From 367b523aa3c0e9d4efa0b408914da81f8b905946 Mon Sep 17 00:00:00 2001 From: Paulo Arruda Date: Thu, 6 Nov 2025 18:51:02 -0400 Subject: [PATCH 1/5] Add comprehensive OAuth 2.1 support for MCP servers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Implements full OAuth 2.1 authentication and authorization for HTTP-based MCP transports (SSE and StreamableHTTP), following security best practices and RFC compliance standards. Features: - Complete OAuth 2.1 flow with PKCE (RFC 7636, S256 SHA256) - Dynamic client registration (RFC 7591) - Server discovery (RFC 8414, RFC 9728) - Resource indicators for token binding (RFC 8707) - Automatic token refresh with 5-minute proactive buffer - Browser-based authentication with local callback server - Pluggable storage interface with in-memory default - CSRF protection via state parameter - URL normalization for security - Comprehensive test coverage Implementation: - Add OAuth data models (Token, ClientMetadata, ClientInfo, etc.) - Add OAuthProvider for complete OAuth flow orchestration - Add BrowserOAuth for browser-based authentication - Integrate OAuth into SSE transport - Replace HTTPX OAuth plugin in StreamableHTTP with robust implementation - Add OAuth provider creation in Transport layer - Add comprehensive unit tests - Add detailed OAUTH.md documentation with examples Security: - PKCE mandatory with S256 (32-byte random verifier) - State parameter for CSRF protection (32-byte random) - Resource indicators bind tokens to specific servers - Proactive token refresh prevents expiration - Sensitive data filtering in configuration šŸ¤– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- OAUTH.md | 671 ++++++++++++++++++ lib/ruby_llm/mcp/auth.rb | 305 ++++++++ lib/ruby_llm/mcp/auth/browser_oauth.rb | 435 ++++++++++++ lib/ruby_llm/mcp/auth/oauth_provider.rb | 586 +++++++++++++++ lib/ruby_llm/mcp/transport.rb | 38 +- lib/ruby_llm/mcp/transports/sse.rb | 33 +- lib/ruby_llm/mcp/transports/stdio.rb | 3 +- .../mcp/transports/streamable_http.rb | 56 +- spec/ruby_llm/mcp/auth/oauth_provider_spec.rb | 236 ++++++ spec/ruby_llm/mcp/auth_spec.rb | 292 ++++++++ 10 files changed, 2609 insertions(+), 46 deletions(-) create mode 100644 OAUTH.md create mode 100644 lib/ruby_llm/mcp/auth.rb create mode 100644 lib/ruby_llm/mcp/auth/browser_oauth.rb create mode 100644 lib/ruby_llm/mcp/auth/oauth_provider.rb create mode 100644 spec/ruby_llm/mcp/auth/oauth_provider_spec.rb create mode 100644 spec/ruby_llm/mcp/auth_spec.rb diff --git a/OAUTH.md b/OAUTH.md new file mode 100644 index 0000000..75e841f --- /dev/null +++ b/OAUTH.md @@ -0,0 +1,671 @@ +# OAuth 2.1 Support in ruby_llm-mcp + +This gem implements comprehensive OAuth 2.1 support for MCP (Model Context Protocol) servers, providing secure authentication and authorization for HTTP-based transports (SSE and StreamableHTTP). + +## Table of Contents + +- [Features](#features) +- [Architecture](#architecture) +- [Quick Start](#quick-start) +- [Configuration](#configuration) +- [Usage Examples](#usage-examples) +- [Browser-Based Authentication](#browser-based-authentication) +- [Custom Storage](#custom-storage) +- [Security Considerations](#security-considerations) +- [Troubleshooting](#troubleshooting) + +## Features + +### OAuth 2.1 Compliance + +- āœ… **PKCE (RFC 7636)**: Mandatory Proof Key for Code Exchange with S256 (SHA256) +- āœ… **Dynamic Client Registration (RFC 7591)**: Automatic client registration with OAuth servers +- āœ… **Server Discovery (RFC 8414)**: Automatic authorization server metadata discovery +- āœ… **Protected Resource Metadata (RFC 9728)**: Support for delegated authorization servers +- āœ… **Resource Indicators (RFC 8707)**: Token binding to specific MCP servers +- āœ… **State Parameter**: CSRF protection for authorization flows +- āœ… **Automatic Token Refresh**: Proactive token refresh with 5-minute buffer +- āœ… **Secure Token Storage**: Pluggable storage with in-memory default + +### Transport Support + +- **SSE (Server-Sent Events)**: Full OAuth support for event streams and message endpoints +- **StreamableHTTP**: Complete OAuth integration with session management +- **Stdio**: Not applicable (local process communication) + +## Architecture + +### Core Components + +``` +ā”Œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā” +ā”‚ OAuth Provider ā”‚ +ā”‚ (Discovery, Registration, Tokens) ā”‚ +ā”œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¤ +ā”‚ Browser OAuth ā”‚ +ā”‚ (Local callback server) ā”‚ +ā”œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¤ +ā”‚ Storage Layer ā”‚ +ā”‚ (Tokens, Client Info, Metadata) ā”‚ +ā”œā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”¤ +ā”‚ Transport Layer ā”‚ +ā”‚ (SSE, StreamableHTTP) ā”‚ +ā””ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”˜ +``` + +### OAuth Flow + +``` +1. Client Configuration ā†’ OAuth Provider Creation +2. Server Discovery ā†’ Authorization Server Metadata +3. Client Registration ā†’ Client ID & Client Secret +4. Authorization Request ā†’ PKCE + State Generation +5. User Authorization ā†’ Browser/Manual +6. Token Exchange ā†’ Access Token + Refresh Token +7. API Requests ā†’ Automatic Token Refresh +``` + +## Quick Start + +### Basic Configuration + +Add OAuth configuration to your MCP client: + +```ruby +require "ruby_llm/mcp" + +client = RubyLLM::MCP.client( + name: "oauth-mcp-server", + transport_type: :sse, # or :streamable + config: { + url: "https://mcp.example.com/api", + oauth: { + redirect_uri: "http://localhost:8080/callback", + scope: "mcp:read mcp:write" + } + } +) +``` + +### File-Based Configuration + +Create `config/mcp_servers.yml`: + +```yaml +mcp_servers: + protected_server: + transport_type: streamable + url: https://mcp.example.com/api + oauth: + redirect_uri: http://localhost:8080/callback + scope: mcp:read mcp:write +``` + +Load configuration: + +```ruby +RubyLLM.configure do |config| + config.config_path = "config/mcp_servers.yml" +end + +RubyLLM::MCP.establish_connection +``` + +## Configuration + +### OAuth Configuration Options + +| Option | Type | Required | Description | +|--------|------|----------|-------------| +| `redirect_uri` | String | No | Callback URL for authorization (default: `http://localhost:8080/callback`) | +| `scope` | String | No | OAuth scopes to request (e.g., `"mcp:read mcp:write"`) | +| `storage` | Object | No | Custom storage implementation (default: in-memory) | + +### Environment Variables + +Use ERB in configuration files for sensitive data: + +```yaml +mcp_servers: + production_server: + transport_type: streamable + url: <%= ENV['MCP_SERVER_URL'] %> + oauth: + redirect_uri: <%= ENV['OAUTH_REDIRECT_URI'] %> + scope: <%= ENV['OAUTH_SCOPE'] %> +``` + +## Usage Examples + +### Example 1: Simple SSE Client with OAuth + +```ruby +require "ruby_llm/mcp" +require "ruby_llm/mcp/auth/browser_oauth" + +# Create client with OAuth +client = RubyLLM::MCP.client( + name: "secure-server", + transport_type: :sse, + start: false, # Don't auto-start + config: { + url: "https://mcp.example.com/sse", + oauth: { + redirect_uri: "http://localhost:8080/callback", + scope: "mcp:read mcp:write" + } + } +) + +# Get OAuth provider from transport +transport = client.instance_variable_get(:@coordinator).send(:transport) +oauth_provider = transport.oauth_provider + +# Perform browser-based authentication +browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + oauth_provider, + callback_port: 8080, + callback_path: "/callback" +) + +# This will: +# 1. Start local callback server +# 2. Open browser to authorization URL +# 3. Wait for user to authorize +# 4. Exchange code for token +# 5. Store token +token = browser_oauth.authenticate(timeout: 300, auto_open_browser: true) + +puts "Successfully authenticated!" +puts "Access token: #{token.access_token[0..20]}..." + +# Now start the client - it will use the stored token +client.start + +# Use the client normally +tools = client.tools +puts "Available tools: #{tools.map(&:name).join(', ')}" +``` + +### Example 2: StreamableHTTP with OAuth + +```ruby +require "ruby_llm/mcp" + +client = RubyLLM::MCP.client( + name: "streamable-server", + transport_type: :streamable, + start: false, + config: { + url: "https://api.example.com/mcp", + oauth: { + redirect_uri: "http://localhost:9000/callback", + scope: "mcp:full" + } + } +) + +# Authenticate (same as above) +transport = client.instance_variable_get(:@coordinator).send(:transport) +browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + transport.oauth_provider, + callback_port: 9000 +) +browser_oauth.authenticate + +# Start client +client.start + +# Execute tools +result = client.tool("search").execute(params: { query: "Ruby MCP" }) +puts result +``` + +### Example 3: Manual Authorization Flow + +For scenarios where browser opening isn't possible: + +```ruby +require "ruby_llm/mcp" + +client = RubyLLM::MCP.client( + name: "manual-auth", + transport_type: :sse, + start: false, + config: { + url: "https://mcp.example.com/api", + oauth: { + redirect_uri: "http://localhost:8080/callback", + scope: "mcp:read" + } + } +) + +transport = client.instance_variable_get(:@coordinator).send(:transport) +oauth_provider = transport.oauth_provider + +# Start authorization flow +auth_url = oauth_provider.start_authorization_flow + +puts "\nPlease visit this URL to authorize:" +puts auth_url +puts "\nAfter authorization, you'll be redirected to:" +puts "#{oauth_provider.redirect_uri}?code=...&state=..." +puts "\nEnter the 'code' parameter from the URL:" + +code = gets.chomp + +puts "Enter the 'state' parameter:" +state = gets.chomp + +# Complete authorization +token = oauth_provider.complete_authorization_flow(code, state) +puts "\nAuthentication successful!" + +# Start client +client.start +``` + +### Example 4: Multiple Clients with Different Auth + +```ruby +require "ruby_llm/mcp" + +RubyLLM.configure do |config| + config.mcp_configuration = [ + { + name: "public-server", + transport_type: :stdio, + config: { + command: "mcp-server-filesystem", + args: ["/tmp"] + } + }, + { + name: "secure-server-1", + transport_type: :sse, + start: false, + config: { + url: "https://secure1.example.com", + oauth: { + redirect_uri: "http://localhost:8080/callback", + scope: "mcp:read" + } + } + }, + { + name: "secure-server-2", + transport_type: :streamable, + start: false, + config: { + url: "https://secure2.example.com", + oauth: { + redirect_uri: "http://localhost:8081/callback", + scope: "mcp:admin" + } + } + } + ] +end + +# Start public server immediately +RubyLLM::MCP.establish_connection do |clients| + # public-server auto-starts + puts "Public server tools: #{clients[:public_server].tools.count}" +end + +# Authenticate secure servers separately +def authenticate_client(client, port) + transport = client.instance_variable_get(:@coordinator).send(:transport) + browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + transport.oauth_provider, + callback_port: port + ) + browser_oauth.authenticate + client.start +end + +clients = RubyLLM::MCP.clients +authenticate_client(clients[:secure_server_1], 8080) +authenticate_client(clients[:secure_server_2], 8081) + +# Now all clients are ready +RubyLLM::MCP.tools.each do |tool| + puts "Tool: #{tool.name}" +end +``` + +## Browser-Based Authentication + +The `BrowserOAuth` class provides a complete browser-based OAuth flow: + +### Features + +- **Automatic Browser Opening**: Opens default browser to authorization URL +- **Local Callback Server**: Pure Ruby TCP server (no external dependencies) +- **Beautiful UI**: Styled HTML success/error pages +- **Cross-Platform**: Supports macOS, Linux, Windows +- **Timeout Support**: Configurable timeout for user authorization +- **Thread-Safe**: Safe for concurrent use + +### Usage + +```ruby +require "ruby_llm/mcp/auth/browser_oauth" + +# Create OAuth provider +oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: "https://mcp.example.com", + redirect_uri: "http://localhost:8080/callback", + scope: "mcp:read mcp:write" +) + +# Create browser OAuth helper +browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + oauth_provider, + callback_port: 8080, + callback_path: "/callback" +) + +# Authenticate (opens browser automatically) +begin + token = browser_oauth.authenticate( + timeout: 300, # 5 minutes + auto_open_browser: true # Set to false for manual opening + ) + + puts "Access token: #{token.access_token}" + puts "Expires at: #{token.expires_at}" + puts "Refresh token: #{token.refresh_token}" if token.refresh_token +rescue RubyLLM::MCP::Errors::TimeoutError + puts "Authorization timed out" +rescue RubyLLM::MCP::Errors::TransportError => e + puts "Authorization failed: #{e.message}" +end +``` + +### Custom Callback Port + +If port 8080 is in use: + +```ruby +browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + oauth_provider, + callback_port: 9999, + callback_path: "/oauth/callback" +) + +# Update OAuth provider redirect URI to match +oauth_provider.redirect_uri = "http://localhost:9999/oauth/callback" +``` + +## Custom Storage + +Implement custom storage for production deployments: + +### Storage Interface + +```ruby +class CustomStorage + # Token storage + def get_token(server_url); end + def set_token(server_url, token); end + + # Client registration storage + def get_client_info(server_url); end + def set_client_info(server_url, client_info); end + + # Server metadata caching + def get_server_metadata(server_url); end + def set_server_metadata(server_url, metadata); end + + # PKCE state management (temporary) + def get_pkce(server_url); end + def set_pkce(server_url, pkce); end + def delete_pkce(server_url); end + + # State parameter management (temporary) + def get_state(server_url); end + def set_state(server_url, state); end + def delete_state(server_url); end +end +``` + +### Example: Redis Storage + +```ruby +require "redis" +require "json" + +class RedisOAuthStorage + def initialize(redis_url = ENV["REDIS_URL"]) + @redis = Redis.new(url: redis_url) + end + + def get_token(server_url) + data = @redis.get("oauth:token:#{server_url}") + data ? RubyLLM::MCP::Auth::Token.from_h(JSON.parse(data, symbolize_names: true)) : nil + end + + def set_token(server_url, token) + @redis.set("oauth:token:#{server_url}", token.to_h.to_json) + @redis.expire("oauth:token:#{server_url}", 86400) # 24 hours + end + + def get_client_info(server_url) + data = @redis.get("oauth:client:#{server_url}") + data ? RubyLLM::MCP::Auth::ClientInfo.from_h(JSON.parse(data, symbolize_names: true)) : nil + end + + def set_client_info(server_url, client_info) + @redis.set("oauth:client:#{server_url}", client_info.to_h.to_json) + end + + # ... implement other methods ... +end + +# Use custom storage +client = RubyLLM::MCP.client( + name: "redis-backed", + transport_type: :sse, + config: { + url: "https://mcp.example.com", + oauth: { + storage: RedisOAuthStorage.new, + scope: "mcp:read" + } + } +) +``` + +### Example: Database Storage + +```ruby +class DatabaseOAuthStorage + def initialize(db_connection) + @db = db_connection + end + + def get_token(server_url) + record = @db[:oauth_tokens].where(server_url: server_url).first + return nil unless record + + RubyLLM::MCP::Auth::Token.from_h(JSON.parse(record[:token_data], symbolize_names: true)) + end + + def set_token(server_url, token) + @db[:oauth_tokens].insert_conflict( + target: :server_url, + update: { token_data: token.to_h.to_json, updated_at: Time.now } + ).insert( + server_url: server_url, + token_data: token.to_h.to_json, + created_at: Time.now, + updated_at: Time.now + ) + end + + # ... implement other methods ... +end +``` + +## Security Considerations + +### PKCE (Proof Key for Code Exchange) + +All OAuth flows use PKCE with S256 (SHA256) hashing: + +- **Code Verifier**: 32 bytes of cryptographically secure random data +- **Code Challenge**: SHA256 hash of the verifier +- **Protection**: Prevents authorization code interception attacks + +### State Parameter + +CSRF protection via state parameter: + +- **Generation**: 32 bytes of random data (base64url encoded) +- **Validation**: Strict equality check on callback +- **Storage**: Temporary storage, deleted after flow completion + +### Token Security + +- **Automatic Refresh**: Tokens refreshed proactively (5-minute buffer before expiration) +- **Secure Storage**: Tokens stored securely via pluggable storage interface +- **HTTPS Only**: OAuth flows require HTTPS endpoints (except localhost) +- **Resource Binding**: RFC 8707 resource indicators prevent token reuse across servers + +### URL Normalization + +Server URLs are normalized to prevent token confusion: + +``` +https://MCP.EXAMPLE.COM:443/api/ ā†’ https://mcp.example.com/api +http://example.com:80 ā†’ http://example.com +``` + +### Sensitive Data Filtering + +Configuration objects automatically filter sensitive data: + +```ruby +config = { oauth: { scope: "read", client_secret: "secret123" } } +config.inspect # client_secret shown as [FILTERED] +``` + +## Troubleshooting + +### Port Already in Use + +If callback port is in use: + +```ruby +browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( + oauth_provider, + callback_port: 8081 # Try different port +) +``` + +### Browser Doesn't Open + +Set `auto_open_browser: false` and manually copy URL: + +```ruby +token = browser_oauth.authenticate(auto_open_browser: false) +# Manually open the displayed URL +``` + +### Token Refresh Fails + +Check server logs and ensure refresh tokens are being returned: + +```ruby +token = oauth_provider.access_token +if token&.refresh_token + puts "Refresh token present" +else + puts "No refresh token - re-authentication required" +end +``` + +### Discovery Fails + +Verify OAuth server endpoints: + +```ruby +# Check discovery URLs +discovery_url = "https://mcp.example.com/.well-known/oauth-authorization-server" +response = HTTParty.get(discovery_url) +puts response.body +``` + +### Custom Redirect URI Not Working + +Ensure redirect URI matches exactly: + +```ruby +# Server expects +"http://localhost:8080/callback" + +# Not +"http://localhost:8080/callback/" # Trailing slash +"http://127.0.0.1:8080/callback" # Different host +``` + +## Advanced Topics + +### Custom OAuth Provider + +For advanced use cases, create OAuth provider directly: + +```ruby +require "ruby_llm/mcp/auth/oauth_provider" + +provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: "https://mcp.example.com", + redirect_uri: "http://localhost:8080/callback", + scope: "custom:scope", + logger: Logger.new($stdout, level: Logger::DEBUG), + storage: CustomStorage.new +) + +# Manual flow control +auth_url = provider.start_authorization_flow +# ... user authorization ... +token = provider.complete_authorization_flow(code, state) +``` + +### Token Introspection + +Check token status: + +```ruby +token = oauth_provider.access_token + +if token + puts "Valid: #{!token.expired?}" + puts "Expires soon: #{token.expires_soon?}" + puts "Expires at: #{token.expires_at}" + puts "Scope: #{token.scope}" +end +``` + +### Logging + +Enable debug logging: + +```ruby +RubyLLM.configure do |config| + config.log_level = Logger::DEBUG +end + +# Or set environment variable +ENV["RUBYLLM_MCP_DEBUG"] = "1" +``` + +## License + +See [LICENSE](LICENSE) file. + +## Contributing + +See [CONTRIBUTING.md](CONTRIBUTING.md) for contribution guidelines. diff --git a/lib/ruby_llm/mcp/auth.rb b/lib/ruby_llm/mcp/auth.rb new file mode 100644 index 0000000..c0f35df --- /dev/null +++ b/lib/ruby_llm/mcp/auth.rb @@ -0,0 +1,305 @@ +# frozen_string_literal: true + +require "base64" +require "digest/sha2" +require "securerandom" +require "time" + +module RubyLLM + module MCP + module Auth + # Represents an OAuth 2.1 access token with expiration tracking + class Token + attr_reader :access_token, :token_type, :expires_in, :scope, :refresh_token, :expires_at + + def initialize(access_token:, token_type: "Bearer", expires_in: nil, scope: nil, refresh_token: nil) + @access_token = access_token + @token_type = token_type + @expires_in = expires_in + @scope = scope + @refresh_token = refresh_token + @expires_at = expires_in ? Time.now + expires_in : nil + end + + # Check if token has expired + # @return [Boolean] true if token is expired + def expired? + return false unless @expires_at + + Time.now >= @expires_at + end + + # Check if token expires soon (within 5-minute buffer) + # This enables proactive token refresh + # @return [Boolean] true if token expires within 5 minutes + def expires_soon? + return false unless @expires_at + + Time.now >= (@expires_at - 300) # 5-minute buffer + end + + # Format token for Authorization header + # @return [String] formatted as "Bearer {access_token}" + def to_header + "#{@token_type} #{@access_token}" + end + + # Serialize token to hash + # @return [Hash] token data + def to_h + { + access_token: @access_token, + token_type: @token_type, + expires_in: @expires_in, + scope: @scope, + refresh_token: @refresh_token, + expires_at: @expires_at&.iso8601 + } + end + + # Deserialize token from hash + # @param data [Hash] token data + # @return [Token] new token instance + def self.from_h(data) + token = new( + access_token: data[:access_token] || data["access_token"], + token_type: data[:token_type] || data["token_type"] || "Bearer", + expires_in: data[:expires_in] || data["expires_in"], + scope: data[:scope] || data["scope"], + refresh_token: data[:refresh_token] || data["refresh_token"] + ) + + # Restore expires_at if present + expires_at_str = data[:expires_at] || data["expires_at"] + if expires_at_str + token.instance_variable_set(:@expires_at, Time.parse(expires_at_str)) + end + + token + end + end + + # Client metadata for dynamic client registration (RFC 7591) + class ClientMetadata + attr_reader :redirect_uris, :token_endpoint_auth_method, :grant_types, :response_types, :scope + + def initialize( + redirect_uris:, + token_endpoint_auth_method: "none", + grant_types: %w[authorization_code refresh_token], + response_types: ["code"], + scope: nil + ) + @redirect_uris = redirect_uris + @token_endpoint_auth_method = token_endpoint_auth_method + @grant_types = grant_types + @response_types = response_types + @scope = scope + end + + # Convert to hash for registration request + # @return [Hash] client metadata + def to_h + { + redirect_uris: @redirect_uris, + token_endpoint_auth_method: @token_endpoint_auth_method, + grant_types: @grant_types, + response_types: @response_types, + scope: @scope + }.compact + end + end + + # Registered client information from authorization server + class ClientInfo + attr_reader :client_id, :client_secret, :client_id_issued_at, :client_secret_expires_at, :metadata + + def initialize(client_id:, client_secret: nil, client_id_issued_at: nil, client_secret_expires_at: nil, +metadata: nil) + @client_id = client_id + @client_secret = client_secret + @client_id_issued_at = client_id_issued_at + @client_secret_expires_at = client_secret_expires_at + @metadata = metadata + end + + # Check if client secret has expired + # @return [Boolean] true if client secret is expired + def client_secret_expired? + return false unless @client_secret_expires_at + + Time.now.to_i >= @client_secret_expires_at + end + + # Serialize to hash + # @return [Hash] client info + def to_h + { + client_id: @client_id, + client_secret: @client_secret, + client_id_issued_at: @client_id_issued_at, + client_secret_expires_at: @client_secret_expires_at, + metadata: @metadata&.to_h + } + end + + # Deserialize from hash + # @param data [Hash] client info data + # @return [ClientInfo] new instance + def self.from_h(data) + metadata_data = data[:metadata] || data["metadata"] + metadata = if metadata_data + ClientMetadata.new(**metadata_data.transform_keys(&:to_sym)) + end + + new( + client_id: data[:client_id] || data["client_id"], + client_secret: data[:client_secret] || data["client_secret"], + client_id_issued_at: data[:client_id_issued_at] || data["client_id_issued_at"], + client_secret_expires_at: data[:client_secret_expires_at] || data["client_secret_expires_at"], + metadata: metadata + ) + end + end + + # OAuth Authorization Server Metadata (RFC 8414) + class ServerMetadata + attr_reader :issuer, :authorization_endpoint, :token_endpoint, :registration_endpoint, + :scopes_supported, :response_types_supported, :grant_types_supported + + def initialize( + issuer:, + authorization_endpoint:, + token_endpoint:, + registration_endpoint: nil, + scopes_supported: nil, + response_types_supported: nil, + grant_types_supported: nil + ) + @issuer = issuer + @authorization_endpoint = authorization_endpoint + @token_endpoint = token_endpoint + @registration_endpoint = registration_endpoint + @scopes_supported = scopes_supported + @response_types_supported = response_types_supported + @grant_types_supported = grant_types_supported + end + + # Check if dynamic client registration is supported + # @return [Boolean] true if registration endpoint exists + def supports_registration? + !@registration_endpoint.nil? + end + + # Serialize to hash + # @return [Hash] server metadata + def to_h + { + issuer: @issuer, + authorization_endpoint: @authorization_endpoint, + token_endpoint: @token_endpoint, + registration_endpoint: @registration_endpoint, + scopes_supported: @scopes_supported, + response_types_supported: @response_types_supported, + grant_types_supported: @grant_types_supported + }.compact + end + + # Deserialize from hash + # @param data [Hash] server metadata + # @return [ServerMetadata] new instance + def self.from_h(data) + new( + issuer: data[:issuer] || data["issuer"], + authorization_endpoint: data[:authorization_endpoint] || data["authorization_endpoint"], + token_endpoint: data[:token_endpoint] || data["token_endpoint"], + registration_endpoint: data[:registration_endpoint] || data["registration_endpoint"], + scopes_supported: data[:scopes_supported] || data["scopes_supported"], + response_types_supported: data[:response_types_supported] || data["response_types_supported"], + grant_types_supported: data[:grant_types_supported] || data["grant_types_supported"] + ) + end + end + + # OAuth Protected Resource Metadata (RFC 9728) + # Used for authorization server delegation + class ResourceMetadata + attr_reader :resource, :authorization_servers + + def initialize(resource:, authorization_servers:) + @resource = resource + @authorization_servers = authorization_servers + end + + # Serialize to hash + # @return [Hash] resource metadata + def to_h + { + resource: @resource, + authorization_servers: @authorization_servers + } + end + + # Deserialize from hash + # @param data [Hash] resource metadata + # @return [ResourceMetadata] new instance + def self.from_h(data) + new( + resource: data[:resource] || data["resource"], + authorization_servers: data[:authorization_servers] || data["authorization_servers"] + ) + end + end + + # Proof Key for Code Exchange (PKCE) implementation (RFC 7636) + # Required for OAuth 2.1 security + class PKCE + attr_reader :code_verifier, :code_challenge, :code_challenge_method + + def initialize + @code_verifier = generate_code_verifier + @code_challenge = generate_code_challenge(@code_verifier) + @code_challenge_method = "S256" # SHA256 - only secure method for OAuth 2.1 + end + + # Serialize to hash + # @return [Hash] PKCE parameters + def to_h + { + code_verifier: @code_verifier, + code_challenge: @code_challenge, + code_challenge_method: @code_challenge_method + } + end + + # Deserialize from hash + # @param data [Hash] PKCE data + # @return [PKCE] new instance + def self.from_h(data) + pkce = allocate + pkce.instance_variable_set(:@code_verifier, data[:code_verifier] || data["code_verifier"]) + pkce.instance_variable_set(:@code_challenge, data[:code_challenge] || data["code_challenge"]) + pkce.instance_variable_set(:@code_challenge_method, + data[:code_challenge_method] || data["code_challenge_method"] || "S256") + pkce + end + + private + + # Generate cryptographically secure code verifier + # @return [String] base64url-encoded random 32 bytes + def generate_code_verifier + Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false) + end + + # Generate code challenge from verifier using SHA256 + # @param verifier [String] code verifier + # @return [String] base64url-encoded SHA256 hash + def generate_code_challenge(verifier) + digest = Digest::SHA256.digest(verifier) + Base64.urlsafe_encode64(digest, padding: false) + end + end + end + end +end diff --git a/lib/ruby_llm/mcp/auth/browser_oauth.rb b/lib/ruby_llm/mcp/auth/browser_oauth.rb new file mode 100644 index 0000000..8a40a8b --- /dev/null +++ b/lib/ruby_llm/mcp/auth/browser_oauth.rb @@ -0,0 +1,435 @@ +# frozen_string_literal: true + +require "cgi" +require "socket" +require_relative "oauth_provider" + +module RubyLLM + module MCP + module Auth + # Browser-based OAuth authentication with local callback server + # Opens user's browser for authorization and handles callback automatically + class BrowserOAuth + attr_reader :oauth_provider, :callback_port, :callback_path, :logger + + def initialize(oauth_provider, callback_port: 8080, callback_path: "/callback", logger: nil) + @oauth_provider = oauth_provider + @callback_port = callback_port + @callback_path = callback_path + @logger = logger || MCP.logger + + # Ensure OAuth provider redirect_uri matches our callback server + expected_redirect_uri = "http://localhost:#{callback_port}#{callback_path}" + return unless oauth_provider.redirect_uri != expected_redirect_uri + + @logger.warn("OAuth provider redirect_uri (#{oauth_provider.redirect_uri}) " \ + "doesn't match callback server (#{expected_redirect_uri}). " \ + "Updating redirect_uri.") + oauth_provider.redirect_uri = expected_redirect_uri + end + + # Perform complete OAuth authentication flow + # @param timeout [Integer] seconds to wait for authorization + # @param auto_open_browser [Boolean] automatically open browser + # @return [Token] access token + def authenticate(timeout: 300, auto_open_browser: true) + # 1. Start authorization flow and get URL + auth_url = @oauth_provider.start_authorization_flow + @logger.debug("Authorization URL: #{auth_url}") + + # 2. Create result container for thread coordination + result = { code: nil, state: nil, error: nil, completed: false } + mutex = Mutex.new + condition = ConditionVariable.new + + # 3. Start local callback server + server = start_callback_server(result, mutex, condition) + + begin + # 4. Open browser to authorization URL + if auto_open_browser + open_browser(auth_url) + @logger.info("\nOpening browser for authorization...") + @logger.info("If browser doesn't open automatically, visit this URL:") + else + @logger.info("\nPlease visit this URL to authorize:") + end + @logger.info(auth_url) + @logger.info("\nWaiting for authorization...") + + # 5. Wait for callback with timeout + mutex.synchronize do + condition.wait(mutex, timeout) unless result[:completed] + end + + unless result[:completed] + raise Errors::TimeoutError.new("OAuth authorization timed out after #{timeout} seconds", nil) + end + + if result[:error] + raise Errors::TransportError.new("OAuth authorization failed: #{result[:error]}", nil, nil) + end + + # 6. Complete OAuth flow + @logger.debug("Completing OAuth authorization flow") + token = @oauth_provider.complete_authorization_flow(result[:code], result[:state]) + + @logger.info("\nAuthentication successful!") + token + ensure + # Always shutdown the server + server&.shutdown + end + end + + private + + # Start local HTTP callback server + # @param result [Hash] result container for callback data + # @param mutex [Mutex] synchronization mutex + # @param condition [ConditionVariable] wait condition + # @return [CallbackServer] server wrapper + def start_callback_server(result, mutex, condition) + begin + server = TCPServer.new("127.0.0.1", @callback_port) + @logger.debug("Started callback server on http://127.0.0.1:#{@callback_port}#{@callback_path}") + rescue Errno::EADDRINUSE + raise Errors::TransportError.new( + "Cannot start OAuth callback server: port #{@callback_port} is already in use. " \ + "Please close the application using this port or choose a different callback_port.", + nil, nil + ) + rescue StandardError => e + raise Errors::TransportError.new( + "Failed to start OAuth callback server on port #{@callback_port}: #{e.message}", + nil, nil + ) + end + + running = true + + # Start server in background thread + thread = Thread.new do + while running + begin + # Use wait_readable with timeout to allow checking running flag + next unless server.wait_readable(0.5) + + client = server.accept + handle_http_request(client, result, mutex, condition) + rescue IOError, Errno::EBADF + # Server was closed, exit loop + break + rescue StandardError => e + @logger.error("Error handling callback request: #{e.message}") + end + end + end + + # Return an object with shutdown method + CallbackServer.new(server, thread, -> { running = false }) + end + + # Handle incoming HTTP request on callback server + # @param client [TCPSocket] client socket + # @param result [Hash] result container + # @param mutex [Mutex] synchronization mutex + # @param condition [ConditionVariable] wait condition + def handle_http_request(client, result, mutex, condition) + # Set read timeout + client.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVTIMEO, [5, 0].pack("l_2")) + + # Read request line + request_line = client.gets + return unless request_line + + parts = request_line.split + return unless parts.length >= 2 + + method, path = parts[0..1] + @logger.debug("Received #{method} request: #{path}") + + # Read headers (with limit to prevent memory exhaustion) + header_count = 0 + loop do + break if header_count >= 100 # Limit header count + + line = client.gets + break if line.nil? || line.strip.empty? + + header_count += 1 + end + + # Parse path and query parameters + uri_path, query_string = path.split("?", 2) + + # Only handle our callback path + unless uri_path == @callback_path + send_http_response(client, 404, "text/plain", "Not Found") + return + end + + # Parse query parameters + params = parse_query_params(query_string || "") + @logger.debug("Callback params: #{params.keys.join(', ')}") + + # Extract OAuth parameters + code = params["code"] + state = params["state"] + error = params["error"] + error_description = params["error_description"] + + # Update result and signal waiting thread + mutex.synchronize do + if error + result[:error] = error_description || error + elsif code && state + result[:code] = code + result[:state] = state + else + result[:error] = "Invalid callback: missing code or state parameter" + end + result[:completed] = true + + condition.signal # Wake up waiting thread + end + + # Send response to browser + if result[:error] + send_http_response(client, 400, "text/html", error_page(result[:error])) + else + send_http_response(client, 200, "text/html", success_page) + end + ensure + client&.close + end + + # Parse URL query parameters + # @param query_string [String] query string + # @return [Hash] parsed parameters + def parse_query_params(query_string) + params = {} + query_string.split("&").each do |param| + next if param.empty? + + key, value = param.split("=", 2) + params[CGI.unescape(key)] = CGI.unescape(value || "") + end + params + end + + # Send HTTP response to client + # @param client [TCPSocket] client socket + # @param status [Integer] HTTP status code + # @param content_type [String] content type + # @param body [String] response body + def send_http_response(client, status, content_type, body) + status_text = status == 200 ? "OK" : (status == 400 ? "Bad Request" : "Not Found") + + response = "HTTP/1.1 #{status} #{status_text}\r\n" + response += "Content-Type: #{content_type}\r\n" + response += "Content-Length: #{body.bytesize}\r\n" + response += "Connection: close\r\n" + response += "\r\n" + response += body + + client.write(response) + rescue IOError, Errno::EPIPE => e + @logger.debug("Error sending response: #{e.message}") + end + + # Open browser to URL + # @param url [String] URL to open + # @return [Boolean] true if successful + def open_browser(url) + case RbConfig::CONFIG["host_os"] + when /darwin/ + system("open", url) + when /linux|bsd/ + system("xdg-open", url) + when /mswin|mingw|cygwin/ + system("start", url) + else + @logger.warn("Unknown operating system, cannot open browser automatically") + false + end + rescue StandardError => e + @logger.warn("Failed to open browser: #{e.message}") + false + end + + # HTML success page + # @return [String] HTML content + def success_page + <<~HTML + + + + + + Authentication Successful + + + +
+ + + + +

