[EPIC][AUTH]: Streamlined Authentication Model & Secure Defaults #2555
Description
🔐 Epic: Streamlined Authentication Model & Secure Defaults
Goal
Deliver a clear, consistent authentication model across the gateway with:
- Unified authentication for Admin UI and API endpoints
- Granular controls for different authentication methods
- Secure-by-default token validation requirements
- Session management with proper access controls
The authentication model should be intuitive for operators and provide flexibility for different deployment scenarios.
Why Now?
Authentication clarity is essential for production deployments:
- Operator clarity: Clear separation between Admin UI login and API authentication
- Deployment flexibility: Different environments need different auth configurations
- Secure defaults: Production-ready settings out of the box
- Token lifecycle: Support for token revocation and expiration requirements
- Session management: Proper access controls for multi-user environments
📖 User Stories
US-1: Platform Admin - Secure defaults out of the box
As a Platform Administrator
I want secure authentication defaults enabled automatically
So that new deployments are production-ready without manual hardening
Acceptance Criteria:
Given a fresh gateway deployment
When I use default configuration
Then REQUIRE_TOKEN_EXPIRATION=true (tokens must expire)
And REQUIRE_JTI=true (tokens must have ID for revocation)
And API_ALLOW_BASIC_AUTH=false (JWT required for API)US-2: Platform Admin - Configure authentication per environment
As a Platform Administrator
I want granular control over authentication methods
So that I can configure auth appropriately for dev vs production
Acceptance Criteria:
Given API_ALLOW_BASIC_AUTH is configurable
When I set API_ALLOW_BASIC_AUTH=true in development
Then Basic auth is accepted for API endpoints
When I leave default (false) in production
Then only JWT tokens are acceptedUS-3: Operator - Understand Admin UI vs API auth
As an Operator
I want clear documentation on authentication methods
So that I know which credentials to use where
Acceptance Criteria:
Given Admin UI at /admin
When I access the login page
Then I use PLATFORM_ADMIN_EMAIL and PASSWORD
Given API endpoints
When I make authenticated requests
Then I use JWT Bearer tokensUS-4: Security Admin - Enforce token requirements
As a Security Administrator
I want to require expiration and JTI claims in tokens
So that I can enforce token lifecycle policies
Acceptance Criteria:
Given REQUIRE_TOKEN_EXPIRATION=true (default)
When a token without exp claim is presented
Then the request is rejected
Given REQUIRE_JTI=true (default)
When a token without jti claim is presented
Then the request is rejectedUS-5: User - View only my sessions
As a Regular User
I want to see only my active sessions
So that I have visibility into my own activity
Acceptance Criteria:
Given I am a regular user
When I query /reverse-proxy/sessions
Then I see only sessions I created
Given I am an admin
When I query /reverse-proxy/sessions
Then I see all active sessions✅ Acceptance Criteria (Epic)
- Secure defaults enabled out of the box
- Admin UI uses session-based email/password authentication
- API endpoints use JWT Bearer token authentication
-
API_ALLOW_BASIC_AUTHsetting controls Basic auth for API (default:false) -
REQUIRE_TOKEN_EXPIRATIONenforces exp claim (default:true) -
REQUIRE_JTIenforces jti claim for revocation (default:true) - Token revocation checks in admin middleware
- Session listings filtered by user ownership
- Proxy authentication support for reverse proxy deployments
- Documentation updated across all guides
- Test coverage for all auth scenarios
🧠 Design Notes
Authentication Methods by Endpoint
| Endpoint | Auth Method | Configuration |
|---|---|---|
/admin/* |
Session (email/password) | PLATFORM_ADMIN_EMAIL/PASSWORD |
/api/* |
JWT Bearer | JWT_SECRET_KEY |
/api/* |
Basic (optional) | API_ALLOW_BASIC_AUTH=true |
/docs |
JWT or Basic (optional) | DOCS_ALLOW_BASIC_AUTH |
Key Configuration
# Secure defaults (all enabled by default)
REQUIRE_TOKEN_EXPIRATION=true
REQUIRE_JTI=true
API_ALLOW_BASIC_AUTH=false
# Admin UI credentials
PLATFORM_ADMIN_EMAIL=admin@example.com
PLATFORM_ADMIN_PASSWORD=changeme
# Proxy authentication (for reverse proxy deployments)
TRUST_PROXY_AUTH=false
PROXY_USER_HEADER=X-Forwarded-UserMigration Notes
Tokens: Existing tokens without
jtiorexpclaims will be rejected. Generate new tokens:python -m mcpgateway.utils.create_jwt_token --username admin@example.com --exp 10080 --secret $JWT_SECRET_KEY
Basic Auth: If you use Basic auth for API access:
- (Recommended) Migrate to JWT tokens
- Set
API_ALLOW_BASIC_AUTH=trueto restore previous behavior
🧰 Implementation Checklist
- AdminAuthMiddleware with token revocation checks
- Proxy authentication support (
TRUST_PROXY_AUTH) - Session ownership filtering
-
API_ALLOW_BASIC_AUTHsetting - Token validation defaults updated
- SSO redirect validation (server-side allowlist)
- Gateway credentials scoped to local auth
- Documentation updated (25+ files)
- Test coverage added
🔗 Related
- PR feat(auth): add token revocation and proxy auth to middleware #2548: Implementation
- ADR-004: JWT and Basic Auth combination