modelcontextprotocol
diff --git a/‎src/mcp/server/auth/middleware/bearer_auth.py‎
Lines changed: 15 additions & 35 deletions b/‎src/mcp/server/auth/middleware/bearer_auth.py‎
Lines changed: 15 additions & 35 deletions
diff --git a/‎src/mcp/server/fastmcp/server.py‎
Lines changed: 13 additions & 10 deletions b/‎src/mcp/server/fastmcp/server.py‎
Lines changed: 13 additions & 10 deletions
diff --git a/‎src/mcp/server/sse.py‎
Lines changed: 8 additions & 1 deletion b/‎src/mcp/server/sse.py‎
Lines changed: 8 additions & 1 deletion
@@ -9,8 +9,9 @@
 
 from starlette.requests import HTTPConnection, Request
 from starlette.exceptions import HTTPException
-from starlette.authentication import AuthCredentials, AuthenticationBackend, AuthenticationError, BaseUser, SimpleUser, UnauthenticatedUser
+from starlette.authentication import AuthCredentials, AuthenticationBackend, AuthenticationError, BaseUser, SimpleUser, UnauthenticatedUser, has_required_scope
 from starlette.middleware.authentication import AuthenticationMiddleware
+from starlette.types import Scope
 
 from mcp.server.auth.errors import InsufficientScopeError, InvalidTokenError, OAuthError
 from mcp.server.auth.provider import OAuthServerProvider
@@ -34,22 +35,12 @@ class BearerAuthBackend(AuthenticationBackend):
     def __init__(
         self,
         provider: OAuthServerProvider,
-        required_scopes: Optional[List[str]] = None
     ):
-        """
-        Initialize the backend.
-        
-        Args:
-            provider: Authentication provider to validate tokens
-            required_scopes: Optional list of scopes that the token must have
-        """
         self.provider = provider
-        self.required_scopes = required_scopes or []
 
     async def authenticate(self, conn: HTTPConnection):
 
         if "Authorization" not in conn.headers:
-            raise AuthenticationError()
             return None
 
         auth_header = conn.headers["Authorization"]
@@ -61,14 +52,7 @@ async def authenticate(self, conn: HTTPConnection):
         try:
             # Validate the token with the provider
             auth_info = await self.provider.verify_access_token(token)
-            
-            # Check if the token has all required scopes
-            if self.required_scopes:
-                has_all_scopes = all(scope in auth_info.scopes for scope in self.required_scopes)
-                if not has_all_scopes:
-                    raise InsufficientScopeError("Insufficient scope")
-            
-            # Check if the token is expired
+
             if auth_info.expires_at and auth_info.expires_at < int(time.time()):
                 raise InvalidTokenError("Token has expired")
 
@@ -79,7 +63,7 @@ async def authenticate(self, conn: HTTPConnection):
             return None
 
 
-class BearerAuthMiddleware:
+class RequireAuthMiddleware:
     """
     Middleware that requires a valid Bearer token in the Authorization header.
     
@@ -92,8 +76,7 @@ class BearerAuthMiddleware:
     def __init__(
         self,
         app: Any,
-        provider: OAuthServerProvider,
-        required_scopes: Optional[List[str]] = None
+        required_scopes: list[str]
     ):
         """
         Initialize the middleware.
@@ -103,18 +86,15 @@ def __init__(
             provider: Authentication provider to validate tokens
             required_scopes: Optional list of scopes that the token must have
         """
-        self.app = AuthenticationMiddleware(
-            app, 
-            backend=BearerAuthBackend(provider, required_scopes)
-        )
-    
-    async def __call__(self, scope: Dict, receive: Callable, send: Callable) -> None:
-        """
-        Process the request and validate the bearer token.
+        self.app = app
+        self.required_scopes = required_scopes
+
+    async def __call__(self, scope: Scope, receive: Callable, send: Callable) -> None:
+        auth_credentials = scope.get('auth')
 
