fix(mcp): suppress AuthlibDeprecationWarning from authlib.jose imports #40977

Open
eschutho wants to merge 2 commits into apache:master from eschutho:fix/authlib-jose-deprecation-warning

@eschutho eschutho commented Jun 11, 2026

What's the problem?

authlib 1.3+ marks authlib.jose as deprecated and emits AuthlibDeprecationWarning (configured as "always") every time authlib.jose is first imported per process. fastmcp (the MCP transport) imports authlib.jose during its own startup, so every Superset MCP worker logs this on boot, polluting Datadog.

Root cause

The warning fires when fastmcp/server/auth/providers/jwt.py runs from authlib.jose import JsonWebKey, JsonWebToken. This happens during the import of superset.mcp_service.jwt_verifier (which imports fastmcp). Any warnings.catch_warnings() block placed in jwt_verifier.py or mcp_config.py after their fastmcp imports is a no-op — authlib.jose is already in sys.modules.

Fix

A single warnings.filterwarnings() call in superset/mcp_service/__init__.py. Python always runs package __init__.py before any submodule import, so the filter is active before fastmcp triggers authlib.jose. This covers both the production server path (server.py → jwt_verifier.py → fastmcp) and direct test imports.

Also adds authlib to _suppress_third_party_warnings() in server.py for defense in depth.

Why not migrate to joserfc.errors?
fastmcp's jwt.decode() raises authlib.jose.errors.*. Changing our catch clauses to joserfc.errors.* would silently stop catching real JWT signature/expiry errors until fastmcp migrates. The current error classes are correct.

Files changed

  • superset/mcp_service/__init__.py — module-level filterwarnings before any submodule import fires
  • superset/mcp_service/server.py — adds authlib to _suppress_third_party_warnings() for defense in depth
  • superset/mcp_service/jwt_verifier.py — restores normal import position (filter now handled by __init__.py)
  • superset/mcp_service/mcp_config.py — same
  • tests/unit_tests/mcp_service/test_jwt_verifier.py — same

No behavior change

Warning suppression only. Exception handling is identical to before.

Test plan

  • pytest tests/unit_tests/mcp_service/test_jwt_verifier.py — all existing tests pass
  • Confirm AuthlibDeprecationWarning is not emitted on MCP service startup
  • mypy, ruff, pylint all pass (confirmed via pre-commit)
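
The import-order behaviour described under "Root cause" and "Fix" above, as an added example that is not part of this PR or of Superset's code. `legacy_jose` and `transport` are constructed stand-ins for authlib.jose and fastmcp, and `svc_late` / `svc_early` are hypothetical packages written to a temporary directory.

```python
import importlib
import sys
import tempfile
import textwrap
import warnings
from pathlib import Path

# Constructed stand-ins: legacy_jose ~ authlib.jose, transport ~ fastmcp.
FILES = {
    "legacy_jose.py": """
        import warnings
        warnings.warn("legacy_jose module is deprecated", DeprecationWarning)
    """,
    "transport.py": "import legacy_jose\n",
    # Layout A (hypothetical): filter applied after transport was imported.
    "svc_late/__init__.py": "",
    "svc_late/verifier.py": """
        import transport, warnings
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            import legacy_jose  # cached in sys.modules, body does not re-run
    """,
    # Layout B (hypothetical): filter installed by the package __init__.
    "svc_early/__init__.py": """
        import warnings
        warnings.filterwarnings("ignore", message="legacy_jose module is deprecated")
    """,
    "svc_early/verifier.py": "import transport\n",
}
STAND_INS = {"legacy_jose", "transport", "svc_late", "svc_early"}

def warnings_on_import(module_name: str) -> list[str]:
    """Import module_name with a clean module cache; return deprecation messages."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in FILES.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(textwrap.dedent(body))
        for name in [m for m in sys.modules if m.split(".")[0] in STAND_INS]:
            del sys.modules[name]
        sys.path.insert(0, root)
        importlib.invalidate_caches()
        try:
            with warnings.catch_warnings(record=True) as seen:
                warnings.simplefilter("always")  # mirrors the "always" setting
                importlib.import_module(module_name)
        finally:
            sys.path.remove(root)
    return [str(w.message) for w in seen if issubclass(w.category, DeprecationWarning)]
```

Importing `svc_late.verifier` still surfaces the warning, because it fired inside `transport` before the `catch_warnings()` block was entered; importing `svc_early.verifier` surfaces none.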

authlib.jose is deprecated in favor of joserfc, but fastmcp (a hard
dependency of the MCP service) still imports authlib.jose internally.
We cannot migrate the caught error classes to joserfc.errors because the
exceptions raised by fastmcp's jwt.decode() are authlib.jose.errors.*,
not joserfc.errors.* — swapping the catch clauses would silently stop
catching real JWT errors.

Wraps each `from authlib.jose.errors import ...` in
`warnings.catch_warnings()` so the AuthlibDeprecationWarning that fires
on first import (authlib 1.3+) is suppressed at the callsite where we
trigger it. Once fastmcp migrates to joserfc the workaround can be
removed and the imports replaced with joserfc equivalents.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

bito-code-review Bot commented Jun 11, 2026

Code Review Agent Run #40526e

Actionable Suggestions - 0
Review Details
  • Files reviewed - 3 · Commit Range: 4d8c3fa..4d8c3fa
    • superset/mcp_service/jwt_verifier.py
    • superset/mcp_service/mcp_config.py
    • tests/unit_tests/mcp_service/test_jwt_verifier.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

  • /review - Manually triggers a full AI review.

  • /pause - Pauses automatic reviews on this pull request.

  • /resume - Resumes automatic reviews.

  • /resolve - Marks all Bito-posted review comments as resolved.

  • /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Superset. You can customize the agent settings here or contact your Bito workspace admin at evan@preset.io.

@eschutho eschutho requested a review from aminghadersohi June 11, 2026 16:12

netlify Bot commented Jun 11, 2026

Deploy Preview for superset-docs-preview ready!

Name Link
🔨 Latest commit 4d8c3fa
🔍 Latest deploy log https://app.netlify.com/projects/superset-docs-preview/deploys/6a2ade000c860b00081d4f7e
😎 Deploy Preview https://deploy-preview-40977--superset-docs-preview.netlify.app

codecov Bot commented Jun 11, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 64.29%. Comparing base (046b1b6) to head (871c6db).
⚠️ Report is 11 commits behind head on master.

Files with missing lines Patch % Lines
superset/mcp_service/server.py 0.00% 1 Missing ⚠️

❌ Your project check has failed because the head coverage (99.95%) is below the target coverage (100.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #40977      +/-   ##
==========================================
- Coverage   64.29%   64.29%   -0.01%     
==========================================
  Files        2657     2657              
  Lines      144027   144061      +34     
  Branches    33207    33215       +8     
==========================================
+ Hits        92604    92622      +18     
- Misses      49803    49815      +12     
- Partials     1620     1624       +4     
Flag Coverage Δ
hive 39.44% <66.66%> (-0.02%) ⬇️
mysql 58.19% <66.66%> (+<0.01%) ⬆️
postgres 58.25% <66.66%> (+<0.01%) ⬆️
presto 41.03% <66.66%> (-0.02%) ⬇️
python 59.73% <66.66%> (-0.01%) ⬇️
sqlite 57.88% <66.66%> (+<0.01%) ⬆️
unit 100.00% <ø> (ø)

authlib 1.3+ emits AuthlibDeprecationWarning (configured as "always")
when authlib.jose is first imported. The warning fires from fastmcp's
own authlib.jose import — not from the superset.mcp_service files — so
wrapping our error-class imports in catch_warnings() was a no-op.

The correct fix is a module-level warnings.filterwarnings() call in
superset/mcp_service/__init__.py, which Python always runs before any
submodule import. This ensures the filter is active before fastmcp
triggers the authlib.jose import in both the production server path and
test imports.

Also adds authlib to _suppress_third_party_warnings() in server.py for
defense in depth (covers any late authlib.jose imports during tool
execution).

The error classes remain from authlib.jose.errors — not joserfc.errors —
because fastmcp's jwt.decode() raises authlib.jose.errors.* subclasses.
Migrating the exception catch clauses to joserfc would silently stop
catching real JWT errors until fastmcp itself migrates.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@pull-request-size pull-request-size Bot added size/S and removed size/M labels Jun 11, 2026

bito-code-review Bot commented Jun 11, 2026

Code Review Agent Run #d373e7

Actionable Suggestions - 0
Additional Suggestions - 2
  • superset/mcp_service/__init__.py - 1
    • Duplicate filterwarnings call · Line 45-48
      The same `warnings.filterwarnings` call for the `authlib.jose` deprecation warning is duplicated in `server.py` lines 81-84. While `server.py` comment (line 78-80) explains the belt-and-suspenders intent for late imports, maintaining identical filter patterns in two locations creates maintenance risk — if the pattern needs adjustment, both must be updated. Consider extracting the pattern to a shared constant.
  • superset/mcp_service/server.py - 1
    • Missing test for authlib filter · Line 78-84
      The new authlib.jose warning filter at lines 78-84 is not covered by the existing `test_suppress_third_party_warnings` test. Per rule [11731], new MCP features should include unit tests covering their behavior. Add a filter assertion similar to the marshmallow/google checks already present.
      Code suggestion
      --- a/tests/unit_tests/mcp_service/test_mcp_server.py
      +++ b/tests/unit_tests/mcp_service/test_mcp_server.py
       @@ -141,6 +141,16 @@ def test_suppress_third_party_warnings():
                and f[3].pattern == r"google\\..*"
            ]
            assert len(google_filters) >= 1, "Expected google FutureWarning filter"
      +
      +    # Verify authlib.jose deprecation warning filter is installed
      +    authlib_filters = [
      +        f
      +        for f in warnings.filters
      +        if f[0] == "ignore"
      +        and isinstance(f[1], re.Pattern)
      +        and f[1].pattern == r"authlib\\.jose module is deprecated"
      +    ]
      +    assert len(authlib_filters) >= 1, "Expected authlib.jose deprecation warning filter"
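
Review bot: The final assertion, `len(authlib_filters) >= 1`, cannot tell which call installed the filter. The same `warnings.filterwarnings` call is reported above as also living in `superset/mcp_service/__init__.py`, so this check can pass even with the `server.py` addition removed. Run the check inside `warnings.catch_warnings()` with the filter list cleared before calling `_suppress_third_party_warnings()`, so only filters added by that call are counted. The comparison `f[1].pattern == r"authlib\\.jose module is deprecated"` is also brittle: in a raw string `\\.` is two backslashes, so it holds only if `server.py` registers the pattern with exactly that spelling. Comparing against a shared constant avoids retyping the pattern, and checking `f[2]` would pin the warning category as well.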
Review Details
  • Files reviewed - 5 · Commit Range: 4d8c3fa..871c6db
    • superset/mcp_service/__init__.py
    • superset/mcp_service/jwt_verifier.py
    • superset/mcp_service/mcp_config.py
    • superset/mcp_service/server.py
    • tests/unit_tests/mcp_service/test_jwt_verifier.py
  • Files skipped - 0
  • Tools
    • Whispers (Secret Scanner) - ✔︎ Successful
    • Detect-secrets (Secret Scanner) - ✔︎ Successful
    • MyPy (Static Code Analysis) - ✔︎ Successful
    • Astral Ruff (Static Code Analysis) - ✔︎ Successful
