Add audience-bound OAuth user JWT auth strategy (RFC 8707) on run +…#3381
Merged
* [US-001] enable DCR + validAudiences on better-auth oauthProvider
* [US-002] finalize run-domain OAuth user JWT strategy with tests
* [US-003] mirror audience-bound OAuth user JWT strategy onto manageAuth
* fixup! local-review: address findings (pass 1)
* feat(agents-api): expose /mcp as an OAuth 2.1 resource server (RFC 9728)
* fix(agents-api): accept base, base/ and /mcp resource indicators for MCP OAuth
* fix(agents-api): populate MCP tool display titles from operation summaries
* feat(agents-api): curate and harden the /mcp management server

  167-tool golden-path allowlist (default-deny), server instructions, tool description examples, and OAuth-session tenantId binding.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(agents-api): authorize org-level permissions for OAuth JWT principals

  requirePermission now authorizes from the resolved org role via the shared access-control definitions instead of a better-auth session lookup, so project create/delete works for MCP/OAuth callers; authz denials map to 403.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* feat(agents-manage-ui): add Management MCP Server card to settings; improve OAuth consent UX

  Settings card with one-click 'Add to Cursor/VS Code' + manual config for the OAuth /mcp server; consent page resolves the client name and handles native-app (custom-scheme) redirect completion.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* docs(mcp): tool-curation allowlist, tool inventory, and consolidation research

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(agents-api): address PR review findings on /mcp server

  Consolidate SDK-internal accessors into mcpServerInternals; capture oauthClientId into request context + OTEL span; log tenant-bind and missing-claim cases; document the intentional non-JWT bearer fall-through.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(agents-api): harden /mcp tenant binding and align OAuth claim handling

  Make bindTenantId fail-closed (injection decoupled from schema-drop, returns counts; route warns on shortfall); reject verified JWTs missing the tenant claim; align runAuth claim extraction to typeof guards; narrow the SDK constructor cast; document the resource/AS audience invariant. Adds tests for the bypass paths, missing-claim challenge, and bind-coverage drift.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* fix(agents-api): log JWKS-outage vs invalid-token on /mcp; review polish

  Discriminate jose validation errors (debug) from operational failures like a JWKS-endpoint outage (warn) so auth outages are visible. Surface the consent client_name lookup failure instead of swallowing it. Rename tryOAuthUserJwt to tryOAuthUserAuth for cross-domain consistency. Add an x-forwarded-cookie pass-through test.

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
* feat(agents-manage-ui): state management capabilities on the OAuth consent screen

  Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
GitOrigin-RevId: 4dde32bb148ec122f69edf8036388b65484e50ec
🦋 Changeset detected

Latest commit: 25cc6cd

The changes in this PR will be included in the next version bump. This PR includes changesets to release 10 packages.
Automated approval from agents-private public-mirror-sync (run: https://github.com/inkeep/agents-private/actions/runs/27699855539). Source of truth is the monorepo; direct edits on inkeep/agents are overwritten on next sync.
Add an audience-bound OAuth user JWT auth strategy (RFC 8707) on the run and manage domains for any DCR'd client (MCP clients, Gram), and advertise an oauth2 authorizationCode security scheme in the generated OpenAPI alongside the existing apiKey/bearer schemes
Enable DCR + RFC 8707 validAudiences on the better-auth oauthProvider and expose oauthClientId on BaseExecutionContext.metadata so MCP clients can self-register and audit-trail their DCR client_id
Fix org-level permission checks (requirePermission) for OAuth user JWT principals: authorize from the resolved org role via the shared access-control definitions instead of a better-auth session lookup, so project create/delete works for MCP/OAuth callers (not just session/UI); map authz denials to 403 instead of 500
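The verification path the entries above describe (audience check against the accepted resource indicators, fail-closed tenant claim, and JWKS-outage vs invalid-token discrimination), as an added TypeScript example that is not code from this PR or from the inkeep/agents repository. It assumes an HS256 shared secret in place of the JWKS the real service verifies against, constructed issuer and base URLs, and a `tenantId` claim name; `authenticate`, `verifyOAuthUserJwt`, `mintToken` and the `lookupKey` hook are names chosen for the example.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto';

// Constructed values for this example. The real service verifies tokens against the
// authorization server's JWKS; an HS256 shared secret stands in so the example runs offline.
export const DEMO_SECRET = 'constructed-demo-secret-not-a-real-key';
export const EXPECTED_ISSUER = 'https://auth.example.test';
export const MCP_BASE = 'https://api.example.test';
// RFC 8707 resource indicators this resource server answers to: base, base/ and /mcp.
export const ACCEPTED_AUDIENCES = new Set<string>([MCP_BASE, `${MCP_BASE}/`, `${MCP_BASE}/mcp`]);

// Two failure classes with different owners: 'invalid_token' is the caller's problem
// (401 + challenge, debug log); 'key_lookup_failed' is ours (no blame on the caller, warn log).
export type AuthErrorKind = 'invalid_token' | 'key_lookup_failed';
export type AuthError = Error & { kind: AuthErrorKind };
function authError(kind: AuthErrorKind, message: string): AuthError {
  const e = new Error(message) as AuthError;
  e.kind = kind;
  return e;
}

export type Principal = { sub: string; tenantId: string; clientId?: string };

// Minting helper so the example can produce tokens to verify (test use only).
export function mintToken(claims: Record<string, unknown>, secret: string = DEMO_SECRET): string {
  const head = Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })).toString('base64url');
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

export function verifyOAuthUserJwt(token: string, now: number, lookupKey: () => string = () => DEMO_SECRET): Principal {
  const parts = token.split('.');
  if (parts.length !== 3) throw authError('invalid_token', 'malformed token');
  const [h, p, s] = parts;
  let header: any;
  let claims: any;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  } catch {
    throw authError('invalid_token', 'undecodable token segments');
  }
  if (!header || header.alg !== 'HS256' || !claims || typeof claims !== 'object') {
    throw authError('invalid_token', 'unexpected header or claims');
  }
  let key: string;
  try {
    key = lookupKey(); // stands in for the JWKS fetch; an outage here is an operational failure
  } catch (e) {
    throw authError('key_lookup_failed', `key lookup failed: ${(e as Error).message}`);
  }
  const expected = createHmac('sha256', key).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw authError('invalid_token', 'signature mismatch');
  }
  if (claims.iss !== EXPECTED_ISSUER) throw authError('invalid_token', 'untrusted issuer');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw authError('invalid_token', 'expired');
  // Audience binding: a token minted for another resource is rejected even when issuer and user match.
  const auds: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!auds.some((a) => typeof a === 'string' && ACCEPTED_AUDIENCES.has(a))) {
    throw authError('invalid_token', 'audience not bound to this resource');
  }
  if (typeof claims.sub !== 'string') throw authError('invalid_token', 'missing sub');
  // Fail closed: a verified token without the tenant claim is rejected, not downgraded to a tenant-less principal.
  if (typeof claims.tenantId !== 'string' || claims.tenantId === '') {
    throw authError('invalid_token', 'missing tenant claim');
  }
  return { sub: claims.sub, tenantId: claims.tenantId, clientId: typeof claims.client_id === 'string' ? claims.client_id : undefined };
}

export type AuthOutcome = { status: number; principal?: Principal; wwwAuthenticate?: string; log: string };

// Route-level mapping: invalid token -> 401 with an RFC 9728 challenge at debug level;
// key lookup outage -> 503 at warn level so an auth outage shows up in operational logs.
export function authenticate(token: string, now: number, lookupKey?: () => string): AuthOutcome {
  try {
    return { status: 200, principal: verifyOAuthUserJwt(token, now, lookupKey), log: 'debug: token accepted' };
  } catch (e) {
    const kind = (e as AuthError).kind;
    if (kind === 'invalid_token') {
      return {
        status: 401,
        wwwAuthenticate: `Bearer resource_metadata="${MCP_BASE}/.well-known/oauth-protected-resource", error="invalid_token"`,
        log: `debug: ${(e as Error).message}`,
      };
    }
    if (kind === 'key_lookup_failed') return { status: 503, log: `warn: ${(e as Error).message}` };
    throw e;
  }
}
```

The point of the two error kinds is operational: a token for another resource, an expired token or a missing tenant claim all get the same 401 challenge and a debug-level line, while a failure to obtain key material is surfaced at warn level and not reported to the caller as their mistake.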
Improve /mcp ergonomics: add a happy-path example to create-full-agent's description (and a full-replace warning to update-full-agent), and re-add the lightweight agents-update-agent / projects-update-project tools for targeted edits (165 to 167)
Add a Management MCP Server section to organization settings with one-click install buttons (Add to Cursor, Install in VS Code) plus manual config for Windsurf and Claude Code, using OAuth login instead of an API key
Curate the /mcp management server: restrict the auto-generated tool surface to a 165-tool golden-path allowlist (down from ~290), and add server-level instructions to guide tool selection (prefer full-agent/full-project composites)
Bind tenantId to the OAuth session on the /mcp management server: drop tenantId from tool input schemas and inject it from the authenticated user's token, so MCP agents no longer pass (or mis-pass) it
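The tenant-binding step described above (drop `tenantId` from tool input schemas, inject it from the authenticated principal, fail closed when no tenant is present, and report coverage so schema drift is noticed), as an added TypeScript example that is not the PR's own `bindTenantId`. The tool shape, the `AuthContext` type and `bindCoverageWarning` are assumptions made for the example; the real server wraps SDK-generated tools, which are not modelled here.

```typescript
export type Args = Record<string, unknown>;
export type AuthContext = { tenantId?: string };
export type InputSchema = { type: string; properties?: Record<string, unknown>; required?: string[] };
export type McpTool = {
  name: string;
  inputSchema: InputSchema;
  handler: (args: Args, ctx: AuthContext) => unknown;
};
export type BindReport = { tools: McpTool[]; total: number; schemaDropped: number; injected: number; unbound: string[] };

// Rewrites each object-schema tool so the tenant claim is no longer a caller-supplied input:
// it is removed from the schema (schemaDropped counts tools that exposed it) and, independently,
// every wrapped handler overwrites it from the authenticated context (injected counts those).
// Tools whose schema shape is not understood are left untouched and reported, never guessed at.
export function bindTenantId(tools: McpTool[], claim: string = 'tenantId'): BindReport {
  let schemaDropped = 0;
  const unbound: string[] = [];
  const bound = tools.map((tool) => {
    const schema = tool.inputSchema;
    if (schema.type !== 'object' || typeof schema.properties !== 'object' || schema.properties === null) {
      unbound.push(tool.name);
      return tool;
    }
    const properties: Record<string, unknown> = { ...schema.properties };
    if (claim in properties) {
      delete properties[claim];
      schemaDropped += 1;
    }
    const required = (schema.required ?? []).filter((r) => r !== claim);
    const handler = (args: Args, ctx: AuthContext) => {
      // Fail closed: no authenticated tenant means no call, rather than falling back to caller input.
      if (typeof ctx.tenantId !== 'string' || ctx.tenantId === '') {
        throw new Error(`${tool.name}: no authenticated tenant in context; refusing to run`);
      }
      // Any caller-supplied value is discarded, even if a schema somewhere still leaked the field.
      return tool.handler({ ...args, [claim]: ctx.tenantId }, ctx);
    };
    return { ...tool, inputSchema: { ...schema, properties, required }, handler };
  });
  return { tools: bound, total: tools.length, schemaDropped, injected: tools.length - unbound.length, unbound };
}

// Route-level drift check: anything less than full coverage is logged so a newly generated
// tool with an unexpected schema shape does not silently ship without tenant binding.
export function bindCoverageWarning(report: BindReport): string | null {
  if (report.injected === report.total) return null;
  return `warn: tenant binding covers ${report.injected}/${report.total} tools; unbound: ${report.unbound.join(', ')}`;
}
```

Keeping the schema drop and the handler injection as separate counts matters: a tool that never listed the tenant field in its schema still gets the injected value, so the "injected" number is the one the coverage warning compares against the total.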