Conversation

@robertofalk robertofalk commented Jul 17, 2025

Add an optional claims dict to the AccessToken class to provide access to all decoded JWT claims (both standard and custom) instead of restricting access to only specific fields like scopes and expires_at.

Motivation and Context

FastMCP provides a BearerAuthProvider class to validate bearer tokens and returns the result using the AccessToken class (https://github.com/jlowin/fastmcp/blob/main/src/fastmcp/server/auth/providers/bearer.py#L387). With the current implementation the claims from the token are limited to the ones defined so far, so any additional claim is not available, and to get it I currently had to define an additional middleware that decodes the token again, which is a waste since the token was already decoded by BearerAuthProvider.

How Has This Been Tested?

I was not able to test it since it's just an attribute that will be used by applications relying on the python-sdk AccessToken class.

Breaking Changes

No, it's an optional attribute.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Resolves #1038

@ihrpr ihrpr added this to the auth milestone Jul 17, 2025
@robertofalk robertofalk requested review from a team and ochafik July 18, 2025 20:16
@robertofalk (Author)

@ihrpr, @ochafik, any comments, since you have been driving the auth milestone?

@dsp-ant dsp-ant self-requested a review August 4, 2025 10:09

@ochafik ochafik left a comment

Hi @robertofalk, thanks for sending this PR!

Currently, there is no JWT payload used to build the AccessToken, afaict.

To handle JWT tokens, you might want to create a new JWTAccessToken / created by a new JWTTokenVerifier (responsible for verifying the token signature), used by a JWT-specific OAuthAuthorizationServerProvider subclass distinct from SimpleOAuthProvider.

(and if we get there, I reckon the non-standard claims should go to a JWTAccessToken.additional_claims field to avoid duplication)

Does this make sense?
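
The split ochafik describes, a JWTTokenVerifier that checks the signature once and returns a JWTAccessToken whose typed fields carry the standard claims while everything else goes into additional_claims, as an added example for this thread. It is not code from the python-sdk or FastMCP; the class names follow the comment above, but the implementation, the choice of HS256 with a shared secret, the STANDARD_CLAIMS set and the mint_hs256 helper are all assumptions made here so the example runs offline with the standard library only. It also covers the PR description's point: the custom "tenant" claim is available without a second decode.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Any

# Claims the token object already exposes as typed fields. Everything else the
# issuer put in the payload lands in additional_claims, so downstream code never
# decodes the JWT a second time and no claim is stored twice. (Assumed set.)
STANDARD_CLAIMS = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti", "scope", "client_id"}


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


@dataclass
class JWTAccessToken:
    """Hypothetical token object; not the python-sdk's AccessToken."""
    token: str
    client_id: str
    scopes: list[str]
    expires_at: int | None
    subject: str | None
    additional_claims: dict[str, Any] = field(default_factory=dict)


class JWTTokenVerifier:
    """Hypothetical verifier: HS256 with a shared secret, issuer and audience pinned."""

    def __init__(self, secret: bytes, issuer: str, audience: str) -> None:
        self.secret = secret
        self.issuer = issuer
        self.audience = audience

    def verify(self, token: str, now: int | None = None) -> JWTAccessToken | None:
        """Return a JWTAccessToken for a valid token, None for anything else."""
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header_b64, payload_b64, sig_b64 = parts
        try:
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(payload_b64))
            signature = b64url_decode(sig_b64)
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            return None
        # Pin the algorithm: the header must never pick it ("none", RS/HS confusion).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(self.secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        # Signature verified; now the claims that gate acceptance.
        if not isinstance(claims, dict):
            return None
        exp = claims.get("exp")
        if isinstance(exp, bool) or not isinstance(exp, int) or exp <= now:
            return None
        if claims.get("iss") != self.issuer:
            return None
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return None
        scope = claims.get("scope", "")
        sub = claims.get("sub")
        return JWTAccessToken(
            token=token,
            client_id=str(claims.get("client_id", "")),
            scopes=scope.split() if isinstance(scope, str) else [],
            expires_at=exp,
            subject=sub if isinstance(sub, str) else None,
            additional_claims={k: v for k, v in claims.items() if k not in STANDARD_CLAIMS},
        )


def mint_hs256(secret: bytes, claims: dict[str, Any]) -> str:
    """Constructed helper so the example runs offline; a real AS would issue tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed for the demo only
    verifier = JWTTokenVerifier(secret, issuer="https://issuer.example", audience="mcp-server")
    token = mint_hs256(secret, {
        "iss": "https://issuer.example", "sub": "user-123", "aud": "mcp-server",
        "exp": int(time.time()) + 600, "scope": "read write", "client_id": "cli-1",
        "tenant": "acme",  # custom claim the PR wanted to surface
    })
    result = verifier.verify(token)
    print(result.subject, result.scopes, result.additional_claims)
```

The verifier rejects before it inspects the payload: algorithm pinned to what the verifier was configured for, constant-time signature compare, then exp, iss and aud. Only a token that passes all of that yields an object, and the custom claim is read from the same decoded payload rather than by a second middleware decoding the token again.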

@felixweinberger felixweinberger added labels bug (Something isn't working), needs more work (Not ready to be merged yet, needs additional changes.) and auth (Issues and PRs related to Authentication / OAuth) Sep 22, 2025
@felixweinberger (Contributor)

Closing this; as per @ochafik's comment, this is incomplete, and it's been a while since the last update here.

If others find this PR and need this, feel free to submit a fresh PR.

Development

Successfully merging this pull request may close these issues.

MCP server: AccessToken class should have field for subject claim ("sub")