Skip to content

[CHORE][AUTH]: Add sso_entra_admin_groups to _parse_list_from_env validator #2265

Closed
Feature
#2269
Closed
[CHORE][AUTH]: Add sso_entra_admin_groups to _parse_list_from_env validator#2265
Feature
#2269
Assignees
Lang-Akshay
Labels
MUSTP1: Non-negotiable, critical requirements without which the product is non-functional or unsafeenhancementNew feature or requestpythonPython / backend development (FastAPI)securityImproves security
Milestone
Release 1.0.0-RC1
@jonpspri

Description

@jonpspri
jonpspri
opened on Jan 21, 2026

Summary

The sso_entra_admin_groups setting in mcpgateway/config.py uses Annotated[list[str], NoDecode()] but is not included in the _parse_list_from_env field validator.

Details

All other list[str] settings with NoDecode are validated by _parse_list_from_env (line 1530):

  • sso_trusted_domains
  • sso_auto_admin_domains
  • sso_github_admin_orgs
  • sso_google_admin_domains
  • insecure_queryparam_auth_allowed_hosts

But sso_entra_admin_groups (line 259) is missing from this validator, despite using the same type annotation and description format ("CSV/JSON").

Fix

Add "sso_entra_admin_groups" to the @field_validator decorator at line 1530:

@field_validator(
    "sso_entra_admin_groups",  # Add this line
    "sso_trusted_domains",
    "sso_auto_admin_domains",
    "sso_github_admin_orgs",
    "sso_google_admin_domains",
    "insecure_queryparam_auth_allowed_hosts",
    mode="before",
)

Impact

Without this validator, environment variable values for SSO_ENTRA_ADMIN_GROUPS may not be properly parsed from CSV or JSON format strings.

Metadata

Metadata

Assignees

Labels

MUSTP1: Non-negotiable, critical requirements without which the product is non-functional or unsafeenhancementNew feature or requestpythonPython / backend development (FastAPI)securityImproves security

Type

Feature

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions