OIDC discovery)
  - discover_protected_resource_metadata() (RFC 9728)
  - exchange_token() (RFC 8693)
  - refresh_token() (RFC 6749)
- mcpgateway/oauth2/models.py
  - typed request/response config models
- mcpgateway/oauth2/exceptions.py
  - unified OAuth2 error types
- mcpgateway/oauth2/__init__.py
  - public exports
- tests/unit/mcpgateway/oauth2/test_base.py
  - focused unit tests for helper APIs and error paths
🏷️ Type of Change
🧪 Verification
- make lint
- make test
- make coverage
✅ Checklist
make black isort pre-commit)
📓 Notes (optional)
This PR delivers the OAuth2 base helper layer requested by #1434 and is designed to be consumed by plugin/auth flows in the #1422 epic.
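The three discovery calls listed in the summary place the well-known suffix differently, and each spec requires the returned identifier to equal the one requested. An added example of both points, not code from this PR: `inserted_url`, `appended_url`, `check_identifier` and the example.com hosts are hypothetical names chosen for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Well-known suffixes defined by the three specs the PR summary lists.
AS_SUFFIX = "oauth-authorization-server"  # RFC 8414
PR_SUFFIX = "oauth-protected-resource"    # RFC 9728
OIDC_SUFFIX = "openid-configuration"      # OpenID Connect Discovery 1.0


def _parse(identifier, allow_query=False):
    """Accept only https identifiers without a fragment (and, for issuers, without a query)."""
    parts = urlsplit(identifier)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"not an https URL with a host: {identifier!r}")
    if parts.fragment or (parts.query and not allow_query):
        raise ValueError(f"query/fragment not allowed here: {identifier!r}")
    return parts


def inserted_url(identifier, suffix, allow_query=False):
    """RFC 8414 / RFC 9728 style: the suffix goes between host and path."""
    p = _parse(identifier, allow_query)
    path = p.path.removesuffix("/")  # a terminating slash is dropped first
    return urlunsplit((p.scheme, p.netloc, f"/.well-known/{suffix}{path}", p.query, ""))


def appended_url(issuer):
    """OIDC Discovery style: the suffix is appended after the issuer path."""
    p = _parse(issuer)
    path = p.path.removesuffix("/")
    return urlunsplit((p.scheme, p.netloc, f"{path}/.well-known/{OIDC_SUFFIX}", "", ""))


def check_identifier(requested, metadata, field="issuer"):
    """Reject a document whose self-declared identifier is not exactly the one requested."""
    declared = metadata.get(field)
    if declared != requested:  # plain string comparison, no normalization
        raise ValueError(f"{field} mismatch: asked for {requested!r}, got {declared!r}")
    return metadata


if __name__ == "__main__":
    issuer = "https://as.example.com/tenant1"  # constructed sample values
    print(inserted_url(issuer, AS_SUFFIX))
    print(appended_url(issuer))
    print(inserted_url("https://api.example.com/mcp", PR_SUFFIX, allow_query=True))
    check_identifier(issuer, {"issuer": issuer})
```

Skipping the identifier comparison lets a metadata document served for one tenant or resource be accepted for another, so a shared helper is a natural place to enforce it once.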