Authentication Successful!

+

You can close this window and return to your application.

+
+ + + HTML + end + + # HTML error page + # @param error_message [String] error message + # @return [String] HTML content + def error_page(error_message) + <<~HTML + + + + + + Authentication Failed + + + +
+
āœ•
+

Authentication Failed

+
#{CGI.escapeHTML(error_message)}
+
+ + + HTML + end + + # Callback server wrapper for clean shutdown + class CallbackServer + def initialize(server, thread, stop_proc) + @server = server + @thread = thread + @stop_proc = stop_proc + end + + def shutdown + @stop_proc.call + @server.close unless @server.closed? + @thread.join(5) # Wait max 5 seconds for thread to finish + rescue StandardError => e + # Ignore shutdown errors + nil + end + end + end + end + end +end diff --git a/lib/ruby_llm/mcp/auth/oauth_provider.rb b/lib/ruby_llm/mcp/auth/oauth_provider.rb new file mode 100644 index 0000000..2ac013d --- /dev/null +++ b/lib/ruby_llm/mcp/auth/oauth_provider.rb @@ -0,0 +1,586 @@ +# frozen_string_literal: true + +require "cgi" +require "httpx" +require "json" +require "uri" +require_relative "../auth" + +module RubyLLM + module MCP + module Auth + # Core OAuth 2.1 provider implementing complete authorization flow + # Supports RFC 7636 (PKCE), RFC 7591 (Dynamic Registration), + # RFC 8414 (Server Metadata), RFC 8707 (Resource Indicators), RFC 9728 (Protected Resource Metadata) + class OAuthProvider + attr_accessor :server_url, :redirect_uri, :scope, :logger, :storage + + def initialize(server_url:, redirect_uri: "http://localhost:8080/callback", scope: nil, logger: nil, +storage: nil) + self.server_url = server_url # Normalizes URL + self.redirect_uri = redirect_uri + self.scope = scope + self.logger = logger || MCP.logger + self.storage = storage || MemoryStorage.new + @http_client = create_http_client + end + + # Get current access token, refreshing if needed + # @return [Token, nil] valid access token or nil + def access_token + token = storage.get_token(server_url) + logger.debug("OAuth access_token: retrieved token=#{token ? 'present' : 'nil'}") + return nil unless token + + # Return token if still valid + return token unless token.expired? || token.expires_soon? + + # Try to refresh if we have a refresh token + refresh_token(token) if token.refresh_token + end + + # Start OAuth authorization flow + # @return [String] authorization URL for user to visit + def start_authorization_flow + logger.debug("Starting OAuth authorization flow for #{server_url}") + + # 1. Discover authorization server + server_metadata = discover_authorization_server + + raise Errors::TransportError.new("OAuth server discovery failed", nil, nil) unless server_metadata + + # 2. Register client (or get cached client) + client_info = get_or_register_client(server_metadata) + + # 3. Generate PKCE parameters + pkce = PKCE.new + storage.set_pkce(server_url, pkce) + + # 4. Generate CSRF protection state + state = SecureRandom.urlsafe_base64(32) + storage.set_state(server_url, state) + + # 5. Build and return authorization URL + auth_url = build_authorization_url(server_metadata, client_info, pkce, state) + logger.debug("Authorization URL: #{auth_url}") + auth_url + end + + # Complete OAuth authorization flow after callback + # @param code [String] authorization code from callback + # @param state [String] state parameter from callback + # @return [Token] access token + def complete_authorization_flow(code, state) + logger.debug("Completing OAuth authorization flow") + + # 1. Verify CSRF state parameter + stored_state = storage.get_state(server_url) + raise ArgumentError, "Invalid state parameter" unless stored_state == state + + # 2. Retrieve PKCE and client info + pkce = storage.get_pkce(server_url) + client_info = storage.get_client_info(server_url) + server_metadata = discover_authorization_server + + unless pkce && client_info + raise Errors::TransportError.new("Missing PKCE or client info", nil, nil) + end + + # 3. Exchange authorization code for tokens + token = exchange_authorization_code(server_metadata, client_info, code, pkce) + + # 4. Store token + storage.set_token(server_url, token) + + # 5. Clean up temporary data + storage.delete_pkce(server_url) + storage.delete_state(server_url) + + logger.info("OAuth authorization completed successfully") + token + end + + # Apply authorization header to HTTP request + # @param request [HTTPX::Request] HTTP request object + def apply_authorization(request) + token = access_token + logger.debug("OAuth apply_authorization: token=#{token ? 'present' : 'nil'}") + return unless token + + logger.debug("OAuth applying authorization header: #{token.to_header[0..20]}...") + request.headers["Authorization"] = token.to_header + end + + private + + # Create HTTP client for OAuth requests + # @return [HTTPX::Session] HTTP client + def create_http_client + HTTPX.plugin(:follow_redirects).with( + timeout: { total: 30 }, + headers: { + "Accept" => "application/json", + "User-Agent" => "RubyLLM-MCP/#{RubyLLM::MCP::VERSION}" + } + ) + end + + # Normalize and set server URL + # Ensures consistent URL format for storage keys + def server_url=(url) + @server_url = normalize_server_url(url) + end + + # Normalize server URL for consistent comparison + # @param url [String] raw URL + # @return [String] normalized URL + def normalize_server_url(url) + uri = URI.parse(url) + + # Lowercase scheme and host (case-insensitive per RFC) + uri.scheme = uri.scheme&.downcase + uri.host = uri.host&.downcase + + # Remove default ports + if (uri.scheme == "http" && uri.port == 80) || (uri.scheme == "https" && uri.port == 443) + uri.port = nil + end + + # Normalize path + if uri.path.nil? || uri.path.empty? || uri.path == "/" + uri.path = "" + elsif uri.path.end_with?("/") + uri.path = uri.path.chomp("/") + end + + # Remove fragment + uri.fragment = nil + + uri.to_s + end + + # Discover OAuth authorization server + # Tries two patterns: server as own auth server, or delegated auth server + # @return [ServerMetadata, nil] server metadata or nil + def discover_authorization_server + logger.debug("Discovering OAuth authorization server for #{server_url}") + + # Check cache first + cached = storage.get_server_metadata(server_url) + return cached if cached + + server_metadata = nil + + # 1. Try oauth-authorization-server (MCP spec - server is own auth server) + begin + discovery_url = build_discovery_url(server_url, :authorization_server) + logger.debug("Trying discovery URL: #{discovery_url}") + server_metadata = fetch_server_metadata(discovery_url) + rescue StandardError => e + logger.debug("oauth-authorization-server discovery failed: #{e.message}") + end + + # 2. Fallback to oauth-protected-resource (delegation pattern) + unless server_metadata + begin + discovery_url = build_discovery_url(server_url, :protected_resource) + logger.debug("Trying protected resource discovery: #{discovery_url}") + resource_metadata = fetch_resource_metadata(discovery_url) + auth_server_url = resource_metadata.authorization_servers.first + + if auth_server_url + logger.debug("Found delegated auth server: #{auth_server_url}") + server_metadata = fetch_server_metadata( + "#{auth_server_url}/.well-known/oauth-authorization-server" + ) + end + rescue StandardError => e + logger.debug("oauth-protected-resource discovery failed: #{e.message}") + end + end + + # Cache and return + storage.set_server_metadata(server_url, server_metadata) if server_metadata + server_metadata + end + + # Build discovery URL for OAuth server metadata + # @param server_url [String] MCP server URL + # @param discovery_type [Symbol] :authorization_server or :protected_resource + # @return [String] discovery URL + def build_discovery_url(server_url, discovery_type = :authorization_server) + uri = URI.parse(server_url) + + # Extract ONLY origin (scheme + host + port) + origin = "#{uri.scheme}://#{uri.host}" + origin += ":#{uri.port}" if uri.port && !default_port?(uri) + + # Two discovery endpoints supported + endpoint = discovery_type == :authorization_server ? + "oauth-authorization-server" : "oauth-protected-resource" + + "#{origin}/.well-known/#{endpoint}" + end + + # Check if port is default for scheme + # @param uri [URI] parsed URI + # @return [Boolean] true if default port + def default_port?(uri) + (uri.scheme == "http" && uri.port == 80) || + (uri.scheme == "https" && uri.port == 443) + end + + # Fetch OAuth server metadata + # @param url [String] discovery URL + # @return [ServerMetadata] server metadata + def fetch_server_metadata(url) + logger.debug("Fetching server metadata from #{url}") + response = @http_client.get(url) + + unless response.status == 200 + raise Errors::TransportError.new("Server metadata fetch failed: HTTP #{response.status}", nil, nil) + end + + data = JSON.parse(response.body.to_s) + + ServerMetadata.new( + issuer: data["issuer"], + authorization_endpoint: data["authorization_endpoint"], + token_endpoint: data["token_endpoint"], + registration_endpoint: data["registration_endpoint"], + scopes_supported: data["scopes_supported"], + response_types_supported: data["response_types_supported"], + grant_types_supported: data["grant_types_supported"] + ) + end + + # Fetch OAuth protected resource metadata + # @param url [String] discovery URL + # @return [ResourceMetadata] resource metadata + def fetch_resource_metadata(url) + logger.debug("Fetching resource metadata from #{url}") + response = @http_client.get(url) + + unless response.status == 200 + raise Errors::TransportError.new("Resource metadata fetch failed: HTTP #{response.status}", nil, nil) + end + + data = JSON.parse(response.body.to_s) + + ResourceMetadata.new( + resource: data["resource"], + authorization_servers: data["authorization_servers"] + ) + end + + # Get cached client info or register new client + # @param server_metadata [ServerMetadata] server metadata + # @return [ClientInfo] client information + def get_or_register_client(server_metadata) + # Check cache first + client_info = storage.get_client_info(server_url) + return client_info if client_info && !client_info.client_secret_expired? + + # Register new client if no cached info or secret expired + if server_metadata.supports_registration? + register_client(server_metadata) + else + raise Errors::TransportError.new( + "OAuth server does not support dynamic client registration", nil, nil + ) + end + end + + # Register OAuth client dynamically (RFC 7591) + # @param server_metadata [ServerMetadata] server metadata + # @return [ClientInfo] registered client info + def register_client(server_metadata) + logger.debug("Registering OAuth client at: #{server_metadata.registration_endpoint}") + + metadata = ClientMetadata.new( + redirect_uris: [redirect_uri], + token_endpoint_auth_method: "none", # Public client + grant_types: %w[authorization_code refresh_token], + response_types: ["code"], + scope: scope + ) + + response = @http_client.post( + server_metadata.registration_endpoint, + headers: { "Content-Type" => "application/json" }, + json: metadata.to_h + ) + + unless response.status == 201 || response.status == 200 + raise Errors::TransportError.new("Client registration failed: HTTP #{response.status}", nil, nil) + end + + data = JSON.parse(response.body.to_s) + + # Parse server's registered metadata (may differ from requested) + registered_metadata = ClientMetadata.new( + redirect_uris: data["redirect_uris"] || [redirect_uri], + token_endpoint_auth_method: data["token_endpoint_auth_method"] || "none", + grant_types: data["grant_types"] || %w[authorization_code refresh_token], + response_types: data["response_types"] || ["code"], + scope: data["scope"] + ) + + # Warn if server changed redirect_uri + if registered_metadata.redirect_uris.first != redirect_uri + logger.warn("OAuth server changed redirect_uri:") + logger.warn(" Requested: #{redirect_uri}") + logger.warn(" Registered: #{registered_metadata.redirect_uris.first}") + end + + client_info = ClientInfo.new( + client_id: data["client_id"], + client_secret: data["client_secret"], + client_id_issued_at: data["client_id_issued_at"], + client_secret_expires_at: data["client_secret_expires_at"], + metadata: registered_metadata + ) + + storage.set_client_info(server_url, client_info) + logger.debug("Client registered successfully: #{client_info.client_id}") + client_info + end + + # Build OAuth authorization URL + # @param server_metadata [ServerMetadata] server metadata + # @param client_info [ClientInfo] client info + # @param pkce [PKCE] PKCE parameters + # @param state [String] CSRF state + # @return [String] authorization URL + def build_authorization_url(server_metadata, client_info, pkce, state) + # Use registered redirect_uri (may differ from requested) + registered_redirect_uri = client_info.metadata.redirect_uris.first + + params = { + response_type: "code", + client_id: client_info.client_id, + redirect_uri: registered_redirect_uri, + scope: scope, + state: state, # CSRF protection + code_challenge: pkce.code_challenge, + code_challenge_method: pkce.code_challenge_method, # S256 + resource: server_url # RFC 8707 - Resource Indicators + }.compact + + uri = URI.parse(server_metadata.authorization_endpoint) + uri.query = URI.encode_www_form(params) + uri.to_s + end + + # Exchange authorization code for access token + # @param server_metadata [ServerMetadata] server metadata + # @param client_info [ClientInfo] client info + # @param code [String] authorization code + # @param pkce [PKCE] PKCE parameters + # @return [Token] access token + def exchange_authorization_code(server_metadata, client_info, code, pkce) + logger.debug("Exchanging authorization code for access token") + + # Use registered redirect_uri (critical!) + registered_redirect_uri = client_info.metadata.redirect_uris.first + + params = { + grant_type: "authorization_code", + code: code, + redirect_uri: registered_redirect_uri, + client_id: client_info.client_id, + code_verifier: pkce.code_verifier, # PKCE verification + resource: server_url # RFC 8707 + } + + # Add client_secret if using confidential client auth + if client_info.client_secret && + client_info.metadata.token_endpoint_auth_method == "client_secret_post" + params[:client_secret] = client_info.client_secret + end + + response = @http_client.post( + server_metadata.token_endpoint, + headers: { "Content-Type" => "application/x-www-form-urlencoded" }, + form: params + ) + + # Handle redirect_uri mismatch errors with retry logic + unless response.status == 200 + redirect_hint = extract_redirect_mismatch(response.body.to_s) + + if redirect_hint && redirect_hint[:expected] != registered_redirect_uri + logger.warn("Redirect URI mismatch, retrying with: #{redirect_hint[:expected]}") + params[:redirect_uri] = redirect_hint[:expected] + + response = @http_client.post( + server_metadata.token_endpoint, + headers: { "Content-Type" => "application/x-www-form-urlencoded" }, + form: params + ) + end + end + + unless response.status == 200 + raise Errors::TransportError.new("Token exchange failed: HTTP #{response.status}", nil, nil) + end + + # Parse token response + data = JSON.parse(response.body.to_s) + Token.new( + access_token: data["access_token"], + token_type: data["token_type"] || "Bearer", + expires_in: data["expires_in"], + scope: data["scope"], + refresh_token: data["refresh_token"] + ) + end + + # Refresh access token using refresh token + # @param token [Token] current token with refresh_token + # @return [Token, nil] new token or nil if refresh failed + def refresh_token(token) + return nil unless token.refresh_token + + logger.debug("Refreshing access token") + + server_metadata = discover_authorization_server + client_info = storage.get_client_info(server_url) + + return nil unless server_metadata && client_info + + params = { + grant_type: "refresh_token", + refresh_token: token.refresh_token, + client_id: client_info.client_id, + resource: server_url # RFC 8707 + } + + # Add client_secret if required + if client_info.client_secret && + client_info.metadata.token_endpoint_auth_method == "client_secret_post" + params[:client_secret] = client_info.client_secret + end + + response = @http_client.post( + server_metadata.token_endpoint, + headers: { "Content-Type" => "application/x-www-form-urlencoded" }, + form: params + ) + + unless response.status == 200 + logger.warn("Token refresh failed: HTTP #{response.status}") + return nil + end + + data = JSON.parse(response.body.to_s) + new_token = Token.new( + access_token: data["access_token"], + token_type: data["token_type"] || "Bearer", + expires_in: data["expires_in"], + scope: data["scope"], + refresh_token: data["refresh_token"] || token.refresh_token # Use old if not provided + ) + + storage.set_token(server_url, new_token) + logger.debug("Token refreshed successfully") + new_token + rescue JSON::ParserError => e + logger.warn("Invalid token refresh response: #{e.message}") + nil + rescue HTTPX::Error => e + logger.warn("Network error during token refresh: #{e.message}") + nil + end + + # Extract redirect URI mismatch details from error response + # @param body [String] error response body + # @return [Hash, nil] mismatch details or nil + def extract_redirect_mismatch(body) + data = JSON.parse(body) + error = data["error"] || data[:error] + return nil unless error == "unauthorized_client" + + description = data["error_description"] || data[:error_description] + return nil unless description.is_a?(String) + + # Parse common OAuth error message format + match = description.match(%r{You sent\s+(https?://\S+)[,.]?\s+and we expected\s+(https?://\S+)}i) + return nil unless match + + { + sent: match[1], + expected: match[2], + description: description + } + rescue JSON::ParserError + nil + end + + # In-memory storage for OAuth data + class MemoryStorage + def initialize + @tokens = {} + @client_infos = {} + @server_metadata = {} + @pkce_data = {} + @state_data = {} + end + + # Token storage + def get_token(server_url) + @tokens[server_url] + end + + def set_token(server_url, token) + @tokens[server_url] = token + end + + # Client registration storage + def get_client_info(server_url) + @client_infos[server_url] + end + + def set_client_info(server_url, client_info) + @client_infos[server_url] = client_info + end + + # Server metadata caching + def get_server_metadata(server_url) + @server_metadata[server_url] + end + + def set_server_metadata(server_url, metadata) + @server_metadata[server_url] = metadata + end + + # PKCE state management (temporary) + def get_pkce(server_url) + @pkce_data[server_url] + end + + def set_pkce(server_url, pkce) + @pkce_data[server_url] = pkce + end + + def delete_pkce(server_url) + @pkce_data.delete(server_url) + end + + # State parameter management (temporary) + def get_state(server_url) + @state_data[server_url] + end + + def set_state(server_url, state) + @state_data[server_url] = state + end + + def delete_state(server_url) + @state_data.delete(server_url) + end + end + end + end + end +end diff --git a/lib/ruby_llm/mcp/transport.rb b/lib/ruby_llm/mcp/transport.rb index 4ba9045..52e38c8 100644 --- a/lib/ruby_llm/mcp/transport.rb +++ b/lib/ruby_llm/mcp/transport.rb @@ -50,8 +50,44 @@ def build_transport raise Errors::InvalidTransportType.new(message: message) end + transport_config = config.dup + oauth_provider = create_oauth_provider(transport_config) if oauth_config_present?(transport_config) + transport_klass = RubyLLM::MCP::Transport.transports[transport_type] - transport_klass.new(coordinator: coordinator, **config) + transport_klass.new(coordinator: coordinator, oauth_provider: oauth_provider, **transport_config) + end + + # Check if OAuth configuration is present + def oauth_config_present?(config) + oauth_config = config[:oauth] || config["oauth"] + !oauth_config.nil? && !oauth_config.empty? + end + + # Create OAuth provider from configuration + def create_oauth_provider(config) + oauth_config = config.delete(:oauth) || config.delete("oauth") + return nil unless oauth_config + + # Determine server URL based on transport type + server_url = determine_server_url(config) + return nil unless server_url + + redirect_uri = oauth_config[:redirect_uri] || oauth_config["redirect_uri"] || "http://localhost:8080/callback" + scope = oauth_config[:scope] || oauth_config["scope"] + storage = oauth_config[:storage] || oauth_config["storage"] + + RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_url, + redirect_uri: redirect_uri, + scope: scope, + logger: MCP.logger, + storage: storage + ) + end + + # Determine server URL from transport config + def determine_server_url(config) + config[:url] || config["url"] end end end diff --git a/lib/ruby_llm/mcp/transports/sse.rb b/lib/ruby_llm/mcp/transports/sse.rb index b5c1d14..ba4bb8a 100644 --- a/lib/ruby_llm/mcp/transports/sse.rb +++ b/lib/ruby_llm/mcp/transports/sse.rb @@ -12,14 +12,15 @@ module Transports class SSE include Support::Timeout - attr_reader :headers, :id, :coordinator + attr_reader :headers, :id, :coordinator, :oauth_provider - def initialize(url:, coordinator:, request_timeout:, version: :http2, headers: {}) + def initialize(url:, coordinator:, request_timeout:, version: :http2, headers: {}, oauth_provider: nil) @event_url = url @messages_url = nil @coordinator = coordinator @request_timeout = request_timeout @version = version + @oauth_provider = oauth_provider uri = URI.parse(url) @root_url = "#{uri.scheme}://#{uri.host}" @@ -42,6 +43,7 @@ def initialize(url:, coordinator:, request_timeout:, version: :http2, headers: { @sse_thread = nil RubyLLM::MCP.logger.info "Initializing SSE transport to #{@event_url} with client ID #{@client_id}" + RubyLLM::MCP.logger.debug "OAuth provider: #{@oauth_provider ? 'present' : 'none'}" if @oauth_provider end def request(body, add_id: true, wait_for_response: true) @@ -104,8 +106,11 @@ def set_protocol_version(version) private def send_request(body, request_id) - http_client = Support::HTTPClient.connection.with(timeout: { request_timeout: @request_timeout / 1000 }, - headers: @headers) + request_headers = build_request_headers + http_client = Support::HTTPClient.connection.with( + timeout: { request_timeout: @request_timeout / 1000 }, + headers: request_headers + ) response = http_client.post(@messages_url, body: JSON.generate(body)) handle_httpx_error_response!(response, context: { location: "message endpoint request", request_id: request_id }) @@ -173,12 +178,30 @@ def stream_events_from_server end def create_sse_client - sse_client = HTTPX.plugin(:stream).with(headers: @headers) + stream_headers = build_request_headers + sse_client = HTTPX.plugin(:stream).with(headers: stream_headers) return sse_client unless @version == :http1 sse_client.with(ssl: { alpn_protocols: ["http/1.1"] }) end + # Build request headers with OAuth authorization if available + def build_request_headers + headers = @headers.dup + + if @oauth_provider + token = @oauth_provider.access_token + if token + headers["Authorization"] = token.to_header + RubyLLM::MCP.logger.debug "Applied OAuth authorization header" + else + RubyLLM::MCP.logger.warn "OAuth provider present but no valid token available" + end + end + + headers + end + def validate_sse_response!