oauth_proxy.rs

A developer implemented an OAuth2 proxy service in Rust to handle MCP server authentication, intercepting requests to Auth0 to provide static credentials and fix compliance issues. The service replaces the `audience` parameter with `resource` and overrides the audience to match the CORE API, enabling smooth token generation without dynamic client registration.

| /// Oauth2Service is a service that handles the proxying of oauth2 requests in the case of MCP server | | | /// We use/forward to Auth0 behind the scene but we need to intercept because: | | | /// We don't want to support dynamic client registration in auth0, as we should enable it for the whole tenant and it causes security implications | | | /// but we wants users to use it without having to give them our oauth2 client and secret id before hands | | | /// thus we need to fake it in this server and returns our static creds. So it provides a smooth experience. Other implementations seems to do it too | | | /// There is new rfc/spec in progress to paliate to this https://auth0.com/blog/cimd-vs-dcr-mcp-registration/ | | | /// | | | /// Auth0 is not Oauth2 MCP compliant by default. It uses audience as a parameter in the token request, but MCP/oauth2 expects resource | | | /// We want users to generate a token for the audience/api of the CORE, but it is not possible by default as client check the audience/resource is the same | | | /// as the hostname of this server. So we intercept the request and replace the audience/resource with the audience of the CORE. | | | pub struct Oauth2Service { | | | original oauth server: Uri, | | | current oauth server: Uri, | | | oauth client id: String, | | | oauth client secret: String, | | | oauth audience override: String, | | | http client: reqwest::Client, | | | response auth required: StatusCode, HeaderMap , | | | response oauth2 protected resources: Arc<Value , | | | } | | | impl Oauth2Service { | | | pub fn new | | | original oauth server: Uri, | | | current oauth server: Uri, | | | oauth client id: String, | | | oauth client secret: String, | | | oauth audience: String, | | | - Arc<Self { | | | let response auth required = { | | | let headers = HeaderMap::from iter | | | CONTENT TYPE, HeaderValue::from static "application/json" , | | | WWW AUTHENTICATE, HeaderValue::from str &format "Bearer error=\"authentification required\" resource metadata=\"{}.well-known/oauth-protected-resource\"", current oauth server .expect "Failed to format WWW-Authenticate header" | | | ; | | | StatusCode::UNAUTHORIZED, headers | | | }; | | | let response oauth2 protected resources = Arc::new json { | | | "resource": current oauth server.to string , | | | "authorization servers": | | | current oauth server.to string | | | , | | | "scopes supported": | | | "email", "offline access" | | | , | | | "bearer methods supported": | | | "header" | | | | | | } ; | | | let this = Self { | | | original oauth server, | | | current oauth server, | | | oauth client id, | | | oauth client secret, | | | oauth audience override: oauth audience, | | | http client: reqwest::Client::builder | | | .timeout Duration::from secs 30 | | | .connect timeout Duration::from secs 10 | | | .redirect reqwest::redirect::Policy::none | | | .gzip true | | | .user agent "Qovery MCP Server" | | | .build | | | .expect "Cannot build reqwest client" , | | | response auth required, | | | response oauth2 protected resources, | | | }; | | | Arc::new this | | | } | | | pub fn axum router self: Arc<Self - Router { | | | Router::new | | | .route "/oauth/register", post Self::oidc register | | | .route "/oauth/authorize", get Self::oauth2 authorize | | | .route "/oauth/token", post Self::oauth2 token proxy | | | .route | | | "/.well-known/oauth-protected-resource", | | | get Self::oauth2 protected resources , | | | | | | .route "/.well-known/oauth-authorization-server", get Self::oauth2 auth server | | | .with state self | | | } | | | pub fn response auth required &self - axum::response::Response { | | | self.response auth required.clone .into response | | | } | | | async fn oidc register | | | State srv : State<Arc<Oauth2Service , | | | Json auth request : Json<RegisterPayload , | | | - Json<Value { | | | // const CALLBACK URL: &str; 2 = | | | // "http://localhost:4242/callback", | | | // "https://claude.ai/api/mcp/auth callback", | | | // ; | | | // | | | // if auth request | | | // .redirect uris | | | // .iter | | | // .any |uri| CALLBACK URL.iter .any |callback| callback == uri | | | // { | | | // return Json json { | | | // "error": "invalid redirect uri", | | | // "description": format "The only redirect uri/callback allowed is {CALLBACK URL:?