Fix SSE transport authentication by implementing proper header extraction

- Add SSE context function to extract HTTP headers from requests and store in context
- Implement debug logging throughout authentication flow to troubleshoot header issues
- Add RequestHeaderKey() function to export context key for cross-package access
- Configure SSE server with WithSSEContextFunc to enable header extraction
- Add comprehensive error logging for authentication failures
- Fix mcp-go framework integration to properly handle X-OCM-OFFLINE-TOKEN header

Resolves SSE transport authentication failures where headers were not being
passed to the authentication context, enabling successful ROSA HCP cluster creation.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: tiwillia

README.md

@@ -71,7 +71,9 @@ export OCM_OFFLINE_TOKEN="your-ocm-token-here"
 # Start SSE server
 ./rosa-mcp-server --transport=sse --port=8080
 
-# Server will be available at http://localhost:8080/sse
+# Server will be available at:
+# - SSE stream: http://localhost:8080/sse
+# - MCP messages: http://localhost:8080/message
 # Send X-OCM-OFFLINE-TOKEN header with requests
 ```
 
@@ -244,13 +246,16 @@ Add to your mcpServers list:
 
 ### SSE Integration
 
-For remote integrations, use the SSE endpoint:
+For remote integrations, use the SSE endpoints:
 
 ```bash
-# Server endpoint
-POST http://localhost:8080/sse
+# SSE stream endpoint (for Server-Sent Events)
+GET http://localhost:8080/sse
 