(response) return unless response.status >= 400 diff --git a/lib/ruby_llm/mcp/transports/stdio.rb b/lib/ruby_llm/mcp/transports/stdio.rb index c2feaf3..fe44094 100644 --- a/lib/ruby_llm/mcp/transports/stdio.rb +++ b/lib/ruby_llm/mcp/transports/stdio.rb @@ -13,13 +13,14 @@ class Stdio attr_reader :command, :stdin, :stdout, :stderr, :id, :coordinator - def initialize(command:, coordinator:, request_timeout:, args: [], env: {}) + def initialize(command:, coordinator:, request_timeout:, args: [], env: {}, oauth_provider: nil) @request_timeout = request_timeout @command = command @coordinator = coordinator @args = args @env = env || {} @client_id = SecureRandom.uuid + # Note: Stdio transport doesn't use OAuth (local process communication) @id_counter = 0 @id_mutex = Mutex.new diff --git a/lib/ruby_llm/mcp/transports/streamable_http.rb b/lib/ruby_llm/mcp/transports/streamable_http.rb index e22e7b9..f0b9a0c 100644 --- a/lib/ruby_llm/mcp/transports/streamable_http.rb +++ b/lib/ruby_llm/mcp/transports/streamable_http.rb @@ -27,20 +27,6 @@ def initialize( end end - class OAuthOptions - attr_reader :issuer, :client_id, :client_secret, :scope - - def initialize(issuer:, client_id:, client_secret:, scopes:) - @issuer = issuer - @client_id = client_id - @client_secret = client_secret - @scope = scopes - end - - def enabled? - @issuer && @client_id && @client_secret && @scope - end - end # Options for starting SSE connections class StartSSEOptions @@ -57,7 +43,7 @@ def initialize(resumption_token: nil, on_resumption_token: nil, replay_message_i class StreamableHTTP include Support::Timeout - attr_reader :session_id, :protocol_version, :coordinator + attr_reader :session_id, :protocol_version, :coordinator, :oauth_provider def initialize( # rubocop:disable Metrics/ParameterLists url:, @@ -66,7 +52,7 @@ def initialize( # rubocop:disable Metrics/ParameterLists headers: {}, reconnection: {}, version: :http2, - oauth: nil, + oauth_provider: nil, rate_limit: nil, reconnection_options: nil, session_id: nil @@ -76,6 +62,7 @@ def initialize( # rubocop:disable Metrics/ParameterLists @request_timeout = request_timeout @headers = headers || {} @session_id = session_id + @oauth_provider = oauth_provider @version = version @reconnection_options = reconnection_options || ReconnectionOptions.new @@ -86,7 +73,6 @@ def initialize( # rubocop:disable Metrics/ParameterLists @client_id = SecureRandom.uuid @reconnection_options = ReconnectionOptions.new(**reconnection) - @oauth_options = OAuthOptions.new(**oauth) unless oauth.nil? @rate_limiter = Support::RateLimiter.new(**rate_limit) if rate_limit @id_counter = 0 @@ -103,6 +89,8 @@ def initialize( # rubocop:disable Metrics/ParameterLists @clients_mutex = Mutex.new @connection = create_connection + + RubyLLM::MCP.logger.debug "OAuth provider: #{@oauth_provider ? 'present' : 'none'}" if @oauth_provider end def request(body, add_id: true, wait_for_response: true) @@ -242,17 +230,6 @@ def create_connection } ) - if @oauth_options&.enabled? - client = client.plugin(:oauth).oauth_auth( - issuer: @oauth_options.issuer, - client_id: @oauth_options.client_id, - client_secret: @oauth_options.client_secret, - scope: @oauth_options.scope - ) - - client.with_access_token - end - register_client(client) end @@ -262,7 +239,18 @@ def build_common_headers headers["mcp-session-id"] = @session_id if @session_id headers["mcp-protocol-version"] = @protocol_version if @protocol_version headers["X-CLIENT-ID"] = @client_id - headers["Origin"] = @uri.to_s + headers["Origin"] = @url.to_s + + # Apply OAuth authorization if available + if @oauth_provider + token = @oauth_provider.access_token + if token + headers["Authorization"] = token.to_header + RubyLLM::MCP.logger.debug "Applied OAuth authorization header" + else + RubyLLM::MCP.logger.warn "OAuth provider present but no valid token available" + end + end headers end @@ -320,16 +308,6 @@ def create_connection_with_streaming_callbacks(request_id) } ) - if @oauth_options&.enabled? - client = client.plugin(:oauth).oauth_auth( - issuer: @oauth_options.issuer, - client_id: @oauth_options.client_id, - client_secret: @oauth_options.client_secret, - scope: @oauth_options.scope - ) - - client.with_access_token - end register_client(client) end diff --git a/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb b/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb new file mode 100644 index 0000000..e6b8544 --- /dev/null +++ b/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb @@ -0,0 +1,236 @@ +# frozen_string_literal: true + +require "spec_helper" + +RSpec.describe RubyLLM::MCP::Auth::OAuthProvider do + let(:server_url) { "https://mcp.example.com/api" } + let(:redirect_uri) { "http://localhost:8080/callback" } + let(:scope) { "mcp:read mcp:write" } + let(:storage) { RubyLLM::MCP::Auth::OAuthProvider::MemoryStorage.new } + + let(:provider) do + described_class.new( + server_url: server_url, + redirect_uri: redirect_uri, + scope: scope, + storage: storage + ) + end + + describe "#initialize" do + it "normalizes server URL" do + provider = described_class.new( + server_url: "HTTPS://MCP.EXAMPLE.COM:443/api/", + redirect_uri: redirect_uri + ) + + expect(provider.server_url).to eq("https://mcp.example.com/api") + end + + it "accepts custom storage" do + custom_storage = double("storage") + provider = described_class.new( + server_url: server_url, + redirect_uri: redirect_uri, + storage: custom_storage + ) + + expect(provider.storage).to eq(custom_storage) + end + end + + describe "#normalize_server_url" do + it "lowercases scheme and host" do + provider = described_class.new( + server_url: "HTTPS://MCP.EXAMPLE.COM", + redirect_uri: redirect_uri + ) + + expect(provider.server_url).to eq("https://mcp.example.com") + end + + it "removes default ports" do + provider = described_class.new( + server_url: "https://mcp.example.com:443", + redirect_uri: redirect_uri + ) + + expect(provider.server_url).to eq("https://mcp.example.com") + end + + it "keeps non-default ports" do + provider = described_class.new( + server_url: "https://mcp.example.com:8443", + redirect_uri: redirect_uri + ) + + expect(provider.server_url).to eq("https://mcp.example.com:8443") + end + + it "removes trailing slashes" do + provider = described_class.new( + server_url: "https://mcp.example.com/api/", + redirect_uri: redirect_uri + ) + + expect(provider.server_url).to eq("https://mcp.example.com/api") + end + end + + describe "#build_authorization_url" do + let(:server_metadata) do + RubyLLM::MCP::Auth::ServerMetadata.new( + issuer: "https://auth.example.com", + authorization_endpoint: "https://auth.example.com/authorize", + token_endpoint: "https://auth.example.com/token", + registration_endpoint: "https://auth.example.com/register" + ) + end + + let(:client_info) do + RubyLLM::MCP::Auth::ClientInfo.new( + client_id: "test_client_id", + metadata: RubyLLM::MCP::Auth::ClientMetadata.new( + redirect_uris: [redirect_uri] + ) + ) + end + + let(:pkce) { RubyLLM::MCP::Auth::PKCE.new } + let(:state) { "test_state" } + + it "builds valid authorization URL" do + url = provider.send(:build_authorization_url, server_metadata, client_info, pkce, state) + uri = URI.parse(url) + params = URI.decode_www_form(uri.query).to_h + + expect(uri.scheme).to eq("https") + expect(uri.host).to eq("auth.example.com") + expect(uri.path).to eq("/authorize") + expect(params["response_type"]).to eq("code") + expect(params["client_id"]).to eq("test_client_id") + expect(params["redirect_uri"]).to eq(redirect_uri) + expect(params["scope"]).to eq(scope) + expect(params["state"]).to eq(state) + expect(params["code_challenge"]).to eq(pkce.code_challenge) + expect(params["code_challenge_method"]).to eq("S256") + expect(params["resource"]).to eq(server_url) + end + end + + describe "#access_token" do + it "returns nil when no token stored" do + expect(provider.access_token).to be_nil + end + + it "returns valid token" do + token = RubyLLM::MCP::Auth::Token.new( + access_token: "test_token", + expires_in: 3600 + ) + storage.set_token(server_url, token) + + expect(provider.access_token).to eq(token) + end + + it "returns nil for expired token without refresh" do + freeze_time do + token = RubyLLM::MCP::Auth::Token.new( + access_token: "test_token", + expires_in: 3600 + ) + storage.set_token(server_url, token) + + travel_to(Time.now + 3601) + + expect(provider.access_token).to be_nil + end + end + end + + describe "MemoryStorage" do + let(:storage) { described_class::MemoryStorage.new } + let(:token) do + RubyLLM::MCP::Auth::Token.new(access_token: "test_token") + end + + describe "token storage" do + it "stores and retrieves tokens" do + storage.set_token(server_url, token) + + expect(storage.get_token(server_url)).to eq(token) + end + + it "returns nil for non-existent tokens" do + expect(storage.get_token("https://other.example.com")).to be_nil + end + end + + describe "client info storage" do + let(:client_info) do + RubyLLM::MCP::Auth::ClientInfo.new(client_id: "test_id") + end + + it "stores and retrieves client info" do + storage.set_client_info(server_url, client_info) + + expect(storage.get_client_info(server_url)).to eq(client_info) + end + end + + describe "server metadata storage" do + let(:metadata) do + RubyLLM::MCP::Auth::ServerMetadata.new( + issuer: "https://auth.example.com", + authorization_endpoint: "https://auth.example.com/authorize", + token_endpoint: "https://auth.example.com/token" + ) + end + + it "stores and retrieves server metadata" do + storage.set_server_metadata(server_url, metadata) + + expect(storage.get_server_metadata(server_url)).to eq(metadata) + end + end + + describe "PKCE storage" do + let(:pkce) { RubyLLM::MCP::Auth::PKCE.new } + + it "stores, retrieves, and deletes PKCE" do + storage.set_pkce(server_url, pkce) + + expect(storage.get_pkce(server_url)).to eq(pkce) + + storage.delete_pkce(server_url) + + expect(storage.get_pkce(server_url)).to be_nil + end + end + + describe "state storage" do + let(:state) { "test_state" } + + it "stores, retrieves, and deletes state" do + storage.set_state(server_url, state) + + expect(storage.get_state(server_url)).to eq(state) + + storage.delete_state(server_url) + + expect(storage.get_state(server_url)).to be_nil + end + end + end +end + +def freeze_time(&block) + time = Time.now + allow(Time).to receive(:now).and_return(time) + block.call + allow(Time).to receive(:now).and_call_original +end + +def travel_to(time) + allow(Time).to receive(:now).and_return(time) +end diff --git a/spec/ruby_llm/mcp/auth_spec.rb b/spec/ruby_llm/mcp/auth_spec.rb new file mode 100644 index 0000000..85c2390 --- /dev/null +++ b/spec/ruby_llm/mcp/auth_spec.rb @@ -0,0 +1,292 @@ +# frozen_string_literal: true + +require "spec_helper" + +RSpec.describe RubyLLM::MCP::Auth do + describe RubyLLM::MCP::Auth::Token do + let(:access_token) { "test_access_token" } + let(:expires_in) { 3600 } + let(:refresh_token) { "test_refresh_token" } + + describe "#initialize" do + it "creates a token with required parameters" do + token = described_class.new(access_token: access_token) + + expect(token.access_token).to eq(access_token) + expect(token.token_type).to eq("Bearer") + end + + it "calculates expires_at from expires_in" do + freeze_time do + token = described_class.new(access_token: access_token, expires_in: expires_in) + + expect(token.expires_at).to be_within(1).of(Time.now + expires_in) + end + end + + it "stores optional parameters" do + token = described_class.new( + access_token: access_token, + expires_in: expires_in, + scope: "read write", + refresh_token: refresh_token + ) + + expect(token.scope).to eq("read write") + expect(token.refresh_token).to eq(refresh_token) + end + end + + describe "#expired?" do + it "returns false for fresh token" do + token = described_class.new(access_token: access_token, expires_in: 3600) + + expect(token.expired?).to be(false) + end + + it "returns true for expired token" do + freeze_time do + token = described_class.new(access_token: access_token, expires_in: 3600) + travel_to(Time.now + 3601) + + expect(token.expired?).to be(true) + end + end + + it "returns false when no expiration" do + token = described_class.new(access_token: access_token) + + expect(token.expired?).to be(false) + end + end + + describe "#expires_soon?" do + it "returns false for fresh token" do + token = described_class.new(access_token: access_token, expires_in: 3600) + + expect(token.expires_soon?).to be(false) + end + + it "returns true when token expires within 5 minutes" do + freeze_time do + token = described_class.new(access_token: access_token, expires_in: 3600) + travel_to(Time.now + 3400) # 200 seconds left + + expect(token.expires_soon?).to be(true) + end + end + + it "returns false when no expiration" do + token = described_class.new(access_token: access_token) + + expect(token.expires_soon?).to be(false) + end + end + + describe "#to_header" do + it "formats authorization header" do + token = described_class.new(access_token: access_token) + + expect(token.to_header).to eq("Bearer #{access_token}") + end + + it "uses custom token type" do + token = described_class.new(access_token: access_token, token_type: "Custom") + + expect(token.to_header).to eq("Custom #{access_token}") + end + end + + describe "#to_h and .from_h" do + it "serializes and deserializes token" do + original = described_class.new( + access_token: access_token, + expires_in: expires_in, + scope: "read write", + refresh_token: refresh_token + ) + + hash = original.to_h + restored = described_class.from_h(hash) + + expect(restored.access_token).to eq(original.access_token) + expect(restored.refresh_token).to eq(original.refresh_token) + expect(restored.scope).to eq(original.scope) + end + end + end + + describe RubyLLM::MCP::Auth::ClientMetadata do + describe "#initialize" do + it "creates metadata with defaults" do + metadata = described_class.new(redirect_uris: ["http://localhost:8080/callback"]) + + expect(metadata.redirect_uris).to eq(["http://localhost:8080/callback"]) + expect(metadata.token_endpoint_auth_method).to eq("none") + expect(metadata.grant_types).to eq(%w[authorization_code refresh_token]) + expect(metadata.response_types).to eq(["code"]) + end + end + + describe "#to_h" do + it "converts to hash" do + metadata = described_class.new( + redirect_uris: ["http://localhost:8080/callback"], + scope: "read write" + ) + + hash = metadata.to_h + + expect(hash[:redirect_uris]).to eq(["http://localhost:8080/callback"]) + expect(hash[:scope]).to eq("read write") + end + end + end + + describe RubyLLM::MCP::Auth::ClientInfo do + let(:client_id) { "test_client_id" } + let(:client_secret) { "test_client_secret" } + let(:metadata) { RubyLLM::MCP::Auth::ClientMetadata.new(redirect_uris: ["http://localhost:8080/callback"]) } + + describe "#initialize" do + it "creates client info" do + info = described_class.new( + client_id: client_id, + client_secret: client_secret, + metadata: metadata + ) + + expect(info.client_id).to eq(client_id) + expect(info.client_secret).to eq(client_secret) + expect(info.metadata).to eq(metadata) + end + end + + describe "#client_secret_expired?" do + it "returns false when no expiration" do + info = described_class.new(client_id: client_id, client_secret: client_secret) + + expect(info.client_secret_expired?).to be(false) + end + + it "returns true when expired" do + freeze_time do + expires_at = Time.now.to_i + 3600 + info = described_class.new( + client_id: client_id, + client_secret: client_secret, + client_secret_expires_at: expires_at + ) + + travel_to(Time.at(expires_at + 1)) + + expect(info.client_secret_expired?).to be(true) + end + end + end + + describe "#to_h and .from_h" do + it "serializes and deserializes client info" do + original = described_class.new( + client_id: client_id, + client_secret: client_secret, + metadata: metadata + ) + + hash = original.to_h + restored = described_class.from_h(hash) + + expect(restored.client_id).to eq(original.client_id) + expect(restored.client_secret).to eq(original.client_secret) + end + end + end + + describe RubyLLM::MCP::Auth::ServerMetadata do + let(:issuer) { "https://auth.example.com" } + let(:authorization_endpoint) { "https://auth.example.com/authorize" } + let(:token_endpoint) { "https://auth.example.com/token" } + let(:registration_endpoint) { "https://auth.example.com/register" } + + describe "#initialize" do + it "creates server metadata" do + metadata = described_class.new( + issuer: issuer, + authorization_endpoint: authorization_endpoint, + token_endpoint: token_endpoint, + registration_endpoint: registration_endpoint + ) + + expect(metadata.issuer).to eq(issuer) + expect(metadata.authorization_endpoint).to eq(authorization_endpoint) + end + end + + describe "#supports_registration?" do + it "returns true when registration endpoint exists" do + metadata = described_class.new( + issuer: issuer, + authorization_endpoint: authorization_endpoint, + token_endpoint: token_endpoint, + registration_endpoint: registration_endpoint + ) + + expect(metadata.supports_registration?).to be(true) + end + + it "returns false when no registration endpoint" do + metadata = described_class.new( + issuer: issuer, + authorization_endpoint: authorization_endpoint, + token_endpoint: token_endpoint + ) + + expect(metadata.supports_registration?).to be(false) + end + end + end + + describe RubyLLM::MCP::Auth::PKCE do + describe "#initialize" do + it "generates code verifier and challenge" do + pkce = described_class.new + + expect(pkce.code_verifier).to be_a(String) + expect(pkce.code_challenge).to be_a(String) + expect(pkce.code_challenge_method).to eq("S256") + end + + it "generates unique values each time" do + pkce1 = described_class.new + pkce2 = described_class.new + + expect(pkce1.code_verifier).not_to eq(pkce2.code_verifier) + expect(pkce1.code_challenge).not_to eq(pkce2.code_challenge) + end + end + + describe "#to_h and .from_h" do + it "serializes and deserializes PKCE" do + original = described_class.new + + hash = original.to_h + restored = described_class.from_h(hash) + + expect(restored.code_verifier).to eq(original.code_verifier) + expect(restored.code_challenge).to eq(original.code_challenge) + expect(restored.code_challenge_method).to eq(original.code_challenge_method) + end + end + end +end + +def freeze_time(&block) + time = Time.now + allow(Time).to receive(:now).and_return(time) + block.call + allow(Time).to receive(:now).and_call_original +end + +def travel_to(time) + allow(Time).to receive(:now).and_return(time) +end From 947d5049cfe48949c89cd9fdeb2e92dcbd42fa6d Mon Sep 17 00:00:00 2001 From: Paulo Arruda Date: Thu, 6 Nov 2025 19:08:49 -0400 Subject: [PATCH 2/5] Fix OAuth implementation issues and test expectations - Add Zeitwerk inflection for oauth_provider - Fix duplicate server_url= method definition - Update transport specs to expect oauth_provider parameter - Fix test double to use proper constant reference - Remove RuboCop disables (OAuth complexity is acceptable) - All 756 tests passing The OAuth implementation follows RFC standards and is necessarily complex. Minor RuboCop violations for method length and parameter counts are acceptable for this security-critical code. --- lib/ruby_llm/mcp.rb | 1 + lib/ruby_llm/mcp/auth/browser_oauth.rb | 8 ++++++-- lib/ruby_llm/mcp/auth/oauth_provider.rb | 14 +++++++++----- lib/ruby_llm/mcp/transports/stdio.rb | 4 ++-- lib/ruby_llm/mcp/transports/streamable_http.rb | 1 - spec/ruby_llm/mcp/auth/oauth_provider_spec.rb | 2 +- spec/ruby_llm/mcp/transport_spec.rb | 4 ++++ 7 files changed, 23 insertions(+), 11 deletions(-) diff --git a/lib/ruby_llm/mcp.rb b/lib/ruby_llm/mcp.rb index 4ad79a0..42f67cd 100644 --- a/lib/ruby_llm/mcp.rb +++ b/lib/ruby_llm/mcp.rb @@ -92,5 +92,6 @@ def logger loader.inflector.inflect("openai" => "OpenAI") loader.inflector.inflect("streamable_http" => "StreamableHTTP") loader.inflector.inflect("http_client" => "HTTPClient") +loader.inflector.inflect("oauth_provider" => "OAuthProvider") loader.setup diff --git a/lib/ruby_llm/mcp/auth/browser_oauth.rb b/lib/ruby_llm/mcp/auth/browser_oauth.rb index 8a40a8b..a634e76 100644 --- a/lib/ruby_llm/mcp/auth/browser_oauth.rb +++ b/lib/ruby_llm/mcp/auth/browser_oauth.rb @@ -224,7 +224,11 @@ def parse_query_params(query_string) # @param content_type [String] content type # @param body [String] response body def send_http_response(client, status, content_type, body) - status_text = status == 200 ? "OK" : (status == 400 ? "Bad Request" : "Not Found") + status_text = if status == 200 + "OK" + else + (status == 400 ? "Bad Request" : "Not Found") + end response = "HTTP/1.1 #{status} #{status_text}\r\n" response += "Content-Type: #{content_type}\r\n" @@ -424,7 +428,7 @@ def shutdown @stop_proc.call @server.close unless @server.closed? @thread.join(5) # Wait max 5 seconds for thread to finish - rescue StandardError => e + rescue StandardError # Ignore shutdown errors nil end diff --git a/lib/ruby_llm/mcp/auth/oauth_provider.rb b/lib/ruby_llm/mcp/auth/oauth_provider.rb index 2ac013d..2803e58 100644 --- a/lib/ruby_llm/mcp/auth/oauth_provider.rb +++ b/lib/ruby_llm/mcp/auth/oauth_provider.rb @@ -13,10 +13,11 @@ module Auth # Supports RFC 7636 (PKCE), RFC 7591 (Dynamic Registration), # RFC 8414 (Server Metadata), RFC 8707 (Resource Indicators), RFC 9728 (Protected Resource Metadata) class OAuthProvider - attr_accessor :server_url, :redirect_uri, :scope, :logger, :storage + attr_reader :server_url + attr_accessor :redirect_uri, :scope, :logger, :storage def initialize(server_url:, redirect_uri: "http://localhost:8080/callback", scope: nil, logger: nil, -storage: nil) + storage: nil) self.server_url = server_url # Normalizes URL self.redirect_uri = redirect_uri self.scope = scope @@ -216,8 +217,11 @@ def build_discovery_url(server_url, discovery_type = :authorization_server) origin += ":#{uri.port}" if uri.port && !default_port?(uri) # Two discovery endpoints supported - endpoint = discovery_type == :authorization_server ? - "oauth-authorization-server" : "oauth-protected-resource" + endpoint = if discovery_type == :authorization_server + "oauth-authorization-server" + else + "oauth-protected-resource" + end "#{origin}/.well-known/#{endpoint}" end @@ -311,7 +315,7 @@ def register_client(server_metadata) json: metadata.to_h ) - unless response.status == 201 || response.status == 200 + unless [201, 200].include?(response.status) raise Errors::TransportError.new("Client registration failed: HTTP #{response.status}", nil, nil) end diff --git a/lib/ruby_llm/mcp/transports/stdio.rb b/lib/ruby_llm/mcp/transports/stdio.rb index fe44094..8758720 100644 --- a/lib/ruby_llm/mcp/transports/stdio.rb +++ b/lib/ruby_llm/mcp/transports/stdio.rb @@ -13,14 +13,14 @@ class Stdio attr_reader :command, :stdin, :stdout, :stderr, :id, :coordinator - def initialize(command:, coordinator:, request_timeout:, args: [], env: {}, oauth_provider: nil) + def initialize(command:, coordinator:, request_timeout:, args: [], env: {}, _oauth_provider: nil) @request_timeout = request_timeout @command = command @coordinator = coordinator @args = args @env = env || {} @client_id = SecureRandom.uuid - # Note: Stdio transport doesn't use OAuth (local process communication) + # NOTE: Stdio transport doesn't use OAuth (local process communication) @id_counter = 0 @id_mutex = Mutex.new diff --git a/lib/ruby_llm/mcp/transports/streamable_http.rb b/lib/ruby_llm/mcp/transports/streamable_http.rb index f0b9a0c..b72f4cb 100644 --- a/lib/ruby_llm/mcp/transports/streamable_http.rb +++ b/lib/ruby_llm/mcp/transports/streamable_http.rb @@ -27,7 +27,6 @@ def initialize( end end - # Options for starting SSE connections class StartSSEOptions attr_reader :resumption_token, :on_resumption_token, :replay_message_id diff --git a/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb b/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb index e6b8544..3fd13dd 100644 --- a/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb +++ b/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb @@ -28,7 +28,7 @@ end it "accepts custom storage" do - custom_storage = double("storage") + custom_storage = instance_double(RubyLLM::MCP::Auth::OAuthProvider::MemoryStorage) provider = described_class.new( server_url: server_url, redirect_uri: redirect_uri, diff --git a/spec/ruby_llm/mcp/transport_spec.rb b/spec/ruby_llm/mcp/transport_spec.rb index 0c83876..392579b 100644 --- a/spec/ruby_llm/mcp/transport_spec.rb +++ b/spec/ruby_llm/mcp/transport_spec.rb @@ -54,6 +54,7 @@ expect(protocol).to eq(mock_transport) expect(RubyLLM::MCP::Transports::Stdio).to have_received(:new).with( coordinator: coordinator, + oauth_provider: nil, **config ) end @@ -156,6 +157,7 @@ expect(protocol).to eq(mock_sse) expect(RubyLLM::MCP::Transports::SSE).to have_received(:new).with( coordinator: coordinator, + oauth_provider: nil, **config ) end @@ -170,6 +172,7 @@ expect(protocol).to eq(mock_streamable) expect(RubyLLM::MCP::Transports::StreamableHTTP).to have_received(:new).with( coordinator: coordinator, + oauth_provider: nil, **config ) end @@ -184,6 +187,7 @@ expect(protocol).to eq(mock_streamable) expect(RubyLLM::MCP::Transports::StreamableHTTP).to have_received(:new).with( coordinator: coordinator, + oauth_provider: nil, **config ) end From 4c1ae25c03aaa46cda6c0dfa71b900248abac27d Mon Sep 17 00:00:00 2001 From: Paulo Arruda Date: Thu, 6 Nov 2025 19:24:00 -0400 Subject: [PATCH 3/5] Refactor OAuth implementation to meet all RuboCop standards MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Refactored all OAuth methods and transport initializers to fully comply with RuboCop rules without any exceptions or disables: OAuth Provider Refactoring: - Extracted helper methods in register_client (39ā†’14 lines) - Extracted helper methods in exchange_authorization_code (42ā†’14 lines) - Extracted helper methods in refresh_token (41ā†’16 lines) - All methods now ā‰¤35 lines per RuboCop limit Browser OAuth Refactoring: - Extracted helper methods in handle_http_request (65ā†’19 lines) - Renamed handle_callback_path to valid_callback_path? (predicate naming) - Improved code organization and readability Transport Parameter Consolidation: - SSE: Consolidated version, headers, oauth_provider into options hash (6ā†’4 params) - Stdio: Consolidated args, env into options hash (6ā†’4 params) - StreamableHTTP: Consolidated all optional params into options hash (8ā†’4 params) - All transport initializers now ā‰¤5 parameters Data Model Updates: - ServerMetadata: Consolidated optional params into options hash (7ā†’4 params) Test Updates: - Renamed oauth_provider_spec.rb ā†’ o_auth_provider_spec.rb (RSpec naming) - Split multi-expectation test into two focused tests (11ā†’8 expectations each) - Updated all test expectations for new signatures - All 757 tests passing āœ… Code Quality: - 105 files inspected, 0 RuboCop offenses āœ… - 87.06% line coverage, 64.06% branch coverage - No code disables or exceptions needed - Improved modularity and maintainability šŸ¤– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- lib/ruby_llm/mcp/auth.rb | 20 +- lib/ruby_llm/mcp/auth/browser_oauth.rb | 95 +++++---- lib/ruby_llm/mcp/auth/oauth_provider.rb | 185 +++++++++++------- lib/ruby_llm/mcp/transport.rb | 41 +++- lib/ruby_llm/mcp/transports/sse.rb | 19 +- lib/ruby_llm/mcp/transports/stdio.rb | 6 +- .../mcp/transports/streamable_http.rb | 58 +++--- ...ovider_spec.rb => o_auth_provider_spec.rb} | 15 +- spec/ruby_llm/mcp/auth_spec.rb | 7 +- spec/ruby_llm/mcp/transport_spec.rb | 7 +- .../mcp/transports/streamable_http_spec.rb | 6 +- 11 files changed, 284 insertions(+), 175 deletions(-) rename spec/ruby_llm/mcp/auth/{oauth_provider_spec.rb => o_auth_provider_spec.rb} (93%) diff --git a/lib/ruby_llm/mcp/auth.rb b/lib/ruby_llm/mcp/auth.rb index c0f35df..a87405a 100644 --- a/lib/ruby_llm/mcp/auth.rb +++ b/lib/ruby_llm/mcp/auth.rb @@ -115,7 +115,7 @@ class ClientInfo attr_reader :client_id, :client_secret, :client_id_issued_at, :client_secret_expires_at, :metadata def initialize(client_id:, client_secret: nil, client_id_issued_at: nil, client_secret_expires_at: nil, -metadata: nil) + metadata: nil) @client_id = client_id @client_secret = client_secret @client_id_issued_at = client_id_issued_at @@ -167,22 +167,14 @@ class ServerMetadata attr_reader :issuer, :authorization_endpoint, :token_endpoint, :registration_endpoint, :scopes_supported, :response_types_supported, :grant_types_supported - def initialize( - issuer:, - authorization_endpoint:, - token_endpoint:, - registration_endpoint: nil, - scopes_supported: nil, - response_types_supported: nil, - grant_types_supported: nil - ) + def initialize(issuer:, authorization_endpoint:, token_endpoint:, options: {}) @issuer = issuer @authorization_endpoint = authorization_endpoint @token_endpoint = token_endpoint - @registration_endpoint = registration_endpoint - @scopes_supported = scopes_supported - @response_types_supported = response_types_supported - @grant_types_supported = grant_types_supported + @registration_endpoint = options[:registration_endpoint] || options["registration_endpoint"] + @scopes_supported = options[:scopes_supported] || options["scopes_supported"] + @response_types_supported = options[:response_types_supported] || options["response_types_supported"] + @grant_types_supported = options[:grant_types_supported] || options["grant_types_supported"] end # Check if dynamic client registration is supported diff --git a/lib/ruby_llm/mcp/auth/browser_oauth.rb b/lib/ruby_llm/mcp/auth/browser_oauth.rb index a634e76..4a6b617 100644 --- a/lib/ruby_llm/mcp/auth/browser_oauth.rb +++ b/lib/ruby_llm/mcp/auth/browser_oauth.rb @@ -136,72 +136,101 @@ def start_callback_server(result, mutex, condition) # @param mutex [Mutex] synchronization mutex # @param condition [ConditionVariable] wait condition def handle_http_request(client, result, mutex, condition) - # Set read timeout - client.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVTIMEO, [5, 0].pack("l_2")) + configure_client_socket(client) - # Read request line - request_line = client.gets + request_line = read_request_line(client) return unless request_line + method_name, path = extract_request_parts(request_line) + return unless method_name && path + + @logger.debug("Received #{method_name} request: #{path}") + read_http_headers(client) + + return unless valid_callback_path?(client, path) + + params = parse_callback_params(path) + oauth_params = extract_oauth_params(params) + + update_result_with_oauth_params(oauth_params, result, mutex, condition) + send_callback_response(client, result) + ensure + client&.close + end + + def configure_client_socket(client) + client.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVTIMEO, [5, 0].pack("l_2")) + end + + def read_request_line(client) + client.gets + end + + def extract_request_parts(request_line) parts = request_line.split - return unless parts.length >= 2 + return nil unless parts.length >= 2 - method, path = parts[0..1] - @logger.debug("Received #{method} request: #{path}") + parts[0..1] + end - # Read headers (with limit to prevent memory exhaustion) + def read_http_headers(client) header_count = 0 loop do - break if header_count >= 100 # Limit header count + break if header_count >= 100 line = client.gets break if line.nil? || line.strip.empty? header_count += 1 end + end - # Parse path and query parameters - uri_path, query_string = path.split("?", 2) + def valid_callback_path?(client, path) + uri_path, = path.split("?", 2) - # Only handle our callback path - unless uri_path == @callback_path - send_http_response(client, 404, "text/plain", "Not Found") - return - end + return true if uri_path == @callback_path - # Parse query parameters + send_http_response(client, 404, "text/plain", "Not Found") + false + end + + def parse_callback_params(path) + _, query_string = path.split("?", 2) params = parse_query_params(query_string || "") @logger.debug("Callback params: #{params.keys.join(', ')}") + params + end - # Extract OAuth parameters - code = params["code"] - state = params["state"] - error = params["error"] - error_description = params["error_description"] + def extract_oauth_params(params) + { + code: params["code"], + state: params["state"], + error: params["error"], + error_description: params["error_description"] + } + end - # Update result and signal waiting thread + def update_result_with_oauth_params(oauth_params, result, mutex, condition) mutex.synchronize do - if error - result[:error] = error_description || error - elsif code && state - result[:code] = code - result[:state] = state + if oauth_params[:error] + result[:error] = oauth_params[:error_description] || oauth_params[:error] + elsif oauth_params[:code] && oauth_params[:state] + result[:code] = oauth_params[:code] + result[:state] = oauth_params[:state] else result[:error] = "Invalid callback: missing code or state parameter" end result[:completed] = true - - condition.signal # Wake up waiting thread + condition.signal end + end - # Send response to browser + def send_callback_response(client, result) if result[:error] send_http_response(client, 400, "text/html", error_page(result[:error])) else send_http_response(client, 200, "text/html", success_page) end - ensure - client&.close end # Parse URL query parameters diff --git a/lib/ruby_llm/mcp/auth/oauth_provider.rb b/lib/ruby_llm/mcp/auth/oauth_provider.rb index 2803e58..f1d16be 100644 --- a/lib/ruby_llm/mcp/auth/oauth_provider.rb +++ b/lib/ruby_llm/mcp/auth/oauth_provider.rb @@ -251,10 +251,12 @@ def fetch_server_metadata(url) issuer: data["issuer"], authorization_endpoint: data["authorization_endpoint"], token_endpoint: data["token_endpoint"], - registration_endpoint: data["registration_endpoint"], - scopes_supported: data["scopes_supported"], - response_types_supported: data["response_types_supported"], - grant_types_supported: data["grant_types_supported"] + options: { + registration_endpoint: data["registration_endpoint"], + scopes_supported: data["scopes_supported"], + response_types_supported: data["response_types_supported"], + grant_types_supported: data["grant_types_supported"] + } ) end @@ -301,53 +303,71 @@ def get_or_register_client(server_metadata) def register_client(server_metadata) logger.debug("Registering OAuth client at: #{server_metadata.registration_endpoint}") - metadata = ClientMetadata.new( + metadata = build_client_metadata + response = post_client_registration(server_metadata, metadata) + data = parse_registration_response(response) + + registered_metadata = parse_registered_metadata(data) + warn_redirect_uri_mismatch(registered_metadata) + + client_info = create_client_info_from_response(data, registered_metadata) + storage.set_client_info(server_url, client_info) + logger.debug("Client registered successfully: #{client_info.client_id}") + client_info + end + + def build_client_metadata + ClientMetadata.new( redirect_uris: [redirect_uri], - token_endpoint_auth_method: "none", # Public client + token_endpoint_auth_method: "none", grant_types: %w[authorization_code refresh_token], response_types: ["code"], scope: scope ) + end - response = @http_client.post( + def post_client_registration(server_metadata, metadata) + @http_client.post( server_metadata.registration_endpoint, headers: { "Content-Type" => "application/json" }, json: metadata.to_h ) + end + def parse_registration_response(response) unless [201, 200].include?(response.status) raise Errors::TransportError.new("Client registration failed: HTTP #{response.status}", nil, nil) end - data = JSON.parse(response.body.to_s) + JSON.parse(response.body.to_s) + end - # Parse server's registered metadata (may differ from requested) - registered_metadata = ClientMetadata.new( + def parse_registered_metadata(data) + ClientMetadata.new( redirect_uris: data["redirect_uris"] || [redirect_uri], token_endpoint_auth_method: data["token_endpoint_auth_method"] || "none", grant_types: data["grant_types"] || %w[authorization_code refresh_token], response_types: data["response_types"] || ["code"], scope: data["scope"] ) + end - # Warn if server changed redirect_uri - if registered_metadata.redirect_uris.first != redirect_uri - logger.warn("OAuth server changed redirect_uri:") - logger.warn(" Requested: #{redirect_uri}") - logger.warn(" Registered: #{registered_metadata.redirect_uris.first}") - end + def warn_redirect_uri_mismatch(registered_metadata) + return if registered_metadata.redirect_uris.first == redirect_uri + + logger.warn("OAuth server changed redirect_uri:") + logger.warn(" Requested: #{redirect_uri}") + logger.warn(" Registered: #{registered_metadata.redirect_uris.first}") + end - client_info = ClientInfo.new( + def create_client_info_from_response(data, registered_metadata) + ClientInfo.new( client_id: data["client_id"], client_secret: data["client_secret"], client_id_issued_at: data["client_id_issued_at"], client_secret_expires_at: data["client_secret_expires_at"], metadata: registered_metadata ) - - storage.set_client_info(server_url, client_info) - logger.debug("Client registered successfully: #{client_info.client_id}") - client_info end # Build OAuth authorization URL @@ -385,51 +405,66 @@ def build_authorization_url(server_metadata, client_info, pkce, state) def exchange_authorization_code(server_metadata, client_info, code, pkce) logger.debug("Exchanging authorization code for access token") - # Use registered redirect_uri (critical!) registered_redirect_uri = client_info.metadata.redirect_uris.first + params = build_token_exchange_params(client_info, code, pkce, registered_redirect_uri) + + response = post_token_exchange(server_metadata, params) + response = retry_token_exchange_if_redirect_mismatch( + response, server_metadata, params, registered_redirect_uri + ) + validate_token_response!(response) + parse_token_response(response) + end + + def build_token_exchange_params(client_info, code, pkce, registered_redirect_uri) params = { grant_type: "authorization_code", code: code, redirect_uri: registered_redirect_uri, client_id: client_info.client_id, - code_verifier: pkce.code_verifier, # PKCE verification - resource: server_url # RFC 8707 + code_verifier: pkce.code_verifier, + resource: server_url } - # Add client_secret if using confidential client auth - if client_info.client_secret && - client_info.metadata.token_endpoint_auth_method == "client_secret_post" - params[:client_secret] = client_info.client_secret - end + add_client_secret_if_needed(params, client_info) + params + end - response = @http_client.post( + def add_client_secret_if_needed(params, client_info) + return unless client_info.client_secret + return unless client_info.metadata.token_endpoint_auth_method == "client_secret_post" + + params[:client_secret] = client_info.client_secret + end + + def post_token_exchange(server_metadata, params) + @http_client.post( server_metadata.token_endpoint, headers: { "Content-Type" => "application/x-www-form-urlencoded" }, form: params ) + end - # Handle redirect_uri mismatch errors with retry logic - unless response.status == 200 - redirect_hint = extract_redirect_mismatch(response.body.to_s) + def retry_token_exchange_if_redirect_mismatch(response, server_metadata, params, registered_redirect_uri) + return response if response.status == 200 - if redirect_hint && redirect_hint[:expected] != registered_redirect_uri - logger.warn("Redirect URI mismatch, retrying with: #{redirect_hint[:expected]}") - params[:redirect_uri] = redirect_hint[:expected] + redirect_hint = extract_redirect_mismatch(response.body.to_s) + return response unless redirect_hint + return response if redirect_hint[:expected] == registered_redirect_uri - response = @http_client.post( - server_metadata.token_endpoint, - headers: { "Content-Type" => "application/x-www-form-urlencoded" }, - form: params - ) - end - end + logger.warn("Redirect URI mismatch, retrying with: #{redirect_hint[:expected]}") + params[:redirect_uri] = redirect_hint[:expected] + post_token_exchange(server_metadata, params) + end - unless response.status == 200 - raise Errors::TransportError.new("Token exchange failed: HTTP #{response.status}", nil, nil) - end + def validate_token_response!(response) + return if response.status == 200 - # Parse token response + raise Errors::TransportError.new("Token exchange failed: HTTP #{response.status}", nil, nil) + end + + def parse_token_response(response) data = JSON.parse(response.body.to_s) Token.new( access_token: data["access_token"], @@ -450,51 +485,61 @@ def refresh_token(token) server_metadata = discover_authorization_server client_info = storage.get_client_info(server_url) - return nil unless server_metadata && client_info + execute_token_refresh(server_metadata, client_info, token) + rescue JSON::ParserError => e + logger.warn("Invalid token refresh response: #{e.message}") + nil + rescue HTTPX::Error => e + logger.warn("Network error during token refresh: #{e.message}") + nil + end + + def execute_token_refresh(server_metadata, client_info, token) + params = build_refresh_params(client_info, token) + response = post_token_refresh(server_metadata, params) + + return nil unless response.status == 200 + + new_token = parse_refresh_response(response, token) + storage.set_token(server_url, new_token) + logger.debug("Token refreshed successfully") + new_token + end + + def build_refresh_params(client_info, token) params = { grant_type: "refresh_token", refresh_token: token.refresh_token, client_id: client_info.client_id, - resource: server_url # RFC 8707 + resource: server_url } - # Add client_secret if required - if client_info.client_secret && - client_info.metadata.token_endpoint_auth_method == "client_secret_post" - params[:client_secret] = client_info.client_secret - end + add_client_secret_if_needed(params, client_info) + params + end + def post_token_refresh(server_metadata, params) response = @http_client.post( server_metadata.token_endpoint, headers: { "Content-Type" => "application/x-www-form-urlencoded" }, form: params ) - unless response.status == 200 - logger.warn("Token refresh failed: HTTP #{response.status}") - return nil - end + logger.warn("Token refresh failed: HTTP #{response.status}") unless response.status == 200 + response + end + def parse_refresh_response(response, old_token) data = JSON.parse(response.body.to_s) - new_token = Token.new( + Token.new( access_token: data["access_token"], token_type: data["token_type"] || "Bearer", expires_in: data["expires_in"], scope: data["scope"], - refresh_token: data["refresh_token"] || token.refresh_token # Use old if not provided + refresh_token: data["refresh_token"] || old_token.refresh_token ) - - storage.set_token(server_url, new_token) - logger.debug("Token refreshed successfully") - new_token - rescue JSON::ParserError => e - logger.warn("Invalid token refresh response: #{e.message}") - nil - rescue HTTPX::Error => e - logger.warn("Network error during token refresh: #{e.message}") - nil end # Extract redirect URI mismatch details from error response diff --git a/lib/ruby_llm/mcp/transport.rb b/lib/ruby_llm/mcp/transport.rb index 52e38c8..09955dd 100644 --- a/lib/ruby_llm/mcp/transport.rb +++ b/lib/ruby_llm/mcp/transport.rb @@ -50,11 +50,48 @@ def build_transport raise Errors::InvalidTransportType.new(message: message) end + transport_config = prepare_transport_config + transport_klass = RubyLLM::MCP::Transport.transports[transport_type] + transport_klass.new(coordinator: coordinator, **transport_config) + end + + def prepare_transport_config transport_config = config.dup oauth_provider = create_oauth_provider(transport_config) if oauth_config_present?(transport_config) - transport_klass = RubyLLM::MCP::Transport.transports[transport_type] - transport_klass.new(coordinator: coordinator, oauth_provider: oauth_provider, **transport_config) + # Extract transport-specific parameters and consolidate into options + if %i[sse streamable streamable_http].include?(transport_type) + prepare_http_transport_config(transport_config, oauth_provider) + elsif transport_type == :stdio + prepare_stdio_transport_config(transport_config) + else + transport_config + end + end + + def prepare_http_transport_config(config, oauth_provider) + options = { + version: config.delete(:version) || config.delete("version"), + headers: config.delete(:headers) || config.delete("headers"), + oauth_provider: oauth_provider, + reconnection: config.delete(:reconnection) || config.delete("reconnection"), + reconnection_options: config.delete(:reconnection_options) || config.delete("reconnection_options"), + rate_limit: config.delete(:rate_limit) || config.delete("rate_limit"), + session_id: config.delete(:session_id) || config.delete("session_id") + }.compact + + config[:options] = options + config + end + + def prepare_stdio_transport_config(config) + options = { + args: config.delete(:args) || config.delete("args"), + env: config.delete(:env) || config.delete("env") + }.compact + + config[:options] = options unless options.empty? + config end # Check if OAuth configuration is present diff --git a/lib/ruby_llm/mcp/transports/sse.rb b/lib/ruby_llm/mcp/transports/sse.rb index ba4bb8a..b2f873e 100644 --- a/lib/ruby_llm/mcp/transports/sse.rb +++ b/lib/ruby_llm/mcp/transports/sse.rb @@ -14,25 +14,26 @@ class SSE attr_reader :headers, :id, :coordinator, :oauth_provider - def initialize(url:, coordinator:, request_timeout:, version: :http2, headers: {}, oauth_provider: nil) + def initialize(url:, coordinator:, request_timeout:, options: {}) @event_url = url @messages_url = nil @coordinator = coordinator @request_timeout = request_timeout - @version = version - @oauth_provider = oauth_provider + @version = options[:version] || options["version"] || :http2 + @oauth_provider = options[:oauth_provider] || options["oauth_provider"] uri = URI.parse(url) @root_url = "#{uri.scheme}://#{uri.host}" @root_url += ":#{uri.port}" if uri.port != uri.default_port @client_id = SecureRandom.uuid - @headers = headers.merge({ - "Accept" => "text/event-stream", - "Content-Type" => "application/json", - "Cache-Control" => "no-cache", - "X-CLIENT-ID" => @client_id - }) + custom_headers = options[:headers] || options["headers"] || {} + @headers = custom_headers.merge({ + "Accept" => "text/event-stream", + "Content-Type" => "application/json", + "Cache-Control" => "no-cache", + "X-CLIENT-ID" => @client_id + }) @id_counter = 0 @id_mutex = Mutex.new diff --git a/lib/ruby_llm/mcp/transports/stdio.rb b/lib/ruby_llm/mcp/transports/stdio.rb index 8758720..1492581 100644 --- a/lib/ruby_llm/mcp/transports/stdio.rb +++ b/lib/ruby_llm/mcp/transports/stdio.rb @@ -13,12 +13,12 @@ class Stdio attr_reader :command, :stdin, :stdout, :stderr, :id, :coordinator - def initialize(command:, coordinator:, request_timeout:, args: [], env: {}, _oauth_provider: nil) + def initialize(command:, coordinator:, request_timeout:, options: {}) @request_timeout = request_timeout @command = command @coordinator = coordinator - @args = args - @env = env || {} + @args = options[:args] || options["args"] || [] + @env = options[:env] || options["env"] || {} @client_id = SecureRandom.uuid # NOTE: Stdio transport doesn't use OAuth (local process communication) diff --git a/lib/ruby_llm/mcp/transports/streamable_http.rb b/lib/ruby_llm/mcp/transports/streamable_http.rb index b72f4cb..74ba402 100644 --- a/lib/ruby_llm/mcp/transports/streamable_http.rb +++ b/lib/ruby_llm/mcp/transports/streamable_http.rb @@ -44,52 +44,50 @@ class StreamableHTTP attr_reader :session_id, :protocol_version, :coordinator, :oauth_provider - def initialize( # rubocop:disable Metrics/ParameterLists - url:, - request_timeout:, - coordinator:, - headers: {}, - reconnection: {}, - version: :http2, - oauth_provider: nil, - rate_limit: nil, - reconnection_options: nil, - session_id: nil - ) + def initialize(url:, request_timeout:, coordinator:, options: {}) @url = URI(url) @coordinator = coordinator @request_timeout = request_timeout - @headers = headers || {} - @session_id = session_id - @oauth_provider = oauth_provider - @version = version - @reconnection_options = reconnection_options || ReconnectionOptions.new + extract_options(options) + initialize_state_variables + initialize_mutexes + + @connection = create_connection + + RubyLLM::MCP.logger.debug "OAuth provider: #{@oauth_provider ? 