} . It is a limitation of our IDP provider Auth0 . Please pin the port with --callback-port in claude or use a token" | | | // } ; | | | // } | | | let json = json { | | | "client id": srv.oauth client id, | | | "client secret": srv.oauth client secret, | | | "client id issued at": 1710000000, | | | "client name": auth request.client name, | | | "redirect uris": auth request.redirect uris, | | | "grant types": auth request.grant types, | | | "response types": auth request.response types, | | | "token endpoint auth method": auth request.token endpoint auth method, | | | } ; | | | Json json | | | } | | | // We intercept to inject correct audience/resource and ask to contact Auth0 to get the token | | | async fn oauth2 authorize State srv : State<Arc<Oauth2Service , req: Parts - Redirect { | | | info "Oauth2 authorize request: {:?}", req ; | | | let query = req.uri.path and query .and then |p| p.query .unwrap or "" ; | | | let mut params: HashMap<String, String = serde urlencoded::from str query .unwrap or default ; | | | params.insert "resource".to string , srv.oauth audience override.clone ; | | | params.insert "audience".to string , srv.oauth audience override.clone ; | | | Redirect::to | | | format | | | "{}authorize?{}", | | | srv.original oauth server, | | | serde urlencoded::to string ¶ms .unwrap or default | | | | | | .as str , | | | | | | } | | | /// OAuth2 flow is done/user authentificated, we fetch the token from Auth0 with the correct audience/resource | | | /// We proxy and not redirect as the info is inside the body of the request. | | | async fn oauth2 token proxy | | | State srv : State<Arc<Oauth2Service , | | | mut req: Parts, | | | body: Bytes, | | | - Result< StatusCode, http::HeaderMap, Bytes , StatusCode, String { | | | trace "Token proxy request: {:?} {:?}", req, body ; | | | const EMPTY HEADER: fn - HeaderValue = || HeaderValue::from static "" ; | | | let mut params: HashMap<String, String = | | | serde urlencoded::from bytes &body .map err |e| StatusCode::BAD REQUEST, e.to string ?; | | | params.insert "resource".to string , srv.oauth audience override.clone ; | | | params.insert "audience".to string , srv.oauth audience override.clone ; | | | let content type, auth = { | | | let mut headers = std::mem::take &mut req.headers ; | | | | | | headers.remove CONTENT TYPE .unwrap or EMPTY HEADER , | | | headers.remove AUTHORIZATION .unwrap or EMPTY HEADER , | | | | | | }; | | | let mut resp = srv | | | .http client | | | .post format "{}oauth/token", srv.original oauth server | | | .header CONTENT TYPE, content type | | | .header AUTHORIZATION, auth | | | .body serde urlencoded::to string ¶ms .unwrap or default | | | .send | | | .await | | | .map err |e| StatusCode::INTERNAL SERVER ERROR, e.to string ?; | | | let status = resp.status ; | | | let headers = std::mem::take resp.headers mut ; | | | let body = resp | | | .bytes | | | .await | | | .map err |e| StatusCode::INTERNAL SERVER ERROR, e.to string ?; | | | Ok status, headers, body | | | } | | | /// Advertise the oauth2 config of this server to the client. | | | /// The client uses this to know where to authenticate with the oauth2 server | | | async fn oauth2 protected resources State srv : State<Arc<Oauth2Service , req: Request - Json<Arc<Value { | | | trace "Oauth2 protected resource request: {:?}", req ; | | | Json srv.response oauth2 protected resources.clone | | | } | | | /// We fetch the information about the auth server from Auth0. | | | /// And modify only the part we need for the client to contact us on specific endpoints | | | /// ie.:curl https://auth.qovery.com/.well-known/oauth-authorization-server | jq . | | | pub async fn oauth2 auth server | | | State srv : State<Arc<Oauth2Service , | | | - Result<Json<Value , StatusCode, String { | | | let response = srv | | | .http client | | | .get format | | | "{}.well-known/oauth-authorization-server", | | | srv.original oauth server | | | | | | .send | | | .await | | | .map err |e| StatusCode::BAD REQUEST, e.to string ?; | | | trace "Oauth2 auth server response: {:?}", response ; | | | let mut json: Value = response | | | .json | | | .await | | | .map err |e| StatusCode::BAD REQUEST, e.to string ?; | | | json.get mut "token endpoint" .unwrap or &mut Value::Null = | | | Value::String format "{}oauth/token", srv.current oauth server ; | | | json.get mut "authorization endpoint" .unwrap or &mut Value::Null = | | | Value::String format "{}oauth/authorize", srv.current oauth server ; | | | json.get mut "registration endpoint" .unwrap or &mut Value::Null = | | | Value::String format "{}oauth/register", srv.current oauth server ; | | | Ok Json json | | | } | | | } | | | derive Default, Debug, Clone, PartialEq, Deserialize | | | struct RegisterPayload { | | | pub client name: String, | | | pub grant types: Vec<String , | | | pub redirect uris: Vec<String , | | | pub response types: Vec<String , | | | pub token endpoint auth method: String, | | | } |