split resource server and auth server

Signed-off-by: Jesse Sanford <108698+jessesanford@users.noreply.github.com>

Author: jessesanford

examples/servers/proxy-auth/tests/test_proxy_oauth_endpoints.py

@@ -14,6 +14,14 @@
 import httpx  # type: ignore
 import pytest  # type: ignore
 
+# Import constants at the module level
+from proxy_auth.combo_server import (
+    CLIENT_ID,
+    UPSTREAM_AUTHORIZE,
+    UPSTREAM_BASE,
+    UPSTREAM_TOKEN,
+)
+
 
 @pytest.fixture
 def proxy_server(monkeypatch):
@@ -35,23 +43,39 @@ def proxy_server(monkeypatch):
     # Stub library-level fetch_upstream_metadata to avoid network I/O.
     from mcp.server.auth.proxy import routes as proxy_routes
 
+<<<<<<< HEAD
+=======
+    # Import the module and the combo_server instance
+    from proxy_auth import combo_server
+
+>>>>>>> fbb3cb4 (fix imports)
     async def _fake_metadata() -> dict[str, Any]:  # noqa: D401
+        # Access module-level constants directly
         return {
-            "issuer": proxy_server_module.UPSTREAM_BASE,
-            "authorization_endpoint": proxy_server_module.UPSTREAM_AUTHORIZE,
-            "token_endpoint": proxy_server_module.UPSTREAM_TOKEN,
+            "issuer": UPSTREAM_BASE,
+            "authorization_endpoint": UPSTREAM_AUTHORIZE,
+            "token_endpoint": UPSTREAM_TOKEN,
             "registration_endpoint": "/register",
             "jwks_uri": "",
         }
 
+<<<<<<< HEAD
     monkeypatch.setattr(proxy_routes, "fetch_upstream_metadata", _fake_metadata, raising=True)
     return proxy_server_module
+=======
+    monkeypatch.setattr(
+        proxy_routes, "fetch_upstream_metadata", _fake_metadata, raising=True
+    )
+
+    # Return the combo_server instance
+    return combo_server
+>>>>>>> fbb3cb4 (fix imports)
 
 
 @pytest.fixture
 def app(proxy_server):
     """Return the Starlette ASGI app for tests."""
-    return proxy_server.mcp.streamable_http_app()
+    return proxy_server.streamable_http_app()
 
 
 @pytest.fixture
@@ -78,24 +102,24 @@ async def test_metadata_endpoint(client):
 
 
 @pytest.mark.anyio
-async def test_registration_endpoint(client, proxy_server):
+async def test_registration_endpoint(client):
     payload = {"redirect_uris": ["https://client.example.com/callback"]}
     r = await client.post("/register", json=payload)
     assert r.status_code == 201
     body = r.json()
-    assert body["client_id"] == proxy_server.CLIENT_ID
+    assert body["client_id"] == CLIENT_ID
     assert body["redirect_uris"] == payload["redirect_uris"]
     # client_secret may be None, but the field should exist (masked or real)
     assert "client_secret" in body
 
 
 @pytest.mark.anyio
-async def test_authorize_redirect(client, proxy_server):
+async def test_authorize_redirect(client):
     params = {
         "response_type": "code",
         "state": "xyz",
         "redirect_uri": "https://client.example.com/callback",
-        "client_id": proxy_server.CLIENT_ID,
+        "client_id": CLIENT_ID,
         "code_challenge": "testchallenge",
         "code_challenge_method": "S256",
     }
@@ -105,18 +129,22 @@ async def test_authorize_redirect(client, proxy_server):
     location = r.headers["location"]
     parsed = urllib.parse.urlparse(location)
     assert parsed.scheme.startswith("http")
+<<<<<<< HEAD
     assert parsed.netloc == urllib.parse.urlparse(proxy_server.UPSTREAM_AUTHORIZE).netloc
+=======
+    assert parsed.netloc == urllib.parse.urlparse(UPSTREAM_AUTHORIZE).netloc
+>>>>>>> fbb3cb4 (fix imports)
 
     qs = urllib.parse.parse_qs(parsed.query)
     # Proxy should inject client_id & default scope
-    assert qs["client_id"][0] == proxy_server.CLIENT_ID
+    assert qs["client_id"][0] == CLIENT_ID
     assert "scope" in qs
     # Original params preserved
     assert qs["state"][0] == "xyz"
 
 
 @pytest.mark.anyio
-async def test_revoke_proxy(client, monkeypatch, proxy_server):
+async def test_revoke_proxy(client, monkeypatch):
     original_post = httpx.AsyncClient.post
 
     async def _mock_post(self, url, data=None, timeout=10, **kwargs):  # noqa: D401
@@ -133,7 +161,7 @@ async def _mock_post(self, url, data=None, timeout=10, **kwargs):  # noqa: D401
 
 
 @pytest.mark.anyio
-async def test_token_passthrough(client, monkeypatch, proxy_server):
+async def test_token_passthrough(client, monkeypatch):
     """Ensure /token is proxied unchanged and response is returned verbatim."""
 
