
Fixed inconsistent teams claim structure in Auth tokens#2191

Merged: crivetimihai merged 2 commits into main from 1486_token_teams_consistency on Jan 20, 2026

Conversation

@kevalmahajan (Member) commented Jan 19, 2026

🐛 Bug-fix PR

📌 Summary

Closes #1486 (Details: #1486 (comment))

Refactored the /auth/login token generation to align the teams claim structure with the /tokens endpoint. Previously, login tokens returned teams as a list of dictionaries, while API tokens returned them as a list of strings (IDs). This change ensures consistency across all token types by standardizing on a list of team IDs.

🔁 Reproduction Steps

  1. Generate an API token via POST /tokens. Inspect the JWT: teams is ["team_id_1", "team_id_2"].
  2. Login via POST /auth/login. Inspect the JWT: teams was [{"id": ..., "name": ...}].
  3. Note the schema mismatch and potential ValueError when the code attempted to cast UUID team IDs to integers during login token creation.

🐞 Root Cause

Two issues were identified in mcpgateway/routers/email_auth.py within create_access_token:

  1. Structure Mismatch: The code assigned the full safe_teams list of dictionaries to the teams claim, instead of just extracting the IDs.
  2. Type Error: The code attempted to cast team.id (a UUID string) to an int, which is invalid for UUID keys.

💡 Fix Description

Modified mcpgateway/routers/email_auth.py:

  1. UUID Support: Changed the safe_teams mapping to cast id to str() instead of int().
  2. Claim Standardization: Updated the teams payload assignment to extract only the IDs ([t["id"] for t in safe_teams]), matching the format used in TokenCatalogService.

🧪 Verification

| Check | Command | Status |
| --- | --- | --- |
| Lint suite | `make lint` | |
| Unit tests | `make test` | |
| Coverage ≥ 90 % | `make coverage` | |
| Manual regression | no longer fails steps / screenshots | |

📐 MCP Compliance (if relevant)

  • Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed

@crivetimihai crivetimihai self-assigned this Jan 19, 2026
kevalmahajan and others added 2 commits January 20, 2026 11:42
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
Add tests to verify that login tokens emit teams as List[str] (team IDs
only) to match /tokens behavior. This prevents regression of issue #1486
where UUID team IDs were incorrectly cast to int.

Tests added:
- test_create_access_token_teams_are_list_of_strings
- test_create_access_token_admin_omits_teams

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the 1486_token_teams_consistency branch from 1957d73 to 87a5691 on January 20, 2026 12:18

@crivetimihai (Member) commented Jan 20, 2026

Review Notes

The fix is correct and tests pass. Added a regression test to prevent this issue from recurring.

Follow-up Recommendation

For full consistency, mcpgateway/services/sso_service.py:892 should also be updated to use the same format:

```python
# Current (dict format):
token_data["teams"] = [{"id": team.id, "name": team.name, "slug": team.slug, ...} for team in teams]

# Recommended (string IDs only, matching /tokens and /auth/login):
token_data["teams"] = [team.id for team in teams]
```

This isn't blocking because:

  1. _normalize_token_teams() in main.py handles both formats
  2. get_team_from_token() in auth.py has fallback logic for dict format
  3. The namespaces claim is computed before the teams format conversion

Consider addressing this in a separate PR for complete alignment across all token generation paths.

Created: Align SSO service teams claim format with /tokens and /auth/login #2233
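The two points discussed in this thread, the PR's fix (cast team ids to `str`, emit only the ids in the `teams` claim) and the review note that consumers such as `_normalize_token_teams()` must still tolerate the older list-of-dict form until the SSO path is aligned, as one added example. This is illustrative code written for this page, not code from the mcp-context-forge project; the `Team` dataclass, the function names and the UUID values are constructed stand-ins, and the "admins omit the claim" behaviour is assumed from the regression test name only.

```python
"""Constructed example: building and normalizing a JWT ``teams`` claim."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Union


@dataclass
class Team:
    # Hypothetical stand-in for the gateway's team model (constructed).
    id: str    # UUID string, not an integer key
    name: str
    slug: str


def safe_team_ids_buggy(teams: List[Team]) -> List[int]:
    """Pre-fix mapping: casting a UUID string to int raises ValueError."""
    return [int(t.id) for t in teams]


def buggy_mapping_raises(teams: List[Team]) -> bool:
    """Returns True when the old int() cast fails on the given teams."""
    try:
        safe_team_ids_buggy(teams)
    except ValueError:
        return True
    return False


def build_login_claims(email: str, teams: List[Team], is_admin: bool = False) -> Dict[str, Any]:
    """Post-fix shape for a login token: ``teams`` is a list of string IDs.

    Mirrors the PR: ids are cast with str(), then only the ids are extracted,
    matching the /tokens endpoint. Omitting the claim for admins is assumed.
    """
    safe_teams = [{"id": str(t.id), "name": t.name, "slug": t.slug} for t in teams]
    claims: Dict[str, Any] = {"sub": email}
    if not is_admin:
        claims["teams"] = [t["id"] for t in safe_teams]
    return claims


TeamEntry = Union[str, Dict[str, Any]]


def normalize_token_teams(raw: Optional[List[TeamEntry]]) -> List[str]:
    """Accept both the legacy list-of-dict form and the list-of-str form.

    Returns team-id strings only. Entries without a usable string id are
    dropped rather than guessed, so a malformed claim never widens access.
    """
    if not raw:
        return []
    ids: List[str] = []
    for entry in raw:
        if isinstance(entry, str):
            team_id: Any = entry
        elif isinstance(entry, dict):
            team_id = entry.get("id")
        else:
            continue
        if isinstance(team_id, str) and team_id:
            ids.append(team_id)
    return ids


def is_member_of(claims: Dict[str, Any], team_id: str) -> bool:
    """Authorization check that works for either claim format."""
    return team_id in normalize_token_teams(claims.get("teams"))


if __name__ == "__main__":
    alpha = Team("3f2a9c1e-7b4d-4e21-9a0c-1d2e3f4a5b6c", "alpha", "alpha")  # constructed
    beta = Team("9b1c0d2e-3f4a-4b5c-8d6e-7f8091a2b3c4", "beta", "beta")      # constructed
    print("old int() cast fails:", buggy_mapping_raises([alpha, beta]))
    login = build_login_claims("user@example.com", [alpha, beta])
    sso_style = {"sub": "user@example.com", "teams": [{"id": alpha.id, "name": "alpha", "slug": "alpha"}]}
    print("login claim:", login["teams"])
    print("normalized dict form:", normalize_token_teams(sso_style["teams"]))
    print("member of alpha via both:", is_member_of(login, alpha.id), is_member_of(sso_style, alpha.id))
```

The normalizer is deliberately strict: a non-string `id`, an empty string or an unknown entry type yields nothing, so a token whose `teams` claim is malformed simply grants no team scope instead of being misread.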

@crivetimihai crivetimihai merged commit 6af282a into main Jan 20, 2026
51 checks passed
@crivetimihai crivetimihai deleted the 1486_token_teams_consistency branch January 20, 2026 13:01
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
* token generation consistency

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>

* test: Add regression test for teams claim format in login tokens

Add tests to verify that login tokens emit teams as List[str] (team IDs
only) to match /tokens behavior. This prevents regression of issue IBM#1486
where UUID team IDs were incorrectly cast to int.

Tests added:
- test_create_access_token_teams_are_list_of_strings
- test_create_access_token_admin_omits_teams

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Development

Successfully merging this pull request may close these issues.

[BUG][AUTH]: team_id from token can be a dict

2 participants