-        Args:
-            scope: ASGI scope
-            receive: ASGI receive function
-            send: ASGI send function
-        """
+        for required_scope in self.required_scopes:
+            # auth_credentials should always be provided; this is just paranoia
+            if auth_credentials is None or required_scope not in auth_credentials.scopes:
+                raise HTTPException(status_code=403, detail="Insufficient scope")
+
         await self.app(scope, receive, send)
@@ -16,12 +16,13 @@
 from starlette.applications import Starlette
 from starlette.authentication import requires
 from starlette.middleware.authentication import AuthenticationMiddleware
+from sse_starlette import EventSourceResponse
 import uvicorn
 from pydantic import BaseModel, Field
 from pydantic.networks import AnyUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
-from mcp.server.auth.middleware.bearer_auth import BearerAuthBackend
+from mcp.server.auth.middleware.bearer_auth import BearerAuthBackend, RequireAuthMiddleware
 from mcp.server.auth.provider import OAuthServerProvider
 from mcp.server.auth.router import ClientRegistrationOptions, RevocationOptions
 from mcp.server.auth.types import AuthInfo
@@ -501,7 +502,7 @@ def starlette_app(self) -> Starlette:
         # Set up auth context and dependencies
 
         sse = SseServerTransport("/messages/")
-        async def handle_sse(request):
+        async def handle_sse(request) -> EventSourceResponse:
             # Add client ID from auth context into request context if available
             request_meta = {}
 
@@ -513,39 +514,41 @@ async def handle_sse(request):
                     streams[1],
                     self._mcp_server.create_initialization_options(),
                 )
+                return streams[2]
 
         # Create routes
         routes = []
         middleware = []
         required_scopes = self.settings.auth_required_scopes or []
+        auth_router = None
 
         # Add auth endpoints if auth provider is configured
         if self._auth_provider and self.settings.auth_issuer_url:
             from mcp.server.auth.router import create_auth_router
-            if "authenticated" not in required_scopes:
-                required_scopes.append("authenticated")
 
             # Set up bearer auth middleware if auth is required
             middleware = [
                 Middleware(
                     AuthenticationMiddleware,
                     backend=BearerAuthBackend(
                         provider=self._auth_provider,
-                        required_scopes=self.settings.auth_required_scopes
                     )
                 )
             ]
             auth_router = create_auth_router(
-                self._auth_provider,
-                self.settings.auth_issuer_url,
-                self.settings.auth_service_documentation_url
+                provider=self._auth_provider,
+                issuer_url=self.settings.auth_issuer_url,
+                service_documentation_url=self.settings.auth_service_documentation_url,
+                client_registration_options=self.settings.auth_client_registration_options,
+                revocation_options=self.settings.auth_revocation_options
             )
 
             # Add the auth router as a mount
-            routes.append(Mount("/", app=auth_router))
 
         routes.append(Route("/sse", endpoint=requires(required_scopes)(handle_sse), methods=["GET"]))
-        routes.append(Mount("/messages/", app=requires(required_scopes)(sse.handle_post_message)))
+        routes.append(Mount("/messages/", app=RequireAuthMiddleware(sse.handle_post_message, required_scopes)))
+        if auth_router:
+            routes.append(Mount("/", app=auth_router))
 
         # Create Starlette app with routes and middleware
         return Starlette(
 
@@ -34,6 +34,7 @@ async def handle_sse(request):
 import logging
 from contextlib import asynccontextmanager
 from typing import Any
+from typing_extensions import deprecated
 from urllib.parse import quote
 from uuid import UUID, uuid4
 
@@ -44,6 +45,7 @@ async def handle_sse(request):
 from starlette.requests import Request
 from starlette.responses import Response
 from starlette.types import Receive, Scope, Send
+from sse_starlette import EventSourceResponse
 
 import mcp.types as types
 
@@ -78,6 +80,7 @@ def __init__(self, endpoint: str) -> None:
         self._read_stream_writers = {}
         logger.debug(f"SseServerTransport initialized with endpoint: {endpoint}")
 
+    @deprecated("use connect_sse_v2 instead")
     @asynccontextmanager
     async def connect_sse(self, scope: Scope, receive: Receive, send: Send):
         if scope["type"] != "http":
@@ -128,7 +131,11 @@ async def sse_writer():
             tg.start_soon(response, scope, receive, send)
 
             logger.debug("Yielding read and write streams")
-            yield (read_stream, write_stream)
+            # TODO: hold on; shouldn't we be returning the EventSourceResponse?
+            # I think this is why the tests hang
+            # TODO: we probably shouldn't return response here, since it's a breaking change
+            # this is just to test
+            yield (read_stream, write_stream, response)
 
     async def handle_post_message(
         self, scope: Scope, receive: Receive, send: Send