     # Capture outgoing POSTs made by ProxyTokenHandler
@@ -142,7 +170,7 @@ async def test_token_passthrough(client, monkeypatch, proxy_server):
     original_post = httpx.AsyncClient.post
 
     async def _mock_post(self, url, *args, **kwargs):  # noqa: D401
-        if str(url).startswith(proxy_server.UPSTREAM_TOKEN):
+        if str(url).startswith(UPSTREAM_TOKEN):
             # Record exactly what was sent upstream
             captured["url"] = str(url)
             captured["data"] = kwargs.get("data")
@@ -164,7 +192,7 @@ async def _mock_post(self, url, *args, **kwargs):  # noqa: D401
     form = {
         "grant_type": "authorization_code",
         "code": "dummy-code",
-        "client_id": proxy_server.CLIENT_ID,
+        "client_id": CLIENT_ID,
     }
     r = await client.post("/token", data=form)
 
@@ -207,7 +235,7 @@ def _fake_get_access_token():  # noqa: D401
 
     monkeypatch.setattr(auth_context, "get_access_token", _fake_get_access_token, raising=True)
 
-    result = await proxy_server.mcp.call_tool("user_info", {})
+    result = await proxy_server.call_tool("user_info", {})
 
     # call_tool returns (content_blocks, raw_result)
     if isinstance(result, tuple):

examples/servers/proxy_oauth/auth_server.py

@@ -0,0 +1,204 @@
+# pyright: reportMissingImports=false
+import logging
+import os
+import time
+
+from dotenv import load_dotenv  # type: ignore
+from mcp.server.auth.provider import AccessToken, OAuthToken
+from mcp.server.auth.providers.transparent_proxy import (
+    ProxySettings,  # type: ignore
+    TransparentOAuthProxyProvider,
+    ProxyTokenHandler,
+)
+from mcp.server.auth.routes import cors_middleware, create_auth_routes
+from mcp.server.auth.settings import ClientRegistrationOptions
+from pydantic import AnyHttpUrl
+from starlette.applications import Starlette
+from starlette.requests import Request  # type: ignore
+from starlette.responses import JSONResponse, Response
+from starlette.routing import Route
+from uvicorn import Config, Server
+
+# Load environment variables from .env if present
+load_dotenv()
+
+# Configure logging after .env so LOG_LEVEL can come from environment
+LOG_LEVEL = os.getenv("LOG_LEVEL", "INFO").upper()
+
+logging.basicConfig(
+    level=LOG_LEVEL,
+    format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
+    datefmt="%Y-%m-%d %H:%M:%S",
+)
+
+# Dedicated logger for this server module
+logger = logging.getLogger("proxy_oauth.auth_server")
+
+# Suppress noisy INFO messages from the FastMCP low-level server unless we are
+# explicitly running in DEBUG mode. These logs (e.g. "Processing request of type
+# ListToolsRequest") are helpful for debugging but clutter normal output.
+
+_mcp_lowlevel_logger = logging.getLogger("mcp.server.lowlevel.server")
+if LOG_LEVEL == "DEBUG":
+    # In full debug mode, allow the library to emit its detailed logs
+    _mcp_lowlevel_logger.setLevel(logging.DEBUG)
+else:
+    # Otherwise, only warnings and above
+    _mcp_lowlevel_logger.setLevel(logging.WARNING)
+
+# ----------------------------------------------------------------------------
+# Environment configuration
+# ----------------------------------------------------------------------------
+# Load and validate settings from the environment (uses .env automatically)
+settings = ProxySettings.load()
+
+# Upstream endpoints (fully-qualified URLs)
+UPSTREAM_AUTHORIZE: str = str(settings.upstream_authorize)
+UPSTREAM_TOKEN: str = str(settings.upstream_token)
+UPSTREAM_JWKS_URI = settings.jwks_uri
+# Derive base URL from the authorize endpoint for convenience / tests
+UPSTREAM_BASE: str = UPSTREAM_AUTHORIZE.rsplit("/", 1)[0]
+
+# Client credentials & defaults
+CLIENT_ID: str = settings.client_id or "demo-client-id"
+CLIENT_SECRET = settings.client_secret
+DEFAULT_SCOPE: str = settings.default_scope
+
+# Optional audience passthrough (not part of ProxySettings yet)
+AUDIENCE = os.getenv("PROXY_AUDIENCE")
+
+# Metadata URL (only used if we need to fetch from upstream)
+UPSTREAM_METADATA = f"{UPSTREAM_BASE}/.well-known/oauth-authorization-server"
+
+# ---------------------------------------------------------------------------