-# Required header
+# MCP message endpoint (for sending JSON-RPC messages)
+POST http://localhost:8080/message
+
+# Required header for both endpoints
 X-OCM-OFFLINE-TOKEN: your-token-here
 ```
 

pkg/mcp/server.go

@@ -58,58 +58,54 @@ func (s *Server) ServeStdio() error {
 
 // ServeSSE serves the MCP server via SSE transport
 func (s *Server) ServeSSE() error {
-	mux := http.NewServeMux()
-
-	httpServer := &http.Server{
-		Addr:    fmt.Sprintf(":%d", s.config.Port),
-		Handler: mux,
-	}
-
-	// Create SSE server similar
-	sseServer := s.ServeSse(s.config.SSEBaseURL, httpServer)
-
-	// Register SSE endpoints
-	mux.Handle("/sse", sseServer)
-	mux.Handle("/message", sseServer)
-
-	// Health endpoint
-	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	})
-
 	glog.Infof("Starting SSE server on port %d", s.config.Port)
-	return httpServer.ListenAndServe()
-}
-
-// ServeSse creates SSE server
-func (s *Server) ServeSse(baseURL string, httpServer *http.Server) http.Handler {
-	options := []server.SSEOption{
-		server.WithHTTPServer(httpServer),
-	}
-	if baseURL != "" {
-		options = append(options, server.WithBaseURL(baseURL))
+	
+	// Create SSE server using mcp-go library
+	options := []server.SSEOption{}
+	if s.config.SSEBaseURL != "" {
+		options = append(options, server.WithBaseURL(s.config.SSEBaseURL))
 	}
-	return server.NewSSEServer(s.mcpServer, options...)
+	
+	// Add context function to extract headers from HTTP request
+	options = append(options, server.WithSSEContextFunc(s.extractHeadersToContext))
+	
+	sseServer := server.NewSSEServer(s.mcpServer, options...)
+	return sseServer.Start(fmt.Sprintf(":%d", s.config.Port))
 }
 
+
 // getAuthenticatedOCMClient extracts token from context and creates authenticated OCM client
 func (s *Server) getAuthenticatedOCMClient(ctx context.Context) (*ocm.Client, error) {
 	// Extract token based on transport mode
 	token, err := ocm.ExtractTokenFromContext(ctx, s.config.Transport)
 	if err != nil {
+		glog.Errorf("Failed to extract OCM token: %v", err)
 		return nil, err
 	}
 
 	// Create OCM client and authenticate
 	baseClient := ocm.NewClient(s.config.OCMBaseURL, s.config.OCMClientID)
 	authenticatedClient, err := baseClient.WithToken(token)
 	if err != nil {
-		return nil, fmt.Errorf("OCM authentication failed: %w", err)
+		authErr := fmt.Errorf("OCM authentication failed: %w", err)
+		glog.Errorf("OCM client authentication failed: %v", authErr)
+		return nil, authErr
 	}
 
 	return authenticatedClient, nil
 }
 
+// extractHeadersToContext is an SSE context function that extracts HTTP headers 
+// from the request and stores them in the context for later authentication use
+func (s *Server) extractHeadersToContext(ctx context.Context, r *http.Request) context.Context {
+	glog.V(2).Infof("SSE context function: extracting headers from HTTP request")
+	glog.V(3).Infof("Request headers: %+v", r.Header)
+	
+	// Store the HTTP headers in the context using the same key type that our auth code expects
+	// We need to use the contextKey type defined in our auth package
+	return context.WithValue(ctx, ocm.RequestHeaderKey(), r.Header)
+}
+
 // logToolCall logs tool execution with structured logging
 func (s *Server) logToolCall(toolName string, params map[string]interface{}) {
 	glog.V(2).Infof("Tool called: %s with params: %v", toolName, params)

pkg/ocm/auth.go

@@ -5,8 +5,23 @@ import (
 	"fmt"
 	"net/http"
 	"os"
+
+	"github.com/golang/glog"
 )
 
+// contextKey type for context value storage
+type contextKey int
+
+const (
+	// requestHeader key used by mcp-go framework to store HTTP headers in context
+	requestHeader contextKey = iota
+)
+
+// RequestHeaderKey returns the context key used for storing HTTP headers
+func RequestHeaderKey() contextKey {
+	return requestHeader
+}
+
 const (
 	// SSE transport header for OCM offline token
 	// NOTE: http.Header keys are stored in canonical format, hence the different casing required here.
@@ -19,12 +34,16 @@ const (
 
 // ExtractTokenFromSSE extracts OCM offline token from X-OCM-OFFLINE-TOKEN header
 func ExtractTokenFromSSE(headers map[string]string) (string, error) {
+	glog.V(3).Infof("SSE headers received: %+v", headers)
+	
 	// Try exact header name first
 	token, exists := headers[SSETokenHeader]
 	if exists && token != "" {
+		glog.V(3).Infof("Found OCM token in header %s", SSETokenHeader)
 		return token, nil
 	}
 
+	glog.Warningf("Missing or empty %s header in SSE request. Available headers: %+v", SSETokenHeader, headers)
 	return "", fmt.Errorf("missing or empty %s header", SSETokenHeader)
 }
 
@@ -39,57 +58,95 @@ func ExtractTokenFromStdio() (string, error) {
 
 // ExtractTokenFromContext extracts OCM offline token from context based on transport mode
 func ExtractTokenFromContext(ctx context.Context, transport string) (string, error) {
+	glog.V(2).Infof("Extracting token for transport mode: %s", transport)
+	
 	switch transport {
 	case "stdio":
 		return ExtractTokenFromStdio()
 	case "sse":
 		// For SSE transport, extract token from HTTP headers in the context
-		if headers := extractHeadersFromContext(ctx); headers != nil {
+		headers := extractHeadersFromContext(ctx)
+		if headers != nil {
+			glog.V(2).Infof("Headers found in context for SSE transport")
 			if token, err := ExtractTokenFromSSE(headers); err == nil {
 				return token, nil
+			} else {
+				glog.Warningf("Failed to extract token from SSE headers: %v", err)
 			}
+		} else {
+			glog.Warningf("No headers found in context for SSE transport")
 		}
 
 		// Fallback to environment variable for MVP compatibility
 		token := os.Getenv(StdioTokenEnv)
 		if token == "" {
-			return "", fmt.Errorf("SSE transport requires %s header or %s environment variable", SSETokenHeader, StdioTokenEnv)
+			err := fmt.Errorf("SSE transport requires %s header or %s environment variable", SSETokenHeader, StdioTokenEnv)
+			glog.Errorf("Authentication failed: %v", err)
+			return "", err
 		}
+		glog.V(2).Infof("Using fallback environment variable for SSE transport")
 		return token, nil
 	default:
-		return "", fmt.Errorf("unsupported transport mode: %s", transport)
+		err := fmt.Errorf("unsupported transport mode: %s", transport)
+		glog.Errorf("Authentication failed: %v", err)
+		return "", err
 	}
 }
 
 // extractHeadersFromContext extracts HTTP headers from the context
 // This function looks for headers stored in the context by the mcp-go SSE server
 func extractHeadersFromContext(ctx context.Context) map[string]string {
-	// Check for headers stored in context by mcp-go framework
+	glog.V(2).Infof("Extracting headers from context")
+	
+	// Check for headers stored by mcp-go framework using requestHeader key
+	if headerValue := ctx.Value(requestHeader); headerValue != nil {
+		glog.V(2).Infof("Found requestHeader context value")
+		if httpHeader, ok := headerValue.(http.Header); ok {
+			headers := make(map[string]string)
+			for key, values := range httpHeader {
+				if len(values) > 0 {
+					headers[key] = values[0]
+				}
+			}
+			glog.V(2).Infof("Extracted %d headers from mcp-go context", len(headers))
+			return headers
+		} else {
+			glog.V(2).Infof("requestHeader context value is not http.Header type: %T", headerValue)
+		}
+	} else {
+		glog.V(2).Infof("No requestHeader found in context")
+	}
+
+	// Fallback: Check for headers stored as map[string]string (legacy)
 	if headers, ok := ctx.Value("headers").(map[string]string); ok {
+		glog.V(2).Infof("Found legacy headers map in context with %d entries", len(headers))
 		return headers
 	}
 
-	// Check for HTTP request in context
+	// Fallback: Check for HTTP request in context
 	if req, ok := ctx.Value("http.request").(*http.Request); ok {
 		headers := make(map[string]string)
 		for key, values := range req.Header {
 			if len(values) > 0 {
 				headers[key] = values[0]
 			}
 		}
+		glog.V(2).Infof("Extracted %d headers from http.request context", len(headers))
 		return headers
 	}
 
-	// Check for request context pattern used by some HTTP frameworks
+	// Fallback: Check for request context pattern used by some HTTP frameworks
 	if req, ok := ctx.Value("request").(*http.Request); ok {
 		headers := make(map[string]string)
 		for key, values := range req.Header {
 			if len(values) > 0 {
 				headers[key] = values[0]
 			}
 		}
+		glog.V(2).Infof("Extracted %d headers from request context", len(headers))
 		return headers
 	}
 
+	glog.V(2).Infof("No headers found in any context format")
 	return nil
 }