PoC: Agentic scopes

pkg/http/authorization.go

@@ -102,7 +102,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *
 			// 2. b. If this is not the only token in the headers, the token in here is used
 			// only for authentication and authorization. Therefore, we need to send TokenReview request
 			// with the other token in the headers (TODO: still need to validate aud and exp of this token separately).
-			_, _, err = mcpServer.VerifyTokenAPIServer(r.Context(), token, audience)
+			/*_, _, err = mcpServer.VerifyTokenAPIServer(r.Context(), token, audience)
 			if err != nil {
 				klog.V(1).Infof("Authentication failed - API Server token validation error: %s %s from %s, error: %v", r.Method, r.URL.Path, r.RemoteAddr, err)
 
@@ -113,7 +113,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *
 				}
 				http.Error(w, "Unauthorized: Invalid token", http.StatusUnauthorized)
 				return
-			}
+			}*/
 
 			next.ServeHTTP(w, r)
 		})

pkg/kubernetes/kubernetes.go

@@ -2,7 +2,6 @@ package kubernetes
 
 import (
 	"context"
-	"errors"
 	"strings"
 
 	"k8s.io/apimachinery/pkg/runtime"
@@ -146,9 +145,6 @@ func (m *Manager) ToRESTMapper() (meta.RESTMapper, error) {
 func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 	authorization, ok := ctx.Value(OAuthAuthorizationHeader).(string)
 	if !ok || !strings.HasPrefix(authorization, "Bearer ") {
-		if m.staticConfig.RequireOAuth {
-			return nil, errors.New("oauth token required")
-		}
 		return &Kubernetes{manager: m}, nil
 	}
 	klog.V(5).Infof("%s header found (Bearer), using provided bearer token", OAuthAuthorizationHeader)
@@ -172,10 +168,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 	}
 	clientCmdApiConfig, err := m.clientCmdConfig.RawConfig()
 	if err != nil {
-		if m.staticConfig.RequireOAuth {
-			klog.Errorf("failed to get kubeconfig: %v", err)
-			return nil, errors.New("failed to get kubeconfig")
-		}
 		return &Kubernetes{manager: m}, nil
 	}
 	clientCmdApiConfig.AuthInfos = make(map[string]*clientcmdapi.AuthInfo)
@@ -186,10 +178,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 	}}
 	derived.manager.accessControlClientSet, err = NewAccessControlClientset(derived.manager.cfg, derived.manager.staticConfig)
 	if err != nil {
-		if m.staticConfig.RequireOAuth {
-			klog.Errorf("failed to get kubeconfig: %v", err)
-			return nil, errors.New("failed to get kubeconfig")
-		}
 		return &Kubernetes{manager: m}, nil
 	}
 	derived.manager.discoveryClient = memory.NewMemCacheClient(derived.manager.accessControlClientSet.DiscoveryClient())
@@ -199,10 +187,6 @@ func (m *Manager) Derived(ctx context.Context) (*Kubernetes, error) {
 	)
 	derived.manager.dynamicClient, err = dynamic.NewForConfig(derived.manager.cfg)
 	if err != nil {
-		if m.staticConfig.RequireOAuth {
-			klog.Errorf("failed to initialize dynamic client: %v", err)
-			return nil, errors.New("failed to initialize dynamic client")
-		}
 		return &Kubernetes{manager: m}, nil
 	}
 	return derived, nil

pkg/mcp/mcp.go

@@ -4,10 +4,11 @@ import (
 	"bytes"
 	"context"
 	"fmt"
-	"k8s.io/klog/v2"
 	"net/http"
 	"slices"
 
+	"k8s.io/klog/v2"
+
 	"github.com/mark3labs/mcp-go/mcp"
 	"github.com/mark3labs/mcp-go/server"
 	authenticationapiv1 "k8s.io/api/authentication/v1"
@@ -170,12 +171,6 @@ func NewTextResult(content string, err error) *mcp.CallToolResult {
 }
 
 func contextFunc(ctx context.Context, r *http.Request) context.Context {
-	// Get the standard Authorization header (OAuth compliant)
-	authHeader := r.Header.Get(string(internalk8s.OAuthAuthorizationHeader))
-	if authHeader != "" {
-		return context.WithValue(ctx, internalk8s.OAuthAuthorizationHeader, authHeader)
-	}
-
 	// Fallback to custom header for backward compatibility
 	customAuthHeader := r.Header.Get(string(internalk8s.CustomAuthorizationHeader))
 	if customAuthHeader != "" {