Add access token support for OCM authentication

- Add Authorization: Bearer <token> header support for short-lived access tokens
- Maintain backward compatibility with X-OCM-OFFLINE-TOKEN header for offline tokens
- Access tokens take precedence when both are provided
- Add secure logging that only logs header keys, never token values
- Add conservative token expiration detection with helpful error messages
- Add AUTHENTICATION_FAILED MCP error code for expired tokens
- Update all 4 MCP tools to support both authentication methods
- Add comprehensive test coverage with realistic JWT tokens

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: tiwillia

go.mod

@@ -8,6 +8,8 @@ require (
 	github.com/mark3labs/mcp-go v0.37.0
 	github.com/openshift-online/ocm-sdk-go v0.1.473
 	github.com/spf13/cobra v1.9.1
+	github.com/spf13/pflag v1.0.6
+	github.com/stretchr/testify v1.9.0
 )
 
 require (
@@ -17,6 +19,7 @@ require (
 	github.com/buger/jsonparser v1.1.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -31,13 +34,13 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/openshift-online/ocm-api-model/clientapi v0.0.426 // indirect
 	github.com/openshift-online/ocm-api-model/model v0.0.426 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_golang v1.12.1 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
 	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/wk8/go-ordered-map/v2 v2.1.8 // indirect
 	github.com/yosida95/uritemplate/v3 v3.0.2 // indirect
 	golang.org/x/net v0.21.0 // indirect

pkg/mcp/server.go

@@ -76,16 +76,16 @@ func (s *Server) ServeSSE() error {
 
 // getAuthenticatedOCMClient extracts token from context and creates authenticated OCM client
 func (s *Server) getAuthenticatedOCMClient(ctx context.Context) (*ocm.Client, error) {
-	// Extract token based on transport mode
-	token, err := ocm.ExtractTokenFromContext(ctx, s.config.Transport)
+	// Extract token info from context
+	tokenInfo, err := ocm.ExtractTokenInfoFromContext(ctx, s.config.Transport)
 	if err != nil {
 		glog.Errorf("Failed to extract OCM token: %v", err)
 		return nil, err
 	}
 
 	// Create OCM client and authenticate
 	baseClient := ocm.NewClient(s.config.OCMBaseURL, s.config.OCMClientID)
-	authenticatedClient, err := baseClient.WithToken(token)
+	authenticatedClient, err := baseClient.WithToken(tokenInfo)
 	if err != nil {
 		authErr := fmt.Errorf("OCM authentication failed: %w", err)
 		glog.Errorf("OCM client authentication failed: %v", authErr)