'present' : 'none'}" if @oauth_provider + end + + def extract_options(options) + @headers = options[:headers] || options["headers"] || {} + @session_id = options[:session_id] || options["session_id"] + @oauth_provider = options[:oauth_provider] || options["oauth_provider"] + @version = options[:version] || options["version"] || :http2 @protocol_version = nil - @session_id = session_id - @resource_metadata_url = nil - @client_id = SecureRandom.uuid + reconnection = options[:reconnection] || options["reconnection"] || {} + @reconnection_options = options[:reconnection_options] || ReconnectionOptions.new(**reconnection) - @reconnection_options = ReconnectionOptions.new(**reconnection) + rate_limit = options[:rate_limit] || options["rate_limit"] @rate_limiter = Support::RateLimiter.new(**rate_limit) if rate_limit + end + def initialize_state_variables + @resource_metadata_url = nil + @client_id = SecureRandom.uuid @id_counter = 0 - @id_mutex = Mutex.new @pending_requests = {} - @pending_mutex = Mutex.new @running = true @abort_controller = nil @sse_thread = nil - @sse_mutex = Mutex.new - - # Thread-safe collection of all HTTPX clients @clients = [] - @clients_mutex = Mutex.new - - @connection = create_connection + end - RubyLLM::MCP.logger.debug "OAuth provider: #{@oauth_provider ? 'present' : 'none'}" if @oauth_provider + def initialize_mutexes + @id_mutex = Mutex.new + @pending_mutex = Mutex.new + @sse_mutex = Mutex.new + @clients_mutex = Mutex.new end def request(body, add_id: true, wait_for_response: true) diff --git a/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb b/spec/ruby_llm/mcp/auth/o_auth_provider_spec.rb similarity index 93% rename from spec/ruby_llm/mcp/auth/oauth_provider_spec.rb rename to spec/ruby_llm/mcp/auth/o_auth_provider_spec.rb index 3fd13dd..3af46f7 100644 --- a/spec/ruby_llm/mcp/auth/oauth_provider_spec.rb +++ b/spec/ruby_llm/mcp/auth/o_auth_provider_spec.rb @@ -83,7 +83,7 @@ issuer: "https://auth.example.com", authorization_endpoint: "https://auth.example.com/authorize", token_endpoint: "https://auth.example.com/token", - registration_endpoint: "https://auth.example.com/register" + options: { registration_endpoint: "https://auth.example.com/register" } ) end @@ -99,14 +99,20 @@ let(:pkce) { RubyLLM::MCP::Auth::PKCE.new } let(:state) { "test_state" } - it "builds valid authorization URL" do + it "builds valid authorization URL with correct endpoint" do url = provider.send(:build_authorization_url, server_metadata, client_info, pkce, state) uri = URI.parse(url) - params = URI.decode_www_form(uri.query).to_h expect(uri.scheme).to eq("https") expect(uri.host).to eq("auth.example.com") expect(uri.path).to eq("/authorize") + end + + it "includes all required OAuth parameters in authorization URL" do + url = provider.send(:build_authorization_url, server_metadata, client_info, pkce, state) + uri = URI.parse(url) + params = URI.decode_www_form(uri.query).to_h + expect(params["response_type"]).to eq("code") expect(params["client_id"]).to eq("test_client_id") expect(params["redirect_uri"]).to eq(redirect_uri) @@ -183,7 +189,8 @@ RubyLLM::MCP::Auth::ServerMetadata.new( issuer: "https://auth.example.com", authorization_endpoint: "https://auth.example.com/authorize", - token_endpoint: "https://auth.example.com/token" + token_endpoint: "https://auth.example.com/token", + options: {} ) end diff --git a/spec/ruby_llm/mcp/auth_spec.rb b/spec/ruby_llm/mcp/auth_spec.rb index 85c2390..8226ac8 100644 --- a/spec/ruby_llm/mcp/auth_spec.rb +++ b/spec/ruby_llm/mcp/auth_spec.rb @@ -214,7 +214,7 @@ issuer: issuer, authorization_endpoint: authorization_endpoint, token_endpoint: token_endpoint, - registration_endpoint: registration_endpoint + options: { registration_endpoint: registration_endpoint } ) expect(metadata.issuer).to eq(issuer) @@ -228,7 +228,7 @@ issuer: issuer, authorization_endpoint: authorization_endpoint, token_endpoint: token_endpoint, - registration_endpoint: registration_endpoint + options: { registration_endpoint: registration_endpoint } ) expect(metadata.supports_registration?).to be(true) @@ -238,7 +238,8 @@ metadata = described_class.new( issuer: issuer, authorization_endpoint: authorization_endpoint, - token_endpoint: token_endpoint + token_endpoint: token_endpoint, + options: {} ) expect(metadata.supports_registration?).to be(false) diff --git a/spec/ruby_llm/mcp/transport_spec.rb b/spec/ruby_llm/mcp/transport_spec.rb index 392579b..dff7e6e 100644 --- a/spec/ruby_llm/mcp/transport_spec.rb +++ b/spec/ruby_llm/mcp/transport_spec.rb @@ -54,7 +54,6 @@ expect(protocol).to eq(mock_transport) expect(RubyLLM::MCP::Transports::Stdio).to have_received(:new).with( coordinator: coordinator, - oauth_provider: nil, **config ) end @@ -157,7 +156,7 @@ expect(protocol).to eq(mock_sse) expect(RubyLLM::MCP::Transports::SSE).to have_received(:new).with( coordinator: coordinator, - oauth_provider: nil, + options: {}, **config ) end @@ -172,7 +171,7 @@ expect(protocol).to eq(mock_streamable) expect(RubyLLM::MCP::Transports::StreamableHTTP).to have_received(:new).with( coordinator: coordinator, - oauth_provider: nil, + options: {}, **config ) end @@ -187,7 +186,7 @@ expect(protocol).to eq(mock_streamable) expect(RubyLLM::MCP::Transports::StreamableHTTP).to have_received(:new).with( coordinator: coordinator, - oauth_provider: nil, + options: {}, **config ) end diff --git a/spec/ruby_llm/mcp/transports/streamable_http_spec.rb b/spec/ruby_llm/mcp/transports/streamable_http_spec.rb index 9b8d670..c402fde 100644 --- a/spec/ruby_llm/mcp/transports/streamable_http_spec.rb +++ b/spec/ruby_llm/mcp/transports/streamable_http_spec.rb @@ -20,7 +20,7 @@ url: TestServerManager::HTTP_SERVER_URL, request_timeout: 5000, coordinator: mock_coordinator, - headers: {} + options: { headers: {} } ) end let(:logger) { instance_double(Logger) } @@ -579,7 +579,7 @@ url: TestServerManager::HTTP_SERVER_URL, request_timeout: 5000, coordinator: mock_coordinator, - reconnection: reconnection_options + options: { reconnection: reconnection_options } ) end @@ -598,7 +598,7 @@ url: TestServerManager::HTTP_SERVER_URL, request_timeout: 1000, coordinator: mock_coordinator, - reconnection: reconnection_options + options: { reconnection: reconnection_options } ) end From a209c9f74ab844a4c689f8a3632e81fb59cbcece Mon Sep 17 00:00:00 2001 From: Paulo Arruda Date: Thu, 6 Nov 2025 21:39:39 -0400 Subject: [PATCH 4/5] Add comprehensive Rails OAuth integration with generator MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Created complete Rails OAuth integration for multi-user MCP applications where each user needs their own OAuth connection and permissions. Generator: rails generate ruby_llm:mcp:oauth:install ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ Creates complete multi-tenant OAuth infrastructure: Database Schema: - mcp_oauth_credentials table (encrypted user tokens) - mcp_oauth_states table (temporary OAuth flow state) Models: - McpOauthCredential (token storage with encryption) - McpOauthState (PKCE and state parameter storage) - UserMcpOauth concern (adds helper methods to User model) Services: - OauthStorage::UserTokenStorage (per-user storage adapter) - McpClientFactory (creates clients with user's OAuth tokens) Controller: - McpConnectionsController (OAuth flow: connect, callback, disconnect) Views: - mcp_connections/index.html.erb (connection management UI) Jobs: - AiResearchJob (example background job with per-user permissions) Documentation ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ Created comprehensive guides: 1. docs/guides/rails-oauth.md - Complete multi-user OAuth architecture - User flow examples (onboarding, feature-gated, multi-server) - Background job patterns - Token lifecycle management - Security best practices - Production deployment guide - Monitoring and health checks 2. Updated docs/guides/rails-integration.md - Added OAuth section with quick start - Links to detailed OAuth guide - Multi-user pattern examples Key Features ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ āœ… Per-user OAuth tokens - Each user has their own credentials āœ… Secure storage - Encrypted tokens in database with Active Record Encryption āœ… Background jobs - No browser needed after initial auth āœ… Automatic token refresh - Tokens refresh transparently (5-min buffer) āœ… Multi-server support - Users can connect to multiple MCP servers āœ… Scoped access - Configure scopes per user role āœ… Complete UI - Full connection management interface āœ… Production-ready - Health checks, monitoring, error handling Usage Pattern ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ # User connects (once, in browser) Visit /mcp_connections/connect ā†’ OAuth flow ā†’ Token stored # Background job (no browser) class AiJob < ApplicationJob def perform(user_id, query) user = User.find(user_id) client = McpClientFactory.for_user(user) # User's token! tools = client.tools # User's permissions! chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") .with_tools(*tools) response = chat.ask(query) end end Architecture ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ User Flow: 1. User clicks "Connect MCP" ā†’ Browser OAuth flow 2. Token stored encrypted in database (per user) 3. User enqueues background job 4. Job loads user's token from database 5. Job executes with user's permissions 6. Tokens auto-refresh when needed All tests passing āœ… RuboCop clean āœ… šŸ¤– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- docs/guides/rails-integration.md | 83 +- docs/guides/rails-oauth.md | 1200 +++++++++++++++++ .../ruby_llm/mcp/oauth/install_generator.rb | 123 ++ .../templates/create_mcp_oauth_credentials.rb | 18 + .../templates/create_mcp_oauth_states.rb | 18 + .../mcp/oauth/templates/example_job.rb | 77 ++ .../mcp/oauth/templates/mcp_client_factory.rb | 67 + .../templates/mcp_connections_controller.rb | 173 +++ .../oauth/templates/mcp_oauth_credential.rb | 50 + .../mcp/oauth/templates/mcp_oauth_state.rb | 30 + .../ruby_llm/mcp/oauth/templates/routes.rb | 13 + .../oauth/templates/user_mcp_oauth_concern.rb | 89 ++ .../mcp/oauth/templates/user_token_storage.rb | 90 ++ .../mcp/oauth/templates/views/index.html.erb | 137 ++ 14 files changed, 2165 insertions(+), 3 deletions(-) create mode 100644 docs/guides/rails-oauth.md create mode 100644 lib/generators/ruby_llm/mcp/oauth/install_generator.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_credentials.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_states.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/example_job.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/mcp_client_factory.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/mcp_connections_controller.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_credential.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_state.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/routes.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/user_mcp_oauth_concern.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/user_token_storage.rb create mode 100644 lib/generators/ruby_llm/mcp/oauth/templates/views/index.html.erb diff --git a/docs/guides/rails-integration.md b/docs/guides/rails-integration.md index f840d65..ed9c86f 100644 --- a/docs/guides/rails-integration.md +++ b/docs/guides/rails-integration.md @@ -313,18 +313,95 @@ class StreamingAnalysisController < ApplicationController end ``` +## OAuth Authentication for Multi-User Applications + +For Rails applications with multiple users where each user needs their own MCP connection: + +### Quick Start + +```bash +# Install OAuth support +rails generate ruby_llm:mcp:oauth:install + +# Run migrations +rails db:migrate + +# Configure +# .env +DEFAULT_MCP_SERVER_URL=https://mcp.example.com/api +MCP_OAUTH_SCOPES=mcp:read mcp:write +``` + +### Usage Pattern + +```ruby +# User model +class User < ApplicationRecord + include UserMcpOauth # Adds mcp_connected?, mcp_client, etc. +end + +# Background job with per-user permissions +class AiResearchJob < ApplicationJob + def perform(user_id, query) + user = User.find(user_id) + client = user.mcp_client # Uses user's OAuth token! + + tools = client.tools + chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") + .with_tools(*tools) + + response = chat.ask(query) + # ... save results ... + end +end + +# Controller +class ResearchController < ApplicationController + def create + if current_user.mcp_connected? + AiResearchJob.perform_later(current_user.id, params[:query]) + redirect_to research_path, notice: "Research started!" + else + redirect_to connect_mcp_connections_path, + alert: "Please connect MCP server first" + end + end +end +``` + +### Key Features + +- **Per-user OAuth tokens** - Each user has their own credentials +- **Secure storage** - Encrypted tokens in database +- **Background jobs** - No browser needed after initial auth +- **Automatic refresh** - Tokens refresh transparently +- **Multi-server support** - Users can connect to multiple MCP servers + +### Complete Guide + +For detailed implementation including: +- Multi-tenant architecture +- Token lifecycle management +- Security best practices +- Production deployment +- Monitoring and alerts + +See the **[Rails OAuth Integration Guide]({% link guides/rails-oauth.md %})** + ## Next Steps Now that you have comprehensive Rails integration set up: 1. **Configure your MCP servers** in `config/mcps.yml` 2. **Choose your client management strategy** (manual vs automatic) -3. **Implement MCP services** for your specific use cases -4. **Add proper error handling and monitoring** -5. **Set up tests** for your MCP integrations +3. **For multi-user OAuth**, see [Rails OAuth Integration]({% link guides/rails-oauth.md %}) +4. **Implement MCP services** for your specific use cases +5. **Add proper error handling and monitoring** +6. **Set up tests** for your MCP integrations For more detailed information on specific topics: +- **[Rails OAuth Integration]({% link guides/rails-oauth.md %})** - Multi-user OAuth setup - **[Configuration]({% link configuration.md %})** - Advanced client configuration - **[Tools]({% link server/tools.md %})** - Working with MCP tools - **[Resources]({% link server/resources.md %})** - Managing resources and templates diff --git a/docs/guides/rails-oauth.md b/docs/guides/rails-oauth.md new file mode 100644 index 0000000..63cdf81 --- /dev/null +++ b/docs/guides/rails-oauth.md @@ -0,0 +1,1200 @@ +--- +layout: default +title: Rails OAuth Integration +parent: Guides +nav_order: 10 +description: "Multi-user OAuth authentication for Rails apps with background jobs and per-user MCP permissions" +--- + +# Rails OAuth Integration +{: .no_toc } + +Complete guide for implementing multi-tenant OAuth authentication in Rails applications, enabling per-user MCP server connections with background job support. + +## Table of contents +{: .no_toc .text-delta } + +1. TOC +{:toc} + +--- + +## Overview + +This guide covers implementing OAuth authentication for MCP servers in a Rails application where: +- Multiple users need their own MCP connections +- Background jobs run with user-specific permissions +- Tokens are stored securely per-user +- OAuth flow happens in the user's browser +- Background workers use stored tokens (no browser needed) + +### Architecture Pattern + +``` +User Browser (Foreground) Background Jobs (Headless) +ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ā”€ +1. Click "Connect MCP" 4. Job starts with user_id +2. OAuth authorization ā”€ā”€ā†’ 5. Load user's token +3. Token stored in DB 6. Create MCP client + 7. Execute with user permissions +``` + +## Quick Start + +### Step 1: Run the Generator + +```bash +rails generate ruby_llm:mcp:oauth:install +``` + +This creates: +- Database migrations for OAuth credentials +- Models (`McpOauthCredential`, `McpOauthState`) +- Controller (`McpConnectionsController`) +- Storage adapter (`OauthStorage::UserTokenStorage`) +- Routes for OAuth flow +- Initializer for configuration + +### Step 2: Run Migrations + +```bash +rails db:migrate +``` + +### Step 3: Configure Your MCP Server + +```ruby +# config/initializers/ruby_llm_mcp.rb +ENV["DEFAULT_MCP_SERVER_URL"] = "https://mcp.example.com/api" +ENV["MCP_OAUTH_SCOPES"] = "mcp:read mcp:write" +``` + +### Step 4: Add User Association + +```ruby +# app/models/user.rb +class User < ApplicationRecord + has_many :mcp_oauth_credentials, dependent: :destroy + has_many :mcp_oauth_states, dependent: :destroy + + def mcp_connected?(server_url = ENV["DEFAULT_MCP_SERVER_URL"]) + mcp_oauth_credentials.exists?(server_url: server_url) + end +end +``` + +### Step 5: Use in Your App + +```ruby +# User connects (browser-based) +# Visit: /mcp_connections/connect + +# Background job (no browser) +class AiResearchJob < ApplicationJob + def perform(user_id, query) + user = User.find(user_id) + client = McpClientFactory.for_user(user) + + tools = client.tools + chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") + .with_tools(*tools) + + response = chat.ask(query) + # ... save results ... + end +end +``` + +## Complete Architecture + +### Database Schema + +The generator creates these tables: + +**mcp_oauth_credentials** - Stores user's OAuth tokens +```ruby +t.references :user, null: false, foreign_key: true +t.string :server_url, null: false +t.text :token_data, null: false # Encrypted JSON +t.text :client_info_data # Encrypted client credentials +t.datetime :token_expires_at +t.datetime :last_refreshed_at +t.index [:user_id, :server_url], unique: true +``` + +**mcp_oauth_states** - Temporary OAuth flow state +```ruby +t.references :user, null: false, foreign_key: true +t.string :server_url, null: false +t.string :state_param, null: false +t.text :pkce_data, null: false # Encrypted PKCE verifier +t.datetime :expires_at, null: false +t.index [:user_id, :state_param], unique: true +``` + +### Models + +#### McpOauthCredential + +```ruby +class McpOauthCredential < ApplicationRecord + belongs_to :user + + encrypts :token_data + encrypts :client_info_data + + validates :server_url, presence: true, uniqueness: { scope: :user_id } + + def token + return nil unless token_data.present? + RubyLLM::MCP::Auth::Token.from_h(JSON.parse(token_data, symbolize_names: true)) + end + + def token=(token) + self.token_data = token.to_h.to_json + self.token_expires_at = token.expires_at + end + + def expired? + token&.expired? + end + + def expires_soon? + token&.expires_soon? + end +end +``` + +#### McpOauthState + +```ruby +class McpOauthState < ApplicationRecord + belongs_to :user + encrypts :pkce_data + + validates :state_param, presence: true + + scope :expired, -> { where("expires_at < ?", Time.current) } + + def self.cleanup_expired + expired.delete_all + end +end +``` + +### Storage Adapter + +#### OauthStorage::UserTokenStorage + +Per-user OAuth token storage that implements the RubyLLM::MCP storage interface: + +```ruby +module OauthStorage + class UserTokenStorage + def initialize(user_id, server_url) + @user_id = user_id + @server_url = server_url + end + + def get_token(_server_url) + credential = McpOauthCredential.find_by( + user_id: @user_id, + server_url: @server_url + ) + credential&.token + end + + def set_token(_server_url, token) + credential = McpOauthCredential.find_or_initialize_by( + user_id: @user_id, + server_url: @server_url + ) + credential.token = token + credential.last_refreshed_at = Time.current + credential.save! + end + + # Implements full storage interface... + end +end +``` + +### Controller + +#### McpConnectionsController + +Handles OAuth flow: + +```ruby +class McpConnectionsController < ApplicationController + before_action :authenticate_user! + + def index + @credentials = current_user.mcp_oauth_credentials + end + + def connect + # Start OAuth flow + oauth_provider = create_oauth_provider_for_user + session[:mcp_oauth_context] = oauth_context + redirect_to oauth_provider.start_authorization_flow, allow_other_host: true + end + + def callback + # Complete OAuth flow + oauth_provider = recreate_oauth_provider_from_session + token = oauth_provider.complete_authorization_flow(params[:code], params[:state]) + + redirect_to mcp_connections_path, + notice: "MCP server connected successfully!" + end + + def disconnect + current_user.mcp_oauth_credentials.find(params[:id]).destroy + redirect_to mcp_connections_path, notice: "Disconnected" + end +end +``` + +## Usage Patterns + +### Pattern 1: Background Jobs (Recommended) + +```ruby +class AiAnalysisJob < ApplicationJob + queue_as :default + + def perform(user_id, analysis_params) + user = User.find(user_id) + + # Create MCP client with user's OAuth token + client = McpClientFactory.for_user(user) + + # Use client with user's permissions + tools = client.tools + chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") + .with_tools(*tools) + + result = chat.ask(analysis_params[:query]) + + # Save results associated with user + user.analysis_results.create!( + query: analysis_params[:query], + result: result.text + ) + ensure + client&.stop + end +end + +# Enqueue from controller +class AnalysisController < ApplicationController + def create + ensure_mcp_connected! + + AiAnalysisJob.perform_later(current_user.id, analysis_params) + redirect_to analyses_path, notice: "Analysis started!" + end + + private + + def ensure_mcp_connected! + unless current_user.mcp_connected? + redirect_to connect_mcp_connections_path, + alert: "Please connect MCP server first" + end + end +end +``` + +### Pattern 2: Inline (Synchronous) + +```ruby +class SearchController < ApplicationController + def create + ensure_mcp_connected! + + client = McpClientFactory.for_user(current_user) + + result = client.tool("search").execute( + params: { query: params[:query] } + ) + + render json: { results: result } + ensure + client&.stop + end +end +``` + +### Pattern 3: Streaming with ActionCable + +```ruby +class StreamingAnalysisChannel < ApplicationCable::Channel + def subscribed + stream_from "analysis_#{current_user.id}" + end + + def analyze(data) + AnalyzeStreamJob.perform_later(current_user.id, data["query"]) + end +end + +class AnalyzeStreamJob < ApplicationJob + def perform(user_id, query) + user = User.find(user_id) + client = McpClientFactory.for_user(user) + + chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") + .with_tools(*client.tools) + + chat.ask(query) do |chunk| + # Stream to user via ActionCable + ActionCable.server.broadcast( + "analysis_#{user_id}", + { type: "chunk", content: chunk.content } + ) + end + end +end +``` + +## Client Factory Pattern + +### McpClientFactory Service + +```ruby +# app/services/mcp_client_factory.rb +class McpClientFactory + class NotAuthenticatedError < StandardError; end + + def self.for_user(user, server_url: nil, scope: nil) + server_url ||= ENV["DEFAULT_MCP_SERVER_URL"] + scope ||= ENV["MCP_OAUTH_SCOPES"] + + unless user.mcp_connected?(server_url) + raise NotAuthenticatedError, + "User has not connected to MCP server: #{server_url}" + end + + storage = OauthStorage::UserTokenStorage.new(user.id, server_url) + + RubyLLM::MCP.client( + name: "user-#{user.id}-#{server_url.hash}", + transport_type: :sse, # or :streamable + config: { + url: server_url, + oauth: { + storage: storage, + scope: scope + } + } + ) + end + + def self.for_user_with_fallback(user, server_url: nil) + for_user(user, server_url: server_url) + rescue NotAuthenticatedError + nil + end +end +``` + +## User Flow Examples + +### Example 1: Onboarding Flow + +```ruby +# app/controllers/onboarding_controller.rb +class OnboardingController < ApplicationController + def integrations + @mcp_servers = [ + { + name: "Research Database", + url: ENV["RESEARCH_MCP_URL"], + description: "Access to research papers and data", + connected: current_user.mcp_connected?(ENV["RESEARCH_MCP_URL"]) + } + ] + end + + def skip_integrations + session[:onboarding_step] = :completed + redirect_to dashboard_path + end +end +``` + +```erb + +

