Add group-to-scope mappings in scopes.yml for consistent authorization between M2M and session cookie auth mode; Updated auth server to use configuration-driven scope mapping instead of hardcoded logic; Updated library package;

Author: westonbrown

auth_server/pyproject.toml

@@ -20,7 +20,8 @@ dependencies = [
     "boto3>=1.28.0",
     "pyjwt>=2.6.0",
     "cryptography>=40.0.0",
-    "pyyaml>=6.0.0"
+    "pyyaml>=6.0.0",
+    "itsdangerous>=2.0.0"
 ]
 
 [project.optional-dependencies]

auth_server/scopes.yml

@@ -1,6 +1,34 @@
 # MCP Server Access Scopes Configuration
 # This file defines access permissions for MCP servers and their tools
 
+# Group to scope mappings for user authentication
+# Maps Cognito groups to MCP scopes for consistent authorization
+group_mappings:
+  # Administrative access
+  mcp-admin:
+    - mcp-servers-unrestricted/read
+    - mcp-servers-unrestricted/execute
+  
+  # Standard user access
+  mcp-user:
+    - mcp-servers-restricted/read
+  
+  # Server-specific access groups
+  mcp-server-currenttime:
+    - mcp-servers-restricted/execute
+  mcp-server-fininfo:
+    - mcp-servers-restricted/execute
+  mcp-server-mcpgw:
+    - mcp-servers-restricted/execute
+  
+  # Fine-grained tool access (optional)
+  mcp-server-currenttime-tool-current_time_by_timezone:
+    - mcp-servers-restricted/execute
+  mcp-server-fininfo-tool-get_stock_price:
+    - mcp-servers-restricted/execute
+  mcp-server-fininfo-tool-get_company_info:
+    - mcp-servers-restricted/execute
+
 mcp-servers-unrestricted/read:
   - server: auth_server
     methods:

auth_server/server.py

@@ -46,7 +46,9 @@ def load_scopes_config():
 
 def map_cognito_groups_to_scopes(groups: List[str]) -> List[str]:
     """
-    Map Cognito groups to MCP scopes using the same format as M2M resource server scopes.
+    Map Cognito groups to MCP scopes using scopes.yml configuration.
+    
+    Uses the same scope format as M2M tokens for consistency.
     
     Args:
         groups: List of Cognito group names
@@ -56,34 +58,27 @@ def map_cognito_groups_to_scopes(groups: List[str]) -> List[str]:
     """
     scopes = []
 
+    # Use group mappings from scopes.yml if available
+    group_mappings = SCOPES_CONFIG.get('group_mappings', {})
+    
     for group in groups:
-        if group == 'mcp-admin':
-            # Admin gets unrestricted read and execute access
-            scopes.append('mcp-servers-unrestricted/read')
-            scopes.append('mcp-servers-unrestricted/execute')
-        elif group == 'mcp-user':
-            # Regular users get restricted read access by default
-            scopes.append('mcp-servers-restricted/read')
-        elif group.startswith('mcp-server-'):
-            # Server-specific groups grant access based on server permissions
-            # For now, grant restricted execute access for specific servers
-            # This allows access to the servers defined in the restricted scope
-            scopes.append('mcp-servers-restricted/execute')
-            
-            # Note: The actual server access control is handled by the
-            # validate_server_tool_access function which checks the scopes.yml
-            # configuration. The group names are preserved in the 'groups' field
-            # for potential future fine-grained access control.
+        if group in group_mappings:
+            # Use configured mapping
+            scopes.extend(group_mappings[group])
+        else:
+            # Legacy fallback for backward compatibility
+            logger.debug(f"Group '{group}' not in group_mappings, using legacy mapping")
+            
+            if group == 'mcp-admin':
+                scopes.extend(['mcp-servers-unrestricted/read', 
+                              'mcp-servers-unrestricted/execute'])
+            elif group == 'mcp-user':
+                scopes.append('mcp-servers-restricted/read')
+            elif group.startswith('mcp-server-'):
+                scopes.append('mcp-servers-restricted/execute')
 
     # Remove duplicates while preserving order
-    seen = set()
-    unique_scopes = []
-    for scope in scopes:
-        if scope not in seen:
-            seen.add(scope)
-            unique_scopes.append(scope)
-    
-    return unique_scopes
+    return list(dict.fromkeys(scopes))
 
 def validate_session_cookie(cookie_value: str) -> Dict[str, any]:
     """