+# Logging helpers
+# ---------------------------------------------------------------------------
+
+
+def _mask_secret(secret: str | None) -> str | None:  # noqa: D401
+    """Return a masked version of the given secret.
+
+    The first and last four characters are preserved (if available) and the
+    middle section is replaced by asterisks. If the secret is shorter than
+    eight characters, the entire value is replaced by ``*``.
+    """
+
+    if not secret:
+        return None
+
+    if len(secret) <= 8:
+        return "*" * len(secret)
+
+    return f"{secret[:4]}{'*' * (len(secret) - 8)}{secret[-4:]}"
+
+
+# Consolidated configuration (with sensitive data redacted)
+_masked_settings = settings.model_dump(exclude_none=True).copy()
+
+if "client_secret" in _masked_settings:
+    _masked_settings["client_secret"] = _mask_secret(_masked_settings["client_secret"])
+
+# Log configuration at *debug* level only so it can be enabled when needed
+logger.debug("[Auth Proxy Config] %s", _masked_settings)
+
+# Server host/port
+AUTH_SERVER_PORT = int(os.getenv("AUTH_SERVER_PORT", "9000"))
+AUTH_SERVER_HOST = os.getenv("AUTH_SERVER_HOST", "localhost")
+AUTH_SERVER_URL = os.getenv(
+    "AUTH_SERVER_URL", f"http://{AUTH_SERVER_HOST}:{AUTH_SERVER_PORT}"
+)
+
+# ----------------------------------------------------------------------------
+# Auth Server
+# ----------------------------------------------------------------------------
+
+# Create auth provider
+oauth_provider = TransparentOAuthProxyProvider(settings=settings)
+
+# Enable client registration
+client_registration_options = ClientRegistrationOptions(
+    enabled=True,
+    valid_scopes=["openid"],
+    default_scopes=["openid"],
+)
+
+# Create auth routes
+routes = create_auth_routes(
+    provider=oauth_provider,
+    issuer_url=AnyHttpUrl(AUTH_SERVER_URL),
+    service_documentation_url=None,
+    client_registration_options=client_registration_options,
+    revocation_options=None,
+)
+
+# Add token endpoint handler
+# We need to replace any existing token endpoint route
+routes = [r for r in routes if not (hasattr(r, "path") and r.path == "/token")]
+
+# Create token handler and add it to routes
+proxy_token_handler = ProxyTokenHandler(oauth_provider)
+routes.append(Route("/token", endpoint=proxy_token_handler.handle, methods=["POST"]))
+
+# Add token introspection endpoint for Resource Servers
+async def introspect_handler(request: Request) -> Response:
+    """
+    Token introspection endpoint for Resource Servers.
+
+    Resource Servers call this endpoint to validate tokens without
+    needing direct access to token storage.
+    """
+    form = await request.form()
+    token = form.get("token")
+    if not token or not isinstance(token, str):
+        return JSONResponse({"active": False}, status_code=400)
+
+    # For the transparent proxy, we don't actually validate tokens
+    # Just create a dummy AccessToken like the provider does
+    access_token = AccessToken(
+        token=token, client_id=str(CLIENT_ID), scopes=[DEFAULT_SCOPE], expires_at=None
+    )
+
+    return JSONResponse(
+        {
+            "active": True,
+            "client_id": access_token.client_id,
+            "scope": " ".join(access_token.scopes),
+            "exp": access_token.expires_at,
+            "iat": int(time.time()),
+            "token_type": "Bearer",
+            "aud": access_token.resource,  # RFC 8707 audience claim
+        }
+    )
+
+
+routes.append(
+    Route(
+        "/introspect",
+        endpoint=cors_middleware(introspect_handler, ["POST", "OPTIONS"]),
+        methods=["POST", "OPTIONS"],
+    )
+)
+
+# Create Starlette app with routes
+auth_app = Starlette(routes=routes)
+
+
+async def run_server():
+    """Run the Authorization Server."""
+    config = Config(
+        auth_app,
+        host=AUTH_SERVER_HOST,
+        port=AUTH_SERVER_PORT,
+        log_level="info",
+    )
+    server = Server(config)
+
+    logger.info(f"🚀 MCP Authorization Server running on {AUTH_SERVER_URL}")
+
+    await server.serve()
+
+
+if __name__ == "__main__":
+    import asyncio
+
+    asyncio.run(run_server())