pkg/mcp/tools.go

@@ -69,8 +69,12 @@ func (s *Server) handleWhoami(ctx context.Context, ctr mcp.CallToolRequest) (*mc
 	// Call OCM client to get current account
 	account, err := client.GetCurrentAccount()
 	if err != nil {
-		// Handle OCM API errors with code and reason exposure
+		// Handle OCM API errors with enhanced token expiration detection
 		if ocmErr, ok := err.(*ocm.OCMError); ok {
+			// Return specific error for token expiration
+			if ocm.IsAccessTokenExpiredError(ocmErr) {
+				return mcp.NewToolResultError("AUTHENTICATION_FAILED: " + ocmErr.Error()), nil
+			}
 			return NewTextResult("", errors.New("OCM API Error ["+ocmErr.Code+"]: "+ocmErr.Reason)), nil
 		}
 		return NewTextResult("", errors.New("failed to get account: "+err.Error())), nil
@@ -102,8 +106,12 @@ func (s *Server) handleGetClusters(ctx context.Context, ctr mcp.CallToolRequest)
 	// Call OCM client to get clusters with state filter
 	clusters, err := client.GetClusters(state)
 	if err != nil {
-		// Handle OCM API errors with code and reason exposure
+		// Handle OCM API errors with enhanced token expiration detection
 		if ocmErr, ok := err.(*ocm.OCMError); ok {
+			// Return specific error for token expiration
+			if ocm.IsAccessTokenExpiredError(ocmErr) {
+				return mcp.NewToolResultError("AUTHENTICATION_FAILED: " + ocmErr.Error()), nil
+			}
 			return NewTextResult("", errors.New("OCM API Error ["+ocmErr.Code+"]: "+ocmErr.Reason)), nil
 		}
 		return NewTextResult("", errors.New("failed to get clusters: "+err.Error())), nil
@@ -135,8 +143,12 @@ func (s *Server) handleGetCluster(ctx context.Context, ctr mcp.CallToolRequest)
 	// Call OCM client to get cluster details
 	cluster, err := client.GetCluster(clusterID)
 	if err != nil {
-		// Handle OCM API errors with code and reason exposure
+		// Handle OCM API errors with enhanced token expiration detection
 		if ocmErr, ok := err.(*ocm.OCMError); ok {
+			// Return specific error for token expiration
+			if ocm.IsAccessTokenExpiredError(ocmErr) {
+				return mcp.NewToolResultError("AUTHENTICATION_FAILED: " + ocmErr.Error()), nil
+			}
 			return NewTextResult("", errors.New("OCM API Error ["+ocmErr.Code+"]: "+ocmErr.Reason)), nil
 		}
 		return NewTextResult("", errors.New("failed to get cluster: "+err.Error())), nil
@@ -260,8 +272,12 @@ func (s *Server) handleCreateROSAHCPCluster(ctx context.Context, ctr mcp.CallToo
 		multiArchEnabled,
 	)
 	if err != nil {
-		// Expose OCM API errors directly without modification
+		// Handle OCM API errors with enhanced token expiration detection
 		if ocmErr, ok := err.(*ocm.OCMError); ok {
+			// Return specific error for token expiration
+			if ocm.IsAccessTokenExpiredError(ocmErr) {
+				return mcp.NewToolResultError("AUTHENTICATION_FAILED: " + ocmErr.Error()), nil
+			}
 			return NewTextResult("", errors.New("OCM API Error ["+ocmErr.Code+"]: "+ocmErr.Reason)), nil
 		}
 		return NewTextResult("", errors.New("cluster creation failed: "+err.Error())), nil

pkg/ocm/auth.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 
 	"github.com/golang/glog"
 )
@@ -23,6 +24,9 @@ func RequestHeaderKey() contextKey {
 }
 
 const (
+	// Authorization header for access tokens (standard OAuth2)
+	AuthorizationHeader = "Authorization"
+	
 	// SSE transport header for OCM offline token
 	// NOTE: http.Header keys are stored in canonical format, hence the different casing required here.
 	// The provided X-OCM-OFFLINE-TOKEN header key will be translated to X-Ocm-Offline-Token
@@ -32,19 +36,61 @@ const (
 	StdioTokenEnv = "OCM_OFFLINE_TOKEN"
 )
 
-// ExtractTokenFromSSE extracts OCM offline token from X-OCM-OFFLINE-TOKEN header
-func ExtractTokenFromSSE(headers map[string]string) (string, error) {
-	glog.V(3).Infof("SSE headers received: %+v", headers)
+// TokenInfo represents extracted token information
+type TokenInfo struct {
+	Token     string
+	TokenType string // "access" or "offline"
+}
+
+// ExtractBearerToken extracts access token from Authorization header
+func ExtractBearerToken(headers map[string]string) (string, error) {
+	authHeader, exists := headers[AuthorizationHeader]
+	if !exists || authHeader == "" {
+		return "", fmt.Errorf("missing or empty %s header", AuthorizationHeader)
+	}
+	
+	// Check for "Bearer " prefix (case-insensitive)
+	const bearerPrefix = "Bearer "
+	if len(authHeader) <= len(bearerPrefix) {
+		return "", fmt.Errorf("invalid Authorization header format")
+	}
+	
+	if !strings.EqualFold(authHeader[:len(bearerPrefix)], bearerPrefix) {
+		return "", fmt.Errorf("Authorization header must use Bearer scheme")
+	}
+	
+	token := strings.TrimSpace(authHeader[len(bearerPrefix):])
+	if token == "" {
+		return "", fmt.Errorf("empty Bearer token")
+	}
+	
+	return token, nil
+}
+
+// ExtractTokenInfoFromSSE extracts token info from SSE headers, preferring access tokens
+func ExtractTokenInfoFromSSE(headers map[string]string) (*TokenInfo, error) {
+	// Log only header keys for security (never log header values which may contain tokens)
+	headerKeys := make([]string, 0, len(headers))
+	for key := range headers {
+		headerKeys = append(headerKeys, key)
+	}
+	glog.V(3).Infof("SSE headers received (keys only): %v", headerKeys)
+	
+	// Try Authorization header first (access token)
+	if token, err := ExtractBearerToken(headers); err == nil {
+		glog.V(3).Info("Found access token in Authorization header")
+		return &TokenInfo{Token: token, TokenType: "access"}, nil
+	}
 