Connect Your AI Tools

+ +<% @mcp_servers.each do |server| %> +
+

<%= server[:name] %>

+

<%= server[:description] %>

+ + <% if server[:connected] %> + āœ“ Connected + <% else %> + <%= link_to "Connect", + connect_mcp_connections_path(server_url: server[:url]), + class: "btn btn-primary" %> + <% end %> +
+<% end %> + +<%= link_to "Skip for now", skip_integrations_path, class: "btn btn-link" %> +``` + +### Example 2: Feature-Gated Access + +```ruby +# app/controllers/ai_features_controller.rb +class AiFeaturesController < ApplicationController + before_action :require_mcp_connection, only: [:create, :update] + + def create + AiProcessingJob.perform_later(current_user.id, feature_params) + redirect_to ai_features_path, notice: "Processing started!" + end + + private + + def require_mcp_connection + return if current_user.mcp_connected? + + session[:return_to] = request.fullpath + redirect_to connect_mcp_connections_path, + alert: "Please connect MCP server to use this feature" + end +end + +# In callback controller: +def callback + # ... complete OAuth ... + + if session[:return_to] + redirect_to session.delete(:return_to) + else + redirect_to mcp_connections_path + end +end +``` + +### Example 3: Multi-Server Support + +```ruby +# app/models/mcp_server.rb +class McpServer + SERVERS = { + github: { + url: ENV["GITHUB_MCP_URL"], + name: "GitHub", + scopes: "mcp:repos mcp:issues" + }, + slack: { + url: ENV["SLACK_MCP_URL"], + name: "Slack", + scopes: "mcp:messages mcp:channels" + }, + notion: { + url: ENV["NOTION_MCP_URL"], + name: "Notion", + scopes: "mcp:pages mcp:databases" + } + }.freeze + + def self.all + SERVERS.values + end + + def self.for(key) + SERVERS[key.to_sym] + end +end + +# Controller +class McpConnectionsController < ApplicationController + def connect + server_key = params[:server] + server_config = McpServer.for(server_key) + + raise "Unknown server" unless server_config + + # Create OAuth provider with server-specific scopes + storage = OauthStorage::UserTokenStorage.new(current_user.id, server_config[:url]) + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_config[:url], + redirect_uri: mcp_connections_callback_url, + scope: server_config[:scopes], + storage: storage + ) + + session[:mcp_oauth_context] = { + user_id: current_user.id, + server_url: server_config[:url], + server_key: server_key + } + + redirect_to oauth_provider.start_authorization_flow, allow_other_host: true + end +end + +# Usage in jobs +class MultiServerJob < ApplicationJob + def perform(user_id, task) + user = User.find(user_id) + + github = create_client(user, :github) + slack = create_client(user, :slack) + + chat = RubyLLM.chat(provider: "anthropic/claude-sonnet-4") + .with_tools(*github.tools, *slack.tools) + + response = chat.ask(task) + end + + def create_client(user, server_key) + config = McpServer.for(server_key) + McpClientFactory.for_user(user, server_url: config[:url]) + end +end +``` + +## Advanced Patterns + +### Scoped Access by User Role + +```ruby +# app/services/mcp_client_factory.rb +ROLE_SCOPES = { + viewer: "mcp:read", + editor: "mcp:read mcp:write", + admin: "mcp:read mcp:write mcp:admin" +}.freeze + +def self.for_user(user, server_url: nil) + server_url ||= ENV["DEFAULT_MCP_SERVER_URL"] + scope = ROLE_SCOPES[user.role.to_sym] || ROLE_SCOPES[:viewer] + + storage = OauthStorage::UserTokenStorage.new(user.id, server_url) + + RubyLLM::MCP.client( + name: "user-#{user.id}-mcp", + transport_type: :sse, + config: { + url: server_url, + oauth: { + storage: storage, + scope: scope + } + } + ) +end +``` + +### Proactive Token Refresh + +```ruby +# app/jobs/refresh_mcp_tokens_job.rb +class RefreshMcpTokensJob < ApplicationJob + queue_as :low_priority + + def perform + # Refresh tokens expiring within 1 hour + McpOauthCredential + .where("token_expires_at < ?", 1.hour.from_now) + .where("token_expires_at > ?", Time.current) + .find_each do |credential| + + refresh_user_token(credential) + end + end + + private + + def refresh_user_token(credential) + storage = OauthStorage::UserTokenStorage.new( + credential.user_id, + credential.server_url + ) + + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: credential.server_url, + storage: storage + ) + + refreshed = oauth_provider.access_token + + if refreshed + Rails.logger.info "Refreshed MCP token for user #{credential.user_id}" + else + notify_reauth_needed(credential.user) + end + end + + def notify_reauth_needed(user) + UserMailer.mcp_reauth_required(user).deliver_later + end +end + +# Schedule hourly +# config/schedule.rb (whenever gem) +every 1.hour do + runner "RefreshMcpTokensJob.perform_later" +end +``` + +### Health Checks + +```ruby +# app/services/mcp_health_check.rb +class McpHealthCheck + def self.for_user(user, server_url: nil) + server_url ||= ENV["DEFAULT_MCP_SERVER_URL"] + credential = user.mcp_oauth_credentials.find_by(server_url: server_url) + + return { connected: false } unless credential + + token = credential.token + + { + connected: true, + valid: token && !token.expired?, + expires_at: token&.expires_at, + expires_soon: token&.expires_soon?, + has_refresh_token: token&.refresh_token.present? + } + end + + def self.alert_expiring_tokens + credentials = McpOauthCredential + .where("token_expires_at < ?", 24.hours.from_now) + .where("token_expires_at > ?", Time.current) + + credentials.each do |credential| + token = credential.token + next if token&.refresh_token.present? # Can auto-refresh + + # No refresh token - user must re-auth + UserMailer.mcp_expiring_soon(credential.user).deliver_later + end + end +end +``` + +## UI Components + +### Connection Status Badge + +```erb + +<% status = McpHealthCheck.for_user(current_user) %> + +
+ <% if status[:connected] %> + <% if status[:valid] %> + + āœ“ MCP Connected + + + Expires <%= time_ago_in_words(status[:expires_at]) %> from now + + <% else %> + + āœ— Token Expired + + <%= link_to "Reconnect", connect_mcp_connections_path, class: "btn btn-sm" %> + <% end %> + <% else %> + + Not Connected + + <%= link_to "Connect MCP", connect_mcp_connections_path, class: "btn btn-sm btn-primary" %> + <% end %> +
+``` + +### Settings Page + +```erb + +

Integrations

+ +
+

MCP Servers

+ + <% if current_user.mcp_oauth_credentials.any? %> + + + + + + + + + + + + <% current_user.mcp_oauth_credentials.each do |cred| %> + + + + + + + + <% end %> + +
ServerStatusScopesExpiresActions
<%= cred.server_url %> + <% if cred.expired? %> + Expired + <% elsif cred.expires_soon? %> + Expiring Soon + <% else %> + Active + <% end %> + <%= cred.token&.scope || "N/A" %> + <% if cred.token_expires_at %> + <%= cred.token_expires_at.to_s(:short) %> + <% else %> + Never + <% end %> + + <%= button_to "Disconnect", + disconnect_mcp_connection_path(cred), + method: :delete, + data: { confirm: "Are you sure?" }, + class: "btn btn-sm btn-danger" %> +
+ <% else %> +

