add authorizer plugin to enable fine grained authorization checks on … #1032
Conversation
…tools/resources/prompts
…rams such as http headers
…n-sdk into feature/authorization
Hi @davemssavage, thank you for this contribution! This looks like a new feature and enhancement to the protocol that we'd want to implement in all SDKs to ensure parity. For this kind of change, we generally require a SEP (Spec Enhancement Proposal) before we can accept changes to the actual SDKs, to ensure the standards are implemented equally across implementations: https://modelcontextprotocol.io/community/sep-guidelines I will close this PR for now, but we can reopen / resubmit once we have the SEP and it's admitted to the spec - feel free to use this PR as an attachment to the proposal during submission for ease of discussion!
@felixweinberger thanks for looking into this. I've raised 1386 as a placeholder; it is very draft at the moment as I'm multi-tasking. I'll try to get it into a reviewable state by the end of the week.
Enable fine grained authorization checks for tools/resources/prompts
Motivation and Context
#1031
Advanced use cases for authorization require fine-grained permission checks; this patch enables a plugin to be provided to the FastMCP server to check whether the caller has permission to get/list/call.
The intention is to combine this with auth_context_var to retrieve the mcp.server.auth.middleware.bearer_auth.AuthenticatedUser that is performing the action.
How Has This Been Tested?
Unit tests and local server testing
Breaking Changes
None
Types of changes
Checklist
Additional context
The behaviour has been implemented such that a permission failure is indistinguishable to the caller from a non-existent item, in order to prevent leaking information about the existence or not of the tool/prompt/resource.
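The sketch below is an added illustration of the pattern the PR description outlines, not code from the PR or from the python-sdk. It assumes a hypothetical `Authorizer` protocol with `can_list`/`can_call` hooks, a stand-in `AuthenticatedUser` and `auth_context_var` (the SDK's real classes carry more fields and are set by its bearer-auth middleware), and a toy `ToolRegistry` in place of FastMCP. The point it demonstrates is the last paragraph above: a tool the caller may not use is filtered out of listings and, on call, raises exactly the error an unknown tool raises.

```python
from __future__ import annotations

import contextvars
from dataclasses import dataclass, field
from typing import Any, Callable, Optional, Protocol


@dataclass(frozen=True)
class AuthenticatedUser:
    """Stand-in (assumption) for the SDK's AuthenticatedUser; only scopes matter here."""
    username: str
    scopes: frozenset[str] = field(default_factory=frozenset)


# Stand-in for the SDK's auth_context_var; the auth middleware would set it per request.
auth_context_var: contextvars.ContextVar[Optional[AuthenticatedUser]] = contextvars.ContextVar(
    "auth_context", default=None
)


class Authorizer(Protocol):
    """Hypothetical plugin interface; the PR's real interface may differ."""

    def can_list(self, user: Optional[AuthenticatedUser], name: str) -> bool: ...

    def can_call(self, user: Optional[AuthenticatedUser], name: str) -> bool: ...


class ScopeAuthorizer:
    """Allows a tool if the caller holds the scope the tool is labelled with.
    Unlabelled tools are open to every caller, authenticated or not."""

    def __init__(self, required_scope: dict[str, str]) -> None:
        self._required_scope = required_scope  # tool name -> scope

    def _allowed(self, user: Optional[AuthenticatedUser], name: str) -> bool:
        scope = self._required_scope.get(name)
        if scope is None:
            return True
        return user is not None and scope in user.scopes

    def can_list(self, user: Optional[AuthenticatedUser], name: str) -> bool:
        return self._allowed(user, name)

    def can_call(self, user: Optional[AuthenticatedUser], name: str) -> bool:
        return self._allowed(user, name)


class ToolNotFound(Exception):
    """One error for both unknown and denied tools, so the caller cannot tell them apart."""


class ToolRegistry:
    def __init__(self, authorizer: Authorizer) -> None:
        self._tools: dict[str, Callable[..., Any]] = {}
        self._authorizer = authorizer

    def add(self, name: str, fn: Callable[..., Any]) -> None:
        self._tools[name] = fn

    def list_tools(self) -> list[str]:
        # Denied tools are silently filtered; the listing never hints that they exist.
        user = auth_context_var.get()
        return sorted(n for n in self._tools if self._authorizer.can_list(user, n))

    def call_tool(self, name: str, **kwargs: Any) -> Any:
        user = auth_context_var.get()
        fn = self._tools.get(name)
        # Missing and denied take the same branch and raise the same exception text.
        if fn is None or not self._authorizer.can_call(user, name):
            raise ToolNotFound(f"Unknown tool: {name}")
        return fn(**kwargs)


def run_as(user: Optional[AuthenticatedUser], fn: Callable[[], Any]) -> Any:
    """Run fn with auth_context_var bound to user, restoring the previous value after."""
    token = auth_context_var.set(user)
    try:
        return fn()
    finally:
        auth_context_var.reset(token)


def failure_text(user: Optional[AuthenticatedUser], registry: ToolRegistry, name: str) -> str:
    """The error a caller sees when calling `name`, or 'ok' if the call succeeded."""
    try:
        run_as(user, lambda: registry.call_tool(name))
        return "ok"
    except ToolNotFound as exc:
        return str(exc)


def demo() -> dict[str, Any]:
    """Constructed scenario: an admin-only tool next to an open one."""
    registry = ToolRegistry(ScopeAuthorizer({"delete_user": "admin"}))
    registry.add("echo", lambda text="hi": text)
    registry.add("delete_user", lambda user_id="u1": f"deleted {user_id}")
    alice = AuthenticatedUser("alice", frozenset({"admin"}))
    bob = AuthenticatedUser("bob")
    return {
        "alice_list": run_as(alice, registry.list_tools),
        "bob_list": run_as(bob, registry.list_tools),
        "alice_call": failure_text(alice, registry, "delete_user"),
        "bob_denied": failure_text(bob, registry, "delete_user"),
        "bob_missing": failure_text(bob, registry, "no_such_tool"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints Alice's full listing, Bob's filtered listing, and two identical-looking `Unknown tool: ...` failures for Bob, one for a tool that exists but is denied and one for a tool that does not exist. The same `can_list`/`can_call` shape extends to resources and prompts by giving the authorizer matching hooks; the key design choice is that the registry never surfaces a distinct "forbidden" result, so neither the list nor the call path confirms that a denied item is present.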