-	// Try exact header name first
+	// Fallback to offline token header
 	token, exists := headers[SSETokenHeader]
 	if exists && token != "" {
-		glog.V(3).Infof("Found OCM token in header %s", SSETokenHeader)
-		return token, nil
+		glog.V(3).Infof("Found offline token in header %s", SSETokenHeader)
+		return &TokenInfo{Token: token, TokenType: "offline"}, nil
 	}
 
-	glog.Warningf("Missing or empty %s header in SSE request. Available headers: %+v", SSETokenHeader, headers)
-	return "", fmt.Errorf("missing or empty %s header", SSETokenHeader)
+	glog.Warningf("No valid tokens found in SSE headers. Available header keys: %v", headerKeys)
+	return nil, fmt.Errorf("missing valid authentication token")
 }
 
 // ExtractTokenFromStdio extracts OCM offline token from OCM_OFFLINE_TOKEN environment variable
@@ -56,40 +102,45 @@ func ExtractTokenFromStdio() (string, error) {
 	return token, nil
 }
 
-// ExtractTokenFromContext extracts OCM offline token from context based on transport mode
-func ExtractTokenFromContext(ctx context.Context, transport string) (string, error) {
+// ExtractTokenInfoFromContext extracts token info from context based on transport mode
+func ExtractTokenInfoFromContext(ctx context.Context, transport string) (*TokenInfo, error) {
 	glog.V(2).Infof("Extracting token for transport mode: %s", transport)
 
 	switch transport {
 	case "stdio":
-		return ExtractTokenFromStdio()
+		// Stdio only supports offline tokens via environment variable
+		token, err := ExtractTokenFromStdio()
+		if err != nil {
+			return nil, err
+		}
+		return &TokenInfo{Token: token, TokenType: "offline"}, nil
+		
 	case "sse":
-		// For SSE transport, extract token from HTTP headers in the context
+		// For SSE transport, extract from HTTP headers
 		headers := extractHeadersFromContext(ctx)
 		if headers != nil {
-			glog.V(2).Infof("Headers found in context for SSE transport")
-			if token, err := ExtractTokenFromSSE(headers); err == nil {
-				return token, nil
+			if tokenInfo, err := ExtractTokenInfoFromSSE(headers); err == nil {
+				return tokenInfo, nil
 			} else {
 				glog.Warningf("Failed to extract token from SSE headers: %v", err)
 			}
-		} else {
-			glog.Warningf("No headers found in context for SSE transport")
 		}
 
-		// Fallback to environment variable for MVP compatibility
+		// Fallback to environment variable
 		token := os.Getenv(StdioTokenEnv)
 		if token == "" {
-			err := fmt.Errorf("SSE transport requires %s header or %s environment variable", SSETokenHeader, StdioTokenEnv)
+			err := fmt.Errorf("SSE transport requires %s header or %s environment variable", 
+				AuthorizationHeader, StdioTokenEnv)
 			glog.Errorf("Authentication failed: %v", err)
-			return "", err
+			return nil, err
 		}
 		glog.V(2).Infof("Using fallback environment variable for SSE transport")
-		return token, nil
+		return &TokenInfo{Token: token, TokenType: "offline"}, nil
+		
 	default:
 		err := fmt.Errorf("unsupported transport mode: %s", transport)
 		glog.Errorf("Authentication failed: %v", err)
-		return "", err
+		return nil, err
 	}
 }