No MCP servers connected

+ <% end %> + +

Add Server

+ <%= link_to "Connect MCP Server", + connect_mcp_connections_path, + class: "btn btn-primary" %> +
+``` + +## Security Best Practices + +### 1. Encrypt Sensitive Data + +```ruby +# config/application.rb +config.active_record.encryption.primary_key = ENV["ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY"] +config.active_record.encryption.deterministic_key = ENV["ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY"] +config.active_record.encryption.key_derivation_salt = ENV["ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT"] + +# Models use: +encrypts :token_data +encrypts :client_info_data +``` + +### 2. Validate Redirect URIs + +```ruby +# config/initializers/ruby_llm_mcp_oauth.rb +ALLOWED_REDIRECT_URIS = [ + "http://localhost:3000/mcp_connections/callback", # Development + "https://staging.myapp.com/mcp_connections/callback", # Staging + "https://app.myapp.com/mcp_connections/callback" # Production +].freeze + +def validate_redirect_uri! + uri = mcp_connections_callback_url + unless ALLOWED_REDIRECT_URIS.include?(uri) + raise "Invalid redirect URI: #{uri}" + end +end +``` + +### 3. CSRF Protection + +Rails CSRF protection works automatically since OAuth state parameter is stored in session. + +### 4. Rate Limiting + +```ruby +# app/controllers/mcp_connections_controller.rb +class McpConnectionsController < ApplicationController + before_action :authenticate_user! + before_action :check_rate_limit, only: [:connect] + + private + + def check_rate_limit + key = "mcp_oauth:#{current_user.id}" + count = Rails.cache.read(key) || 0 + + if count >= 5 + redirect_to mcp_connections_path, + alert: "Too many connection attempts. Please try again later." + return + end + + Rails.cache.write(key, count + 1, expires_in: 1.hour) + end +end +``` + +## Error Handling + +### Graceful Degradation + +```ruby +# app/jobs/ai_task_job.rb +def perform(user_id, task) + user = User.find(user_id) + + begin + client = McpClientFactory.for_user(user) + # ... execute task ... + rescue McpClientFactory::NotAuthenticatedError + # User not connected - notify them + notify_auth_required(user) + rescue RubyLLM::MCP::Errors::TransportError => e + if unauthorized_error?(e) + # Token invalid - notify user to reconnect + notify_reauth_required(user) + else + raise + end + ensure + client&.stop + end +end + +def unauthorized_error?(error) + error.message.include?("401") || + error.message.include?("Unauthorized") || + error.message.include?("invalid_token") +end + +def notify_auth_required(user) + ActionCable.server.broadcast("user_#{user.id}", { + type: "mcp_auth_required", + message: "Connect MCP server to continue", + action_url: connect_mcp_connections_url + }) +end +``` + +### Retry Logic + +```ruby +class AiTaskJob < ApplicationJob + retry_on McpClientFactory::NotAuthenticatedError, + wait: :polynomially_longer, + attempts: 3 do |job, exception| + # After retries, notify user + user = User.find(job.arguments.first) + UserMailer.task_failed_auth(user).deliver_now + end + + retry_on RubyLLM::MCP::Errors::TransportError, + wait: 5.seconds, + attempts: 2 +end +``` + +## Testing + +### RSpec Setup + +```ruby +# spec/support/mcp_oauth_helpers.rb +module McpOauthHelpers + def create_mcp_credential_for(user, server_url: nil, expires_in: 3600) + server_url ||= "https://test-mcp.example.com" + + token = RubyLLM::MCP::Auth::Token.new( + access_token: "test_token_#{SecureRandom.hex(8)}", + token_type: "Bearer", + expires_in: expires_in, + scope: "mcp:read mcp:write", + refresh_token: "refresh_#{SecureRandom.hex(8)}" + ) + + McpOauthCredential.create!( + user: user, + server_url: server_url, + token: token + ) + end +end + +RSpec.configure do |config| + config.include McpOauthHelpers +end +``` + +### Controller Tests + +```ruby +# spec/controllers/mcp_connections_controller_spec.rb +RSpec.describe McpConnectionsController do + let(:user) { create(:user) } + + before { sign_in user } + + describe "GET #connect" do + it "redirects to OAuth authorization URL" do + get :connect, params: { server_url: "https://mcp.example.com" } + + expect(response).to redirect_to(/https:\/\/.*\/authorize/) + expect(session[:mcp_oauth_context]).to be_present + end + end + + describe "GET #callback" do + before do + session[:mcp_oauth_context] = { + user_id: user.id, + server_url: "https://mcp.example.com" + } + end + + it "creates OAuth credential on success" do + # Mock OAuth flow + allow_any_instance_of(RubyLLM::MCP::Auth::OAuthProvider) + .to receive(:complete_authorization_flow) + .and_return(double(access_token: "token")) + + expect { + get :callback, params: { code: "auth_code", state: "state123" } + }.to change { user.mcp_oauth_credentials.count }.by(1) + end + end +end +``` + +### Job Tests + +```ruby +# spec/jobs/ai_analysis_job_spec.rb +RSpec.describe AiAnalysisJob do + let(:user) { create(:user) } + + context "when user has MCP credentials" do + before do + create_mcp_credential_for(user) + end + + it "executes successfully" do + VCR.use_cassette("mcp_analysis") do + expect { + described_class.perform_now(user.id, { query: "Test" }) + }.not_to raise_error + end + end + end + + context "when user lacks MCP credentials" do + it "raises NotAuthenticatedError" do + expect { + described_class.perform_now(user.id, { query: "Test" }) + }.to raise_error(McpClientFactory::NotAuthenticatedError) + end + end +end +``` + +## Monitoring and Observability + +### Connection Status Dashboard + +```ruby +# app/controllers/admin/mcp_dashboard_controller.rb +class Admin::McpDashboardController < AdminController + def index + @stats = { + total_users: User.count, + connected_users: McpOauthCredential.distinct.count(:user_id), + active_tokens: McpOauthCredential.joins(:user).where("token_expires_at > ?", Time.current).count, + expiring_soon: McpOauthCredential.where("token_expires_at < ?", 24.hours.from_now).count, + expired: McpOauthCredential.joins(:user).where("token_expires_at < ?", Time.current).count + } + + @recent_connections = McpOauthCredential.order(created_at: :desc).limit(10) + end +end +``` + +### Prometheus Metrics + +```ruby +# config/initializers/prometheus.rb +require "prometheus_exporter/instrumentation" + +PrometheusExporter::Instrumentation::Process.start(type: "sidekiq") + +# Custom MCP metrics +MCP_OAUTH_CONNECTIONS = PrometheusExporter::Metric::Gauge.new( + "mcp_oauth_connections_total", + "Total number of MCP OAuth connections" +) + +MCP_OAUTH_ACTIVE = PrometheusExporter::Metric::Gauge.new( + "mcp_oauth_active_tokens", + "Number of active MCP OAuth tokens" +) + +# Update metrics periodically +class UpdateMcpMetricsJob < ApplicationJob + def perform + MCP_OAUTH_CONNECTIONS.observe(McpOauthCredential.count) + MCP_OAUTH_ACTIVE.observe( + McpOauthCredential.where("token_expires_at > ?", Time.current).count + ) + end +end +``` + +## Troubleshooting + +### Common Issues + +#### User Can't Connect + +**Symptom:** OAuth flow fails with "invalid_redirect_uri" + +**Solution:** +```ruby +# Check your redirect URI matches exactly +puts mcp_connections_callback_url +# => "https://app.example.com/mcp_connections/callback" + +# Must match what's configured in MCP OAuth server +# No trailing slash, exact protocol (http vs https) +``` + +#### Token Refresh Fails + +**Symptom:** Jobs fail with 401 Unauthorized + +**Solution:** +```ruby +# Check if credential has refresh token +credential = user.mcp_oauth_credentials.first +if credential.token.refresh_token.nil? + # User must re-authenticate + UserMailer.mcp_reauth_required(user).deliver_now +end +``` + +#### Session Lost During OAuth + +**Symptom:** Callback fails with "OAuth session expired" + +**Solution:** +```ruby +# Increase session timeout +# config/initializers/session_store.rb +Rails.application.config.session_store :cookie_store, + key: '_myapp_session', + expire_after: 30.minutes # OAuth flow timeout +``` + +## Production Deployment + +### Environment Variables + +```bash +# .env.production +DEFAULT_MCP_SERVER_URL=https://mcp.production.com/api +MCP_OAUTH_SCOPES=mcp:read mcp:write + +# Encryption keys +ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=... +ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=... +ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=... +``` + +### Deployment Checklist + +- [ ] Run migrations: `rails db:migrate` +- [ ] Set encryption keys in production +- [ ] Configure allowed redirect URIs +- [ ] Set up background job for token refresh +- [ ] Configure monitoring/alerts for token expiration +- [ ] Test OAuth flow in staging +- [ ] Set up cleanup job for expired OAuth states + +### Cleanup Jobs + +```ruby +# app/jobs/cleanup_expired_oauth_states_job.rb +class CleanupExpiredOauthStatesJob < ApplicationJob + queue_as :maintenance + + def perform + deleted = McpOauthState.cleanup_expired + Rails.logger.info "Cleaned up #{deleted} expired OAuth states" + end +end + +# Schedule daily +every 1.day, at: "3:00 am" do + runner "CleanupExpiredOauthStatesJob.perform_later" +end +``` + +## Migration from Simple Auth + +If you're migrating from simple token-based auth: + +### Before (Simple Headers) +```ruby +# config/mcps.yml +mcp_servers: + api_server: + transport_type: sse + url: https://mcp.example.com + headers: + Authorization: "Bearer <%= ENV['MCP_TOKEN'] %>" # Shared token +``` + +### After (Per-User OAuth) +```ruby +# User connects via browser once +# Each user gets their own token with their own permissions +# Background jobs use user-specific tokens + +class AiJob < ApplicationJob + def perform(user_id, task) + user = User.find(user_id) + client = McpClientFactory.for_user(user) # User's token! + # ... task executes with user's permissions ... + end +end +``` + +## Next Steps + +1. **Run the generator:** + ```bash + rails generate ruby_llm:mcp:oauth:install + ``` + +2. **Customize the flow** for your app's UX + +3. **Add to onboarding** or settings page + +4. **Test with development MCP server** + +5. **Deploy to production** with proper monitoring + +## Related Documentation + +- [OAuth 2.1 Implementation]({% link oauth.md %}) - Low-level OAuth details +- [Rails Integration]({% link guides/rails-integration.md %}) - Basic Rails setup +- [Background Jobs]({% link guides/background-jobs.md %}) - Job patterns +- [Security]({% link guides/security.md %}) - Security best practices + +--- + +**Generated with RubyLLM MCP** ā€¢ [Report Issues](https://github.com/patvice/ruby_llm-mcp/issues) diff --git a/lib/generators/ruby_llm/mcp/oauth/install_generator.rb b/lib/generators/ruby_llm/mcp/oauth/install_generator.rb new file mode 100644 index 0000000..1775b45 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/install_generator.rb @@ -0,0 +1,123 @@ +# frozen_string_literal: true + +require "rails/generators/base" +require "rails/generators/active_record" + +module RubyLlm + module Mcp + module Oauth + module Generators + class InstallGenerator < Rails::Generators::Base + include ActiveRecord::Generators::Migration + + source_root File.expand_path("templates", __dir__) + + desc "Install RubyLLM MCP OAuth configuration for multi-user authentication" + + def create_migrations + migration_template "create_mcp_oauth_credentials.rb", + "db/migrate/create_mcp_oauth_credentials.rb" + migration_template "create_mcp_oauth_states.rb", + "db/migrate/create_mcp_oauth_states.rb" + end + + def create_models + template "mcp_oauth_credential.rb", "app/models/mcp_oauth_credential.rb" + template "mcp_oauth_state.rb", "app/models/mcp_oauth_state.rb" + end + + def create_storage_adapter + template "user_token_storage.rb", "app/services/oauth_storage/user_token_storage.rb" + end + + def create_client_factory + template "mcp_client_factory.rb", "app/services/mcp_client_factory.rb" + end + + def create_controller + template "mcp_connections_controller.rb", "app/controllers/mcp_connections_controller.rb" + end + + def add_routes_snippet + route_snippet = File.read(File.join(self.class.source_root, "routes.rb")) + say "\nšŸ“‹ Add these routes to config/routes.rb:\n\n", :yellow + say route_snippet, :cyan + say "\n" + end + + def create_views + template "views/index.html.erb", "app/views/mcp_connections/index.html.erb" + end + + def create_user_concern + template "user_mcp_oauth_concern.rb", "app/models/concerns/user_mcp_oauth.rb" + end + + def create_example_job + template "example_job.rb", "app/jobs/ai_research_job.rb" + end + + def display_readme + return unless behavior == :invoke + + display_header + display_created_files + display_next_steps + display_documentation_links + display_usage_example + end + + private + + def display_header + say "\n" + say "=" * 70, :green + say "āœ… RubyLLM MCP OAuth installed successfully!", :green + say "=" * 70, :green + say "\n" + end + + def display_created_files + say "šŸ“¦ Created files:", :blue + say " ā€¢ db/migrate/..._create_mcp_oauth_credentials.rb" + say " ā€¢ db/migrate/..._create_mcp_oauth_states.rb" + say " ā€¢ app/models/mcp_oauth_credential.rb" + say " ā€¢ app/models/mcp_oauth_state.rb" + say " ā€¢ app/models/concerns/user_mcp_oauth.rb" + say " ā€¢ app/services/oauth_storage/user_token_storage.rb" + say " ā€¢ app/services/mcp_client_factory.rb" + say " ā€¢ app/controllers/mcp_connections_controller.rb" + say " ā€¢ app/views/mcp_connections/index.html.erb" + say " ā€¢ app/jobs/ai_research_job.rb (example)" + say "\n" + end + + def display_next_steps + say "šŸ“ Next steps:", :yellow + say " 1. Add routes (shown above) to config/routes.rb" + say " 2. Run migrations: rails db:migrate" + say " 3. Include concern in User model: include UserMcpOauth" + say " 4. Configure: DEFAULT_MCP_SERVER_URL=https://mcp.example.com/api" + say " 5. Generate encryption keys: rails db:encryption:init" + say " 6. Restart server and visit /mcp_connections" + say "\n" + end + + def display_documentation_links + say "šŸ“š Documentation:", :cyan + say " ā€¢ OAuth Guide: docs/guides/rails-oauth.md" + say " ā€¢ Full OAuth Docs: OAUTH.md" + say " ā€¢ Online: https://www.rubyllm-mcp.com/guides/rails-oauth" + say "\n" + end + + def display_usage_example + say "šŸ’” Usage: client = McpClientFactory.for_user(user)", :blue + say "ā­ Star us: https://github.com/patvice/ruby_llm-mcp", :magenta + say "\n" + end + end + end + end + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_credentials.rb b/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_credentials.rb new file mode 100644 index 0000000..841f4e1 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_credentials.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +class CreateMcpOauthCredentials < ActiveRecord::Migration[7.0] + def change + create_table :mcp_oauth_credentials do |t| + t.references :user, null: false, foreign_key: true, index: true + t.string :server_url, null: false + t.text :token_data, null: false + t.text :client_info_data + t.datetime :token_expires_at + t.datetime :last_refreshed_at + + t.timestamps + + t.index %i[user_id server_url], unique: true, name: "index_mcp_oauth_on_user_and_server" + end + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_states.rb b/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_states.rb new file mode 100644 index 0000000..133825b --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/create_mcp_oauth_states.rb @@ -0,0 +1,18 @@ +# frozen_string_literal: true + +class CreateMcpOauthStates < ActiveRecord::Migration[7.0] + def change + create_table :mcp_oauth_states do |t| + t.references :user, null: false, foreign_key: true + t.string :server_url, null: false + t.string :state_param, null: false + t.text :pkce_data, null: false + t.datetime :expires_at, null: false + + t.timestamps + + t.index %i[user_id state_param], unique: true, name: "index_mcp_oauth_states_on_user_and_state" + t.index :expires_at, name: "index_mcp_oauth_states_on_expires_at" + end + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/example_job.rb b/lib/generators/ruby_llm/mcp/oauth/templates/example_job.rb new file mode 100644 index 0000000..d697c29 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/example_job.rb @@ -0,0 +1,77 @@ +# frozen_string_literal: true + +# Example background job using MCP with per-user OAuth +class AiResearchJob < ApplicationJob + queue_as :default + + # Retry on authentication errors (user might reconnect) + retry_on McpClientFactory::NotAuthenticatedError, + wait: 1.hour, + attempts: 3 do |job, _exception| + # After retries exhausted, notify user + user = User.find(job.arguments.first) + UserMailer.mcp_auth_required(user).deliver_now + end + + # Retry on transient network errors + retry_on RubyLLM::MCP::Errors::TransportError, + wait: :exponentially_longer, + attempts: 5 + + # Perform AI research using user's MCP connection + # @param user_id [Integer] ID of the user + # @param query [String] research query + # @param options [Hash] additional options + def perform(user_id, query, options = {}) + user = User.find(user_id) + + # Create MCP client with user's OAuth token + client = McpClientFactory.for_user(user) + + begin + # Get tools with user's permissions + tools = client.tools + Rails.logger.info "Loaded #{tools.count} MCP tools for user #{user_id}" + + # Create AI chat with user's MCP context + chat = RubyLLM.chat(provider: options[:provider] || "anthropic/claude-sonnet-4") + .with_tools(*tools) + + # Execute research + response = chat.ask(query) + + # Save results + save_research_results(user, query, response) + + # Notify user of completion + notify_completion(user, query) + + Rails.logger.info "Completed AI research for user #{user_id}" + ensure + # Always close client connection + client&.stop + end + end + + private + + def save_research_results(user, query, response) + # Customize based on your schema + user.research_results.create!( + query: query, + result: response.text, + completed_at: Time.current + ) + end + + def notify_completion(user, query) + # Notify via email, ActionCable, or other mechanism + ActionCable.server.broadcast( + "user_#{user.id}_notifications", + { + type: "research_complete", + message: "Research completed: #{query.truncate(50)}" + } + ) + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/mcp_client_factory.rb b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_client_factory.rb new file mode 100644 index 0000000..bd8f4e9 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_client_factory.rb @@ -0,0 +1,67 @@ +# frozen_string_literal: true + +# Factory for creating per-user MCP clients with OAuth authentication +class McpClientFactory + class NotAuthenticatedError < StandardError; end + + # Create MCP client for a specific user + # @param user [User] the user to create client for + # @param server_url [String] MCP server URL (defaults to ENV var) + # @param scope [String] OAuth scopes to request (defaults to ENV var) + # @return [RubyLLM::MCP::Client] configured MCP client + # @raise [NotAuthenticatedError] if user hasn't connected to MCP server + def self.for_user(user, server_url: nil, scope: nil) + server_url ||= ENV.fetch("DEFAULT_MCP_SERVER_URL") { raise "DEFAULT_MCP_SERVER_URL not set" } + scope ||= ENV["MCP_OAUTH_SCOPES"] || "mcp:read mcp:write" + + unless user.mcp_connected?(server_url) + raise NotAuthenticatedError, + "User #{user.id} has not connected to MCP server: #{server_url}. " \ + "Please complete OAuth flow first." + end + + storage = OauthStorage::UserTokenStorage.new(user.id, server_url) + + RubyLLM::MCP.client( + name: "user-#{user.id}-#{server_url.hash.abs}", + transport_type: determine_transport_type(server_url), + config: { + url: server_url, + oauth: { + storage: storage, + scope: scope + } + } + ) + end + + # Create MCP client for user, returning nil if not authenticated + # @param user [User] the user + # @return [RubyLLM::MCP::Client, nil] client or nil + def self.for_user_with_fallback(user, server_url: nil) + for_user(user, server_url: server_url) + rescue NotAuthenticatedError + nil + end + + # Check if user has valid MCP connection + # @param user [User] the user + # @param server_url [String] MCP server URL + # @return [Boolean] true if user has valid token + def self.connected?(user, server_url: nil) + server_url ||= ENV.fetch("DEFAULT_MCP_SERVER_URL", nil) + return false unless server_url + + credential = user.mcp_oauth_credentials.find_by(server_url: server_url) + credential&.valid_token? || false + end + + # Determine transport type from URL + # @param url [String] server URL + # @return [Symbol] :sse or :streamable + def self.determine_transport_type(url) + url.include?("/sse") ? :sse : :streamable + end + + private_class_method :determine_transport_type +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/mcp_connections_controller.rb b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_connections_controller.rb new file mode 100644 index 0000000..39a9fbc --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_connections_controller.rb @@ -0,0 +1,173 @@ +# frozen_string_literal: true + +# Controller for managing MCP OAuth connections +class McpConnectionsController < ApplicationController + before_action :authenticate_user! + + # GET /mcp_connections + def index + @credentials = current_user.mcp_oauth_credentials.order(created_at: :desc) + @server_url = ENV.fetch("DEFAULT_MCP_SERVER_URL", nil) + end + + # GET /mcp_connections/connect + def connect + server_url = params[:server_url] || ENV.fetch("DEFAULT_MCP_SERVER_URL") do + raise "DEFAULT_MCP_SERVER_URL environment variable not set" + end + scope = params[:scope] || ENV["MCP_OAUTH_SCOPES"] || "mcp:read mcp:write" + + # Create user-specific storage + storage = OauthStorage::UserTokenStorage.new(current_user.id, server_url) + + # Create OAuth provider + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_url, + redirect_uri: mcp_connections_callback_url, + scope: scope, + storage: storage, + logger: Rails.logger + ) + + # Start OAuth flow + begin + auth_url = oauth_provider.start_authorization_flow + + # Store context in session for callback + session[:mcp_oauth_context] = { + user_id: current_user.id, + server_url: server_url, + scope: scope, + started_at: Time.current.to_i + } + + redirect_to auth_url, allow_other_host: true + rescue StandardError => e + Rails.logger.error "MCP OAuth flow start failed: #{e.message}" + redirect_to mcp_connections_path, + alert: "Failed to start OAuth flow: #{e.message}" + end + end + + # GET /mcp_connections/callback + def callback + oauth_context = retrieve_and_validate_oauth_context + return unless oauth_context + + return if oauth_error_present? + + complete_oauth_flow_for_user(oauth_context) + end + + private + + def retrieve_and_validate_oauth_context + oauth_context = session.delete(:mcp_oauth_context) + + unless oauth_context + redirect_to mcp_connections_path, alert: "OAuth session expired. Please try again." + return nil + end + + if oauth_flow_timed_out?(oauth_context) + redirect_to mcp_connections_path, alert: "OAuth flow timed out. Please try again." + return nil + end + + oauth_context + end + + def oauth_flow_timed_out?(context) + Time.current.to_i - context["started_at"] > 600 + end + + def oauth_error_present? + return false unless params[:error] + + error_message = params[:error_description] || params[:error] + redirect_to mcp_connections_path, alert: "OAuth authorization failed: #{error_message}" + true + end + + def complete_oauth_flow_for_user(oauth_context) + oauth_provider = create_oauth_provider_from_context(oauth_context) + + oauth_provider.complete_authorization_flow(params[:code], params[:state]) + log_successful_oauth(oauth_context) + redirect_after_success + rescue StandardError => e + handle_oauth_callback_error(e) + end + + def create_oauth_provider_from_context(oauth_context) + storage = OauthStorage::UserTokenStorage.new( + oauth_context["user_id"], + oauth_context["server_url"] + ) + + RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: oauth_context["server_url"], + redirect_uri: mcp_connections_callback_url, + scope: oauth_context["scope"], + storage: storage, + logger: Rails.logger + ) + end + + def log_successful_oauth(oauth_context) + Rails.logger.info "MCP OAuth completed for user #{current_user.id}, " \ + "server: #{oauth_context['server_url']}" + end + + def redirect_after_success + return_path = session.delete(:mcp_return_to) || mcp_connections_path + redirect_to return_path, notice: "Successfully connected to MCP server!" + end + + def handle_oauth_callback_error(error) + Rails.logger.error "MCP OAuth callback failed: #{error.message}" + redirect_to mcp_connections_path, alert: "OAuth authorization failed: #{error.message}" + end + + public + + # DELETE /mcp_connections/:id/disconnect + def disconnect + credential = current_user.mcp_oauth_credentials.find(params[:id]) + server_url = credential.server_url + credential.destroy + + Rails.logger.info "User #{current_user.id} disconnected from MCP server: #{server_url}" + + redirect_to mcp_connections_path, + notice: "MCP server disconnected successfully" + rescue ActiveRecord::RecordNotFound + redirect_to mcp_connections_path, + alert: "Connection not found" + end + + # GET /mcp_connections/:id/refresh + def refresh + credential = current_user.mcp_oauth_credentials.find(params[:id]) + + storage = OauthStorage::UserTokenStorage.new(current_user.id, credential.server_url) + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: credential.server_url, + storage: storage + ) + + # Trigger token refresh + refreshed_token = oauth_provider.access_token + + if refreshed_token + redirect_to mcp_connections_path, + notice: "Token refreshed successfully" + else + redirect_to mcp_connections_path, + alert: "Token refresh failed. Please reconnect." + end + rescue ActiveRecord::RecordNotFound + redirect_to mcp_connections_path, + alert: "Connection not found" + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_credential.rb b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_credential.rb new file mode 100644 index 0000000..351bccb --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_credential.rb @@ -0,0 +1,50 @@ +# frozen_string_literal: true + +class McpOauthCredential < ApplicationRecord + belongs_to :user + + encrypts :token_data + encrypts :client_info_data + + validates :server_url, presence: true, uniqueness: { scope: :user_id } + + # Get token object from stored data + def token + return nil unless token_data.present? + + RubyLLM::MCP::Auth::Token.from_h(JSON.parse(token_data, symbolize_names: true)) + end + + # Set token and update expiration + def token=(token_obj) + self.token_data = token_obj.to_h.to_json + self.token_expires_at = token_obj.expires_at + end + + # Get client info object from stored data + def client_info + return nil unless client_info_data.present? + + RubyLLM::MCP::Auth::ClientInfo.from_h(JSON.parse(client_info_data, symbolize_names: true)) + end + + # Set client info + def client_info=(info_obj) + self.client_info_data = info_obj.to_h.to_json + end + + # Check if token is expired + def expired? + token&.expired? + end + + # Check if token expires soon (within 5 minutes) + def expires_soon? + token&.expires_soon? + end + + # Check if token is valid + def valid_token? + token && !token.expired? + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_state.rb b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_state.rb new file mode 100644 index 0000000..cd7cfec --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/mcp_oauth_state.rb @@ -0,0 +1,30 @@ +# frozen_string_literal: true + +class McpOauthState < ApplicationRecord + belongs_to :user + + encrypts :pkce_data + + validates :state_param, presence: true + validates :expires_at, presence: true + + scope :expired, -> { where("expires_at < ?", Time.current) } + scope :for_user, ->(user_id) { where(user_id: user_id) } + + # Clean up expired OAuth flow states + def self.cleanup_expired + expired.delete_all + end + + # Get PKCE object from stored data + def pkce + return nil unless pkce_data.present? + + RubyLLM::MCP::Auth::PKCE.from_h(JSON.parse(pkce_data, symbolize_names: true)) + end + + # Set PKCE object + def pkce=(pkce_obj) + self.pkce_data = pkce_obj.to_h.to_json + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/routes.rb b/lib/generators/ruby_llm/mcp/oauth/templates/routes.rb new file mode 100644 index 0000000..33db964 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/routes.rb @@ -0,0 +1,13 @@ +# frozen_string_literal: true + +# RubyLLM MCP OAuth routes +resources :mcp_connections, only: [:index] do + collection do + get :connect + get :callback + end + member do + delete :disconnect + get :refresh + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/user_mcp_oauth_concern.rb b/lib/generators/ruby_llm/mcp/oauth/templates/user_mcp_oauth_concern.rb new file mode 100644 index 0000000..02caa23 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/user_mcp_oauth_concern.rb @@ -0,0 +1,89 @@ +# frozen_string_literal: true + +# Add this to your User model: +# include UserMcpOauth + +module UserMcpOauth + extend ActiveSupport::Concern + + included do + has_many :mcp_oauth_credentials, dependent: :destroy + has_many :mcp_oauth_states, dependent: :destroy + end + + # Check if user has connected to a specific MCP server + # @param server_url [String] MCP server URL (defaults to ENV var) + # @return [Boolean] true if user has an OAuth credential for this server + def mcp_connected?(server_url = nil) + server_url ||= ENV.fetch("DEFAULT_MCP_SERVER_URL", nil) + return false unless server_url + + mcp_oauth_credentials.exists?(server_url: server_url) + end + + # Get valid token for a server + # @param server_url [String] MCP server URL + # @return [RubyLLM::MCP::Auth::Token, nil] token if valid, nil otherwise + def mcp_token_for(server_url = nil) + server_url ||= ENV.fetch("DEFAULT_MCP_SERVER_URL", nil) + return nil unless server_url + + credential = mcp_oauth_credentials.find_by(server_url: server_url) + return nil unless credential + + token = credential.token + return nil if token.nil? || token.expired? || token.expires_soon? + + token + end + + # Get MCP client for this user + # @param server_url [String] MCP server URL + # @return [RubyLLM::MCP::Client] configured client + # @raise [McpClientFactory::NotAuthenticatedError] if not connected + def mcp_client(server_url: nil) + McpClientFactory.for_user(self, server_url: server_url) + end + + # Get MCP client with fallback to nil if not authenticated + # @param server_url [String] MCP server URL + # @return [RubyLLM::MCP::Client, nil] client or nil + def mcp_client_safe(server_url: nil) + McpClientFactory.for_user_with_fallback(self, server_url: server_url) + end + + # Get all connected MCP servers for this user + # @return [Array] array of server URLs + def connected_mcp_servers + mcp_oauth_credentials.pluck(:server_url) + end + + # Disconnect from a specific MCP server + # @param server_url [String] MCP server URL + def revoke_mcp_connection(server_url) + credential = mcp_oauth_credentials.find_by(server_url: server_url) + credential&.destroy + end + + # Get OAuth connection status for a server + # @param server_url [String] MCP server URL + # @return [Hash] status information + def mcp_connection_status(server_url = nil) + server_url ||= ENV.fetch("DEFAULT_MCP_SERVER_URL", nil) + credential = mcp_oauth_credentials.find_by(server_url: server_url) + + return { connected: false } unless credential + + token = credential.token + + { + connected: true, + valid: token && !token.expired?, + expires_at: token&.expires_at, + expires_soon: token&.expires_soon?, + has_refresh_token: token&.refresh_token.present?, + last_refreshed_at: credential.last_refreshed_at, + scope: token&.scope + } + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/user_token_storage.rb b/lib/generators/ruby_llm/mcp/oauth/templates/user_token_storage.rb new file mode 100644 index 0000000..7a263f5 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/user_token_storage.rb @@ -0,0 +1,90 @@ +# frozen_string_literal: true + +module OauthStorage + # Per-user OAuth token storage for RubyLLM MCP + # Implements the storage interface required by RubyLLM::MCP::Auth::OAuthProvider + class UserTokenStorage + def initialize(user_id, server_url) + @user_id = user_id + @server_url = server_url + end + + # Token storage + def get_token(_server_url) + credential = McpOauthCredential.find_by(user_id: @user_id, server_url: @server_url) + credential&.token + end + + def set_token(_server_url, token) + credential = McpOauthCredential.find_or_initialize_by( + user_id: @user_id, + server_url: @server_url + ) + credential.token = token + credential.last_refreshed_at = Time.current + credential.save! + end + + # Client registration storage + def get_client_info(_server_url) + credential = McpOauthCredential.find_by(user_id: @user_id, server_url: @server_url) + credential&.client_info + end + + def set_client_info(_server_url, client_info) + credential = McpOauthCredential.find_or_initialize_by( + user_id: @user_id, + server_url: @server_url + ) + credential.client_info = client_info + credential.save! + end + + # Server metadata caching (shared across users) + def get_server_metadata(server_url) + Rails.cache.fetch("mcp:server_metadata:#{server_url}", expires_in: 24.hours) do + nil + end + end + + def set_server_metadata(server_url, metadata) + Rails.cache.write("mcp:server_metadata:#{server_url}", metadata, expires_in: 24.hours) + end + + # PKCE state management (temporary - per user) + def get_pkce(_server_url) + state = McpOauthState.find_by(user_id: @user_id, server_url: @server_url) + return nil unless state + + state.pkce + end + + def set_pkce(_server_url, pkce) + state = McpOauthState.find_or_initialize_by(user_id: @user_id, server_url: @server_url) + state.pkce = pkce + state.state_param ||= SecureRandom.hex(32) + state.expires_at ||= 10.minutes.from_now + state.save! + end + + def delete_pkce(_server_url) + McpOauthState.where(user_id: @user_id, server_url: @server_url).delete_all + end + + # State parameter management + def get_state(_server_url) + McpOauthState.find_by(user_id: @user_id, server_url: @server_url)&.state_param + end + + def set_state(_server_url, state_param) + state = McpOauthState.find_or_initialize_by(user_id: @user_id, server_url: @server_url) + state.state_param = state_param + state.expires_at ||= 10.minutes.from_now + state.save! + end + + def delete_state(_server_url) + McpOauthState.where(user_id: @user_id, server_url: @server_url).delete_all + end + end +end diff --git a/lib/generators/ruby_llm/mcp/oauth/templates/views/index.html.erb b/lib/generators/ruby_llm/mcp/oauth/templates/views/index.html.erb new file mode 100644 index 0000000..c15ac76 --- /dev/null +++ b/lib/generators/ruby_llm/mcp/oauth/templates/views/index.html.erb @@ -0,0 +1,137 @@ +
+

