
Align SSO service teams claim format with /tokens and /auth/login #2252

Merged
crivetimihai merged 1 commit into main from update-teams-sso-token
Jan 25, 2026

Collaborator

@madhav165 madhav165 commented Jan 20, 2026

🐛 Bug-fix PR

Closes #2233


📌 Summary

It is a simple change to treat teams in the token claim format as a list of team_ids instead of dicts.

Token reading code at the following places is backward compatible to handle dict format for teams.

  • mcpgateway/auth.py:183-185
  • mcpgateway/main.py:286-310
  • mcpgateway/middleware/token_scoping.py:124-126

🧪 Verification

| Check | Command | Status |
|---|---|---|
| Lint suite | make lint | pass |
| Unit tests | make test | pass |

📐 MCP Compliance (if relevant)

  • Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed

@madhav165 madhav165 changed the title from "gh pr create" to "Align SSO service teams claim format with /tokens and /auth/login" Jan 20, 2026
@madhav165 madhav165 marked this pull request as draft January 20, 2026 15:32
@madhav165 madhav165 marked this pull request as ready for review January 20, 2026 15:36
@madhav165 madhav165 force-pushed the update-teams-sso-token branch from a484d26 to fb37c95 January 21, 2026 07:55
@crivetimihai crivetimihai added this to the Release 1.0.0-RC1 milestone Jan 21, 2026
@madhav165 madhav165 force-pushed the update-teams-sso-token branch 2 times, most recently from 6fb72fc to 4e774ce January 24, 2026 10:57
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
@crivetimihai crivetimihai force-pushed the update-teams-sso-token branch from 4e774ce to 29f4143 January 25, 2026 00:02
@crivetimihai
Member

Review Summary

Rebased onto main (6076770) - no conflicts.

✅ Code Review - Approved

The change correctly aligns the SSO service token teams claim format with /auth/login (email_auth.py:191):

```python
# Before (dict format)
token_data["teams"] = [{"id": team.id, "name": team.name, ...} for team in teams]

# After (ID-only format)
token_data["teams"] = [team.id for team in teams]
```

Key findings:

  1. Format consistency - Now matches /auth/login which uses [t["id"] for t in safe_teams if t.get("id")]

  2. Namespace fix - The PR also fixes a bug in namespace generation:

    • Before: namespaces.extend([f"team:{team['slug']}" for team in token_data["teams"]]) - accessing dict key from already-converted list
    • After: namespaces.extend([f"team:{team.slug}" for team in teams]) - correctly uses team objects
  3. Backward compatibility - Token readers at auth.py:183-185, main.py:287-324, and token_scoping.py:124-126 already handle both formats via _normalize_token_teams()

  4. Security - No issues. Smaller JWT payload (IDs only vs full objects).

  5. Performance - Smaller token size = faster encoding/decoding.

Tests

  • SSO tests: 79 passed ✅
  • Token/auth tests: 966 passed ✅
  • E2E tests: passed ✅

Note for Future

There's a pre-existing behavioral difference (outside this PR's scope): SSO admin tokens include the teams key while email auth admin tokens omit it. This affects admin bypass logic (is_admin and token_teams is None). Consider filing a follow-up issue if this needs alignment.
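
An added example, not part of the PR or the project's code: a reader that accepts both teams claim formats discussed above and keeps "claim absent" (None) distinct from "empty list", which is what the quoted bypass condition `is_admin and token_teams is None` depends on. The function names, the top-level `is_admin` claim, treating an explicit null as absent, and the sample payloads are assumptions made for illustration.

```python
from typing import Any, Optional


def normalize_teams_claim(payload: dict[str, Any]) -> Optional[list[str]]:
    """Return team IDs from a decoded JWT payload, or None if the claim is absent.

    Hypothetical helper: accepts the older list-of-dicts format and the
    newer list-of-IDs format.
    """
    # Assumption: an explicit null is treated the same as a missing key.
    if payload.get("teams") is None:
        return None  # absent claim is not the same as "member of no teams"
    raw = payload["teams"]
    if not isinstance(raw, list):
        raise ValueError("teams claim must be a list")
    ids: list[str] = []
    for entry in raw:
        if isinstance(entry, dict):
            team_id = entry.get("id")
            if team_id:  # skip dict entries without a usable id
                ids.append(str(team_id))
        elif isinstance(entry, str) and entry:
            ids.append(entry)
        else:
            # Fail closed on anything that is neither a dict nor an ID string.
            raise ValueError(f"unsupported teams entry: {entry!r}")
    return ids


def admin_bypass(payload: dict[str, Any]) -> bool:
    """Condition quoted in the review: is_admin and token_teams is None."""
    return bool(payload.get("is_admin")) and normalize_teams_claim(payload) is None


# Constructed sample payloads (not real tokens).
OLD_FORMAT = {"sub": "a@example.com", "teams": [{"id": "t1", "name": "Ops"}, {"id": "t2", "name": "Dev"}]}
NEW_FORMAT = {"sub": "a@example.com", "teams": ["t1", "t2"]}
ADMIN_NO_TEAMS_KEY = {"sub": "root@example.com", "is_admin": True}
ADMIN_WITH_TEAMS_KEY = {"sub": "root@example.com", "is_admin": True, "teams": []}

if __name__ == "__main__":
    for p in (OLD_FORMAT, NEW_FORMAT, ADMIN_NO_TEAMS_KEY, ADMIN_WITH_TEAMS_KEY):
        print(normalize_teams_claim(p), admin_bypass(p))
```

With these samples, the two admin payloads differ only in whether the `teams` key is present, and only the one without the key satisfies the quoted condition.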

@crivetimihai crivetimihai merged commit 75e2460 into main Jan 25, 2026
53 checks passed
@crivetimihai crivetimihai deleted the update-teams-sso-token branch January 25, 2026 00:39
kcostell06 pushed a commit to kcostell06/mcp-context-forge that referenced this pull request Feb 24, 2026
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
Development

Successfully merging this pull request may close these issues.

[CHORE][AUTH]: Align SSO service teams claim format with /tokens and /auth/login
