
feat(auth): add reusable OAuth2 base helper library#3198

Open
crivetimihai wants to merge 1 commit into main from issue#1434

Conversation

@crivetimihai
Member

Note: This PR was re-created from #2858 due to repository maintenance. Your code and branch are intact. @LOVECAO1011 please verify everything looks good.

Introduce a canonical OAuth2/OIDC helper module for token validation, claims extraction, metadata discovery, token exchange/refresh, and scope operations so auth plugins can share consistent protocol logic. Add focused unit coverage for the new helper APIs and RFC-oriented behaviors.

🔗 Related Issue

Closes #


📝 Summary

  • mcpgateway/oauth2/base.py
      • validate_token() with JWKS JWT verification and introspection fallback
      • extract_claims() canonical claim mapping
      • discover_authorization_server_metadata() (RFC 8414)
      • discover_oidc_metadata() (OIDC discovery)
      • discover_protected_resource_metadata() (RFC 9728)
      • exchange_token() (RFC 8693)
      • refresh_token() (RFC 6749)
      • scope normalization/modification utilities
      • authorization URL builder with resource indicators (RFC 8707)
  • mcpgateway/oauth2/models.py typed request/response config models
  • mcpgateway/oauth2/exceptions.py unified OAuth2 error types
  • mcpgateway/oauth2/__init__.py public exports
  • tests/unit/mcpgateway/oauth2/test_base.py focused unit tests for helper APIs and error paths

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check            Command         Status
Lint suite       make lint
Unit tests       make test
Coverage ≥ 80%   make coverage

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • [x] Tests added/updated for changes
  • Documentation updated (if applicable)
  • [x] No secrets or credentials committed

📓 Notes (optional)

This PR delivers the OAuth2 base helper layer requested by #1434 and is designed to be consumed by plugin/auth flows in the #1422 epic.

  • It is additive and does not remove existing OAuth manager/DCR behavior.

Introduce a canonical OAuth2/OIDC helper module for token validation, claims extraction, metadata discovery, token exchange/refresh, and scope operations so auth plugins can share consistent protocol logic. Add focused unit coverage for the new helper APIs and RFC-oriented behaviors.

Co-authored-by: Cursor <cursoragent@cursor.com>
Signed-off-by: hany1 <hany1@tcd.ie>
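The PR summary lists metadata discovery (RFC 8414, OIDC Discovery, RFC 9728), scope utilities and an RFC 8707 authorization URL builder but shows none of the code. The block below is an added illustration written for this write-up, not the project's mcpgateway/oauth2/base.py, and every function name in it (authorization_server_metadata_url, oidc_metadata_url, protected_resource_metadata_url, normalize_scope, scope_is_subset, build_authorization_url) is an assumption. It shows the one detail in this area that is most often got wrong: RFC 8414 and RFC 9728 insert the well-known string between host and path, whereas OIDC Discovery appends it to the issuer, so a path-bearing issuer yields two different URLs.

```python
"""Added example: well-known URL derivation (RFC 8414 / OIDC Discovery /
RFC 9728), RFC 6749 scope normalization and an RFC 8707 authorization URL
builder. Illustrative code for this write-up, not the project's
mcpgateway/oauth2/base.py; all function names are assumptions."""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

AS_WELL_KNOWN = "/.well-known/oauth-authorization-server"   # RFC 8414 sec. 3
OIDC_WELL_KNOWN = "/.well-known/openid-configuration"       # OIDC Discovery 1.0 sec. 4
PR_WELL_KNOWN = "/.well-known/oauth-protected-resource"     # RFC 9728 sec. 3.1


def checked_identifier(url: str, kind: str):
    """Issuer and resource identifiers must be https URLs with a host and
    no query or fragment (RFC 8414 sec. 2, RFC 9728 sec. 2)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"{kind} must be an absolute https URL: {url!r}")
    if parts.query or parts.fragment:
        raise ValueError(f"{kind} must not carry query or fragment: {url!r}")
    return parts


def insert_well_known(url: str, well_known: str, kind: str) -> str:
    # RFC 8414 / RFC 9728: insert the well-known string between host and
    # path, so https://example.com/issuer1 becomes
    # https://example.com/.well-known/oauth-authorization-server/issuer1
    parts = checked_identifier(url, kind)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, well_known + path, "", ""))


def authorization_server_metadata_url(issuer: str) -> str:
    return insert_well_known(issuer, AS_WELL_KNOWN, "issuer")


def protected_resource_metadata_url(resource: str) -> str:
    return insert_well_known(resource, PR_WELL_KNOWN, "resource")


def oidc_metadata_url(issuer: str) -> str:
    # OIDC Discovery appends instead of inserting; confusing the two
    # conventions yields a 404 from any issuer that carries a path.
    parts = checked_identifier(issuer, "issuer")
    return urlunsplit((parts.scheme, parts.netloc,
                       parts.path.rstrip("/") + OIDC_WELL_KNOWN, "", ""))


def is_scope_token(token: str) -> bool:
    # RFC 6749 sec. 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
    # i.e. printable ASCII without space, double quote or backslash.
    return bool(token) and all(
        c == "!" or "#" <= c <= "[" or "]" <= c <= "~" for c in token)


def normalize_scope(scope) -> str:
    """Accept a space-delimited string or an iterable of strings, validate
    each token, drop duplicates (first occurrence wins) and return the
    canonical space-delimited form."""
    raw = scope.split() if isinstance(scope, str) else [
        t for item in scope for t in item.split()]
    ordered = {}
    for token in raw:
        if not is_scope_token(token):
            raise ValueError(f"invalid scope token: {token!r}")
        ordered.setdefault(token, None)
    return " ".join(ordered)


def scope_is_subset(requested, granted) -> bool:
    """True when every requested scope was granted; the check a caller wants
    after an RFC 8693 exchange or RFC 6749 refresh that may downscope."""
    return set(normalize_scope(requested).split()) <= set(
        normalize_scope(granted).split())


def build_authorization_url(authorization_endpoint: str, client_id: str,
                            redirect_uri: str, scope, state: str,
                            resources=()) -> str:
    """Authorization-code request with RFC 8707 resource indicators. The
    endpoint's existing query string is preserved (RFC 6749 sec. 3.1)."""
    ep = urlsplit(authorization_endpoint)
    if ep.scheme != "https" or ep.fragment:
        raise ValueError("authorization endpoint must be https without fragment")
    params = list(parse_qsl(ep.query, keep_blank_values=True))
    params += [("response_type", "code"), ("client_id", client_id),
               ("redirect_uri", redirect_uri), ("state", state)]
    normalized = normalize_scope(scope)
    if normalized:
        params.append(("scope", normalized))
    for resource in resources:
        rp = urlsplit(resource)
        # RFC 8707 sec. 2: absolute URI, no fragment, may be repeated.
        if not rp.scheme or rp.fragment:
            raise ValueError(f"invalid resource indicator: {resource!r}")
        params.append(("resource", resource))
    return urlunsplit((ep.scheme, ep.netloc, ep.path, urlencode(params), ""))


def authorization_params(url: str) -> dict:
    """Decode the query of a built URL back into {name: [values]}."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample identifiers; not real deployments.
    print(authorization_server_metadata_url("https://auth.example.com/tenant-a"))
    print(oidc_metadata_url("https://auth.example.com/tenant-a"))
    print(build_authorization_url(
        "https://auth.example.com/authorize?audience=x", "client-123",
        "https://app.example.com/cb", "openid mcp:tools openid", "s7",
        resources=["https://mcp.example.com/", "https://api.example.com/v1"]))
```

The identifier checks reject http issuers and anything with a query or fragment before a URL is derived; a helper that skips them will happily fetch metadata from an attacker-influenced issuer string. Repeating `resource` rather than joining values is what RFC 8707 expects, and `scope_is_subset` is the post-exchange check that catches a server silently granting fewer scopes than requested.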
@crivetimihai crivetimihai added this to the Release 1.0.0-GA milestone Feb 24, 2026
@crivetimihai crivetimihai added enhancement New feature or request SHOULD P2: Important but not vital; high-value items that are not crucial for the immediate release labels Feb 24, 2026