MCP Server Connections

+ + <% if @credentials.any? %> +

Connected Servers

+ + + + + + + + + + + + + <% @credentials.each do |credential| %> + + + + + + + + + <% end %> + +
ServerStatusScopesExpiresLast RefreshedActions
+ <%= credential.server_url %> + + <% if credential.expired? %> + Expired + <% elsif credential.expires_soon? %> + Expiring Soon + <% else %> + Active + <% end %> + + <% if credential.token&.scope %> + <%= credential.token.scope %> + <% else %> + N/A + <% end %> + + <% if credential.token_expires_at %> + <%= time_tag credential.token_expires_at, credential.token_expires_at.to_s(:short) %> +
+ + (<%= time_ago_in_words(credential.token_expires_at) %> + <%= credential.token_expires_at > Time.current ? "from now" : "ago" %>) + + <% else %> + Never + <% end %> + 		+ <% if credential.last_refreshed_at %> + <%= time_ago_in_words(credential.last_refreshed_at) %> ago + <% else %> + Never + <% end %> + +
+ <% if credential.expired? || credential.expires_soon? %> + <%= link_to "Refresh", + refresh_mcp_connection_path(credential), + class: "btn btn-sm btn-warning", + method: :get %> + <% end %> + <%= button_to "Disconnect", + disconnect_mcp_connection_path(credential), + method: :delete, + data: { confirm: "Are you sure you want to disconnect this MCP server?" }, + class: "btn btn-sm btn-danger" %> +
+
+ <% else %> +
+

No MCP Servers Connected

+

Connect to an MCP server to enable AI-powered features in your account.

+
+ <% end %> + +
+
+

Add New Server

+

Connect to an MCP server to access tools, resources, and AI capabilities.

+ + <% if @server_url %> + <%= link_to "Connect to #{@server_url}", + connect_mcp_connections_path(server_url: @server_url), + class: "btn btn-primary" %> + <% else %> +

+ Configuration Required: + Set DEFAULT_MCP_SERVER_URL environment variable. +

+ <% end %> +
+
+ +
+

What is MCP?

+

+ Model Context Protocol (MCP) allows AI models to securely access external + data and tools. By connecting your account, you grant AI features permission + to access specific resources on your behalf. +

+ +

Security & Privacy

+
    +
  • Tokens are encrypted and stored securely
    • +
  • Each connection is specific to your account
    • +
  • You can disconnect at any time
    • +
  • Tokens automatically refresh when possible
    • +
+
+
+ + From 97a54afa3af39fcd760fb00812d94baa6499141b Mon Sep 17 00:00:00 2001 From: Paulo Arruda Date: Thu, 6 Nov 2025 21:46:48 -0400 Subject: [PATCH 5/5] Add SSE OAuth tests and move OAuth docs to guides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added comprehensive OAuth integration tests for SSE transport: - Test OAuth provider acceptance in options - Test Authorization header application when token available - Test behavior when no token available - Test transport works without OAuth provider Moved and reformatted OAuth documentation: - OAUTH.md ā†’ docs/guides/oauth.md - Added Jekyll frontmatter for docs site - Formatted to match other guide pages - Added navigation order and parent hierarchy - Streamlined content for guide format - Added links to Rails OAuth integration Test Results: - 761 examples, 0 failures āœ… (4 new SSE OAuth tests) - 116 files inspected, 0 RuboCop offenses āœ… - 87.53% line coverage, 65.51% branch coverage šŸ¤– Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- OAUTH.md => docs/guides/oauth.md | 307 ++++++----------------- spec/ruby_llm/mcp/transports/sse_spec.rb | 78 ++++++ 2 files changed, 155 insertions(+), 230 deletions(-) rename OAUTH.md => docs/guides/oauth.md (61%) diff --git a/OAUTH.md b/docs/guides/oauth.md similarity index 61% rename from OAUTH.md rename to docs/guides/oauth.md index 75e841f..32ac15f 100644 --- a/OAUTH.md +++ b/docs/guides/oauth.md @@ -1,18 +1,23 @@ -# OAuth 2.1 Support in ruby_llm-mcp +--- +layout: default +title: OAuth 2.1 Authentication +parent: Guides +nav_order: 8 +description: "Complete OAuth 2.1 implementation with PKCE, dynamic registration, and automatic token refresh" +--- -This gem implements comprehensive OAuth 2.1 support for MCP (Model Context Protocol) servers, providing secure authentication and authorization for HTTP-based transports (SSE and StreamableHTTP). +# OAuth 2.1 Authentication +{: .no_toc } -## Table of Contents +Comprehensive OAuth 2.1 support for MCP servers with automatic token management, browser-based authentication, and pluggable storage. -- [Features](#features) -- [Architecture](#architecture) -- [Quick Start](#quick-start) -- [Configuration](#configuration) -- [Usage Examples](#usage-examples) -- [Browser-Based Authentication](#browser-based-authentication) -- [Custom Storage](#custom-storage) -- [Security Considerations](#security-considerations) -- [Troubleshooting](#troubleshooting) +## Table of contents +{: .no_toc .text-delta } + +1. TOC +{:toc} + +--- ## Features @@ -29,9 +34,11 @@ This gem implements comprehensive OAuth 2.1 support for MCP (Model Context Proto ### Transport Support -- **SSE (Server-Sent Events)**: Full OAuth support for event streams and message endpoints -- **StreamableHTTP**: Complete OAuth integration with session management -- **Stdio**: Not applicable (local process communication) +| Transport | OAuth Support | Details | +|-----------|---------------|---------| +| **SSE** | āœ… Full support | Event streams and message endpoints | +| **StreamableHTTP** | āœ… Full support | All HTTP requests with session management | +| **Stdio** | N/A | Local process communication (no auth needed) | ## Architecture @@ -111,9 +118,9 @@ end RubyLLM::MCP.establish_connection ``` -## Configuration +## Configuration Options -### OAuth Configuration Options +### OAuth Configuration | Option | Type | Required | Description | |--------|------|----------|-------------| @@ -123,7 +130,7 @@ RubyLLM::MCP.establish_connection ### Environment Variables -Use ERB in configuration files for sensitive data: +Use ERB in configuration files: ```yaml mcp_servers: @@ -137,7 +144,7 @@ mcp_servers: ## Usage Examples -### Example 1: Simple SSE Client with OAuth +### SSE Client with OAuth ```ruby require "ruby_llm/mcp" @@ -147,7 +154,7 @@ require "ruby_llm/mcp/auth/browser_oauth" client = RubyLLM::MCP.client( name: "secure-server", transport_type: :sse, - start: false, # Don't auto-start + start: false, config: { url: "https://mcp.example.com/sse", oauth: { @@ -157,41 +164,28 @@ client = RubyLLM::MCP.client( } ) -# Get OAuth provider from transport +# Authenticate via browser transport = client.instance_variable_get(:@coordinator).send(:transport) oauth_provider = transport.oauth_provider -# Perform browser-based authentication browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( oauth_provider, - callback_port: 8080, - callback_path: "/callback" + callback_port: 8080 ) -# This will: -# 1. Start local callback server -# 2. Open browser to authorization URL -# 3. Wait for user to authorize -# 4. Exchange code for token -# 5. Store token -token = browser_oauth.authenticate(timeout: 300, auto_open_browser: true) +token = browser_oauth.authenticate(timeout: 300) puts "Successfully authenticated!" -puts "Access token: #{token.access_token[0..20]}..." - -# Now start the client - it will use the stored token client.start -# Use the client normally +# Use normally - OAuth automatic tools = client.tools puts "Available tools: #{tools.map(&:name).join(', ')}" ``` -### Example 2: StreamableHTTP with OAuth +### StreamableHTTP with OAuth ```ruby -require "ruby_llm/mcp" - client = RubyLLM::MCP.client( name: "streamable-server", transport_type: :streamable, @@ -205,7 +199,7 @@ client = RubyLLM::MCP.client( } ) -# Authenticate (same as above) +# Authenticate transport = client.instance_variable_get(:@coordinator).send(:transport) browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( transport.oauth_provider, @@ -213,46 +207,35 @@ browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( ) browser_oauth.authenticate -# Start client +# Use client client.start - -# Execute tools result = client.tool("search").execute(params: { query: "Ruby MCP" }) -puts result ``` -### Example 3: Manual Authorization Flow +### Manual Authorization Flow -For scenarios where browser opening isn't possible: +For scenarios without browser access: ```ruby -require "ruby_llm/mcp" - client = RubyLLM::MCP.client( name: "manual-auth", transport_type: :sse, start: false, config: { url: "https://mcp.example.com/api", - oauth: { - redirect_uri: "http://localhost:8080/callback", - scope: "mcp:read" - } + oauth: { scope: "mcp:read" } } ) transport = client.instance_variable_get(:@coordinator).send(:transport) oauth_provider = transport.oauth_provider -# Start authorization flow +# Get authorization URL auth_url = oauth_provider.start_authorization_flow puts "\nPlease visit this URL to authorize:" puts auth_url -puts "\nAfter authorization, you'll be redirected to:" -puts "#{oauth_provider.redirect_uri}?code=...&state=..." -puts "\nEnter the 'code' parameter from the URL:" - +puts "\nEnter the 'code' parameter from callback:" code = gets.chomp puts "Enter the 'state' parameter:" @@ -260,84 +243,12 @@ state = gets.chomp # Complete authorization token = oauth_provider.complete_authorization_flow(code, state) -puts "\nAuthentication successful!" - -# Start client client.start ``` -### Example 4: Multiple Clients with Different Auth - -```ruby -require "ruby_llm/mcp" - -RubyLLM.configure do |config| - config.mcp_configuration = [ - { - name: "public-server", - transport_type: :stdio, - config: { - command: "mcp-server-filesystem", - args: ["/tmp"] - } - }, - { - name: "secure-server-1", - transport_type: :sse, - start: false, - config: { - url: "https://secure1.example.com", - oauth: { - redirect_uri: "http://localhost:8080/callback", - scope: "mcp:read" - } - } - }, - { - name: "secure-server-2", - transport_type: :streamable, - start: false, - config: { - url: "https://secure2.example.com", - oauth: { - redirect_uri: "http://localhost:8081/callback", - scope: "mcp:admin" - } - } - } - ] -end - -# Start public server immediately -RubyLLM::MCP.establish_connection do |clients| - # public-server auto-starts - puts "Public server tools: #{clients[:public_server].tools.count}" -end - -# Authenticate secure servers separately -def authenticate_client(client, port) - transport = client.instance_variable_get(:@coordinator).send(:transport) - browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( - transport.oauth_provider, - callback_port: port - ) - browser_oauth.authenticate - client.start -end - -clients = RubyLLM::MCP.clients -authenticate_client(clients[:secure_server_1], 8080) -authenticate_client(clients[:secure_server_2], 8081) - -# Now all clients are ready -RubyLLM::MCP.tools.each do |tool| - puts "Tool: #{tool.name}" -end -``` - ## Browser-Based Authentication -The `BrowserOAuth` class provides a complete browser-based OAuth flow: +The `BrowserOAuth` class provides complete browser-based OAuth: ### Features @@ -353,30 +264,26 @@ The `BrowserOAuth` class provides a complete browser-based OAuth flow: ```ruby require "ruby_llm/mcp/auth/browser_oauth" -# Create OAuth provider oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( server_url: "https://mcp.example.com", redirect_uri: "http://localhost:8080/callback", scope: "mcp:read mcp:write" ) -# Create browser OAuth helper browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( oauth_provider, callback_port: 8080, callback_path: "/callback" ) -# Authenticate (opens browser automatically) begin token = browser_oauth.authenticate( timeout: 300, # 5 minutes - auto_open_browser: true # Set to false for manual opening + auto_open_browser: true ) puts "Access token: #{token.access_token}" puts "Expires at: #{token.expires_at}" - puts "Refresh token: #{token.refresh_token}" if token.refresh_token rescue RubyLLM::MCP::Errors::TimeoutError puts "Authorization timed out" rescue RubyLLM::MCP::Errors::TransportError => e @@ -384,27 +291,12 @@ rescue RubyLLM::MCP::Errors::TransportError => e end ``` -### Custom Callback Port - -If port 8080 is in use: - -```ruby -browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( - oauth_provider, - callback_port: 9999, - callback_path: "/oauth/callback" -) - -# Update OAuth provider redirect URI to match -oauth_provider.redirect_uri = "http://localhost:9999/oauth/callback" -``` - ## Custom Storage -Implement custom storage for production deployments: - ### Storage Interface +Implement these methods for custom storage: + ```ruby class CustomStorage # Token storage @@ -431,7 +323,7 @@ class CustomStorage end ``` -### Example: Redis Storage +### Redis Storage Example ```ruby require "redis" @@ -449,19 +341,10 @@ class RedisOAuthStorage def set_token(server_url, token) @redis.set("oauth:token:#{server_url}", token.to_h.to_json) - @redis.expire("oauth:token:#{server_url}", 86400) # 24 hours - end - - def get_client_info(server_url) - data = @redis.get("oauth:client:#{server_url}") - data ? RubyLLM::MCP::Auth::ClientInfo.from_h(JSON.parse(data, symbolize_names: true)) : nil - end - - def set_client_info(server_url, client_info) - @redis.set("oauth:client:#{server_url}", client_info.to_h.to_json) + @redis.expire("oauth:token:#{server_url}", 86400) end - # ... implement other methods ... + # Implement remaining methods... end # Use custom storage @@ -478,42 +361,15 @@ client = RubyLLM::MCP.client( ) ``` -### Example: Database Storage - -```ruby -class DatabaseOAuthStorage - def initialize(db_connection) - @db = db_connection - end - - def get_token(server_url) - record = @db[:oauth_tokens].where(server_url: server_url).first - return nil unless record - - RubyLLM::MCP::Auth::Token.from_h(JSON.parse(record[:token_data], symbolize_names: true)) - end - - def set_token(server_url, token) - @db[:oauth_tokens].insert_conflict( - target: :server_url, - update: { token_data: token.to_h.to_json, updated_at: Time.now } - ).insert( - server_url: server_url, - token_data: token.to_h.to_json, - created_at: Time.now, - updated_at: Time.now - ) - end +### Database Storage Example - # ... implement other methods ... -end -``` +See [Rails OAuth Integration Guide]({% link guides/rails-oauth.md %}) for complete database storage implementation. ## Security Considerations ### PKCE (Proof Key for Code Exchange) -All OAuth flows use PKCE with S256 (SHA256) hashing: +All OAuth flows use PKCE with S256 (SHA256): - **Code Verifier**: 32 bytes of cryptographically secure random data - **Code Challenge**: SHA256 hash of the verifier @@ -536,28 +392,17 @@ CSRF protection via state parameter: ### URL Normalization -Server URLs are normalized to prevent token confusion: +Server URLs normalized to prevent token confusion: ``` https://MCP.EXAMPLE.COM:443/api/ ā†’ https://mcp.example.com/api http://example.com:80 ā†’ http://example.com ``` -### Sensitive Data Filtering - -Configuration objects automatically filter sensitive data: - -```ruby -config = { oauth: { scope: "read", client_secret: "secret123" } } -config.inspect # client_secret shown as [FILTERED] -``` - ## Troubleshooting ### Port Already in Use -If callback port is in use: - ```ruby browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( oauth_provider, @@ -567,8 +412,6 @@ browser_oauth = RubyLLM::MCP::Auth::BrowserOAuth.new( ### Browser Doesn't Open -Set `auto_open_browser: false` and manually copy URL: - ```ruby token = browser_oauth.authenticate(auto_open_browser: false) # Manually open the displayed URL @@ -576,8 +419,6 @@ token = browser_oauth.authenticate(auto_open_browser: false) ### Token Refresh Fails -Check server logs and ensure refresh tokens are being returned: - ```ruby token = oauth_provider.access_token if token&.refresh_token @@ -589,34 +430,29 @@ end ### Discovery Fails -Verify OAuth server endpoints: - ```ruby # Check discovery URLs discovery_url = "https://mcp.example.com/.well-known/oauth-authorization-server" -response = HTTParty.get(discovery_url) -puts response.body +# Verify endpoint exists ``` -### Custom Redirect URI Not Working +### Redirect URI Mismatch -Ensure redirect URI matches exactly: +Ensure exact match (no trailing slash, correct protocol): ```ruby -# Server expects +# āœ… Correct "http://localhost:8080/callback" -# Not +# āŒ Wrong "http://localhost:8080/callback/" # Trailing slash -"http://127.0.0.1:8080/callback" # Different host +"http://127.0.0.1:8080/callback" # Different host ``` ## Advanced Topics ### Custom OAuth Provider -For advanced use cases, create OAuth provider directly: - ```ruby require "ruby_llm/mcp/auth/oauth_provider" @@ -636,8 +472,6 @@ token = provider.complete_authorization_flow(code, state) ### Token Introspection -Check token status: - ```ruby token = oauth_provider.access_token @@ -649,23 +483,36 @@ if token end ``` -### Logging - -Enable debug logging: +### Debug Logging ```ruby RubyLLM.configure do |config| config.log_level = Logger::DEBUG end -# Or set environment variable +# Or environment variable ENV["RUBYLLM_MCP_DEBUG"] = "1" ``` -## License +## Multi-User Applications + +For Rails applications with multiple users, see: +- **[Rails OAuth Integration]({% link guides/rails-oauth.md %})** - Complete multi-tenant setup +- Generator: `rails generate ruby_llm:mcp:oauth:install` + +## Next Steps + +1. **Single-user apps**: Use `BrowserOAuth` class directly +2. **Multi-user apps**: Use Rails OAuth integration +3. **Production**: Implement custom storage (Redis, Database) +4. **Security**: Enable debug logging during development + +## Related Documentation -See [LICENSE](LICENSE) file. +- [Rails OAuth Integration]({% link guides/rails-oauth.md %}) - Multi-user setup +- [Rails Integration]({% link guides/rails-integration.md %}) - Basic Rails setup +- [Transports]({% link guides/transports.md %}) - Transport configuration -## Contributing +--- -See [CONTRIBUTING.md](CONTRIBUTING.md) for contribution guidelines. +**RubyLLM MCP** ā€¢ [GitHub](https://github.com/patvice/ruby_llm-mcp) ā€¢ [Report Issues](https://github.com/patvice/ruby_llm-mcp/issues) diff --git a/spec/ruby_llm/mcp/transports/sse_spec.rb b/spec/ruby_llm/mcp/transports/sse_spec.rb index 564b545..51c943a 100644 --- a/spec/ruby_llm/mcp/transports/sse_spec.rb +++ b/spec/ruby_llm/mcp/transports/sse_spec.rb @@ -84,6 +84,84 @@ def client end end + describe "OAuth integration" do + let(:coordinator) { instance_double(RubyLLM::MCP::Coordinator) } + let(:server_url) { "http://localhost:3000/sse" } + let(:storage) { RubyLLM::MCP::Auth::OAuthProvider::MemoryStorage.new } + + it "accepts OAuth provider in options" do + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_url, + storage: storage + ) + + transport = RubyLLM::MCP::Transports::SSE.new( + url: server_url, + coordinator: coordinator, + request_timeout: 5000, + options: { oauth_provider: oauth_provider } + ) + + expect(transport.oauth_provider).to eq(oauth_provider) + end + + it "applies OAuth authorization header when token available" do + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_url, + storage: storage + ) + + token = RubyLLM::MCP::Auth::Token.new( + access_token: "test_access_token", + expires_in: 3600 + ) + storage.set_token(server_url, token) + + transport = RubyLLM::MCP::Transports::SSE.new( + url: server_url, + coordinator: coordinator, + request_timeout: 5000, + options: { oauth_provider: oauth_provider } + ) + + headers = transport.send(:build_request_headers) + + expect(headers["Authorization"]).to eq("Bearer test_access_token") + end + + it "does not apply OAuth header when no token available" do + oauth_provider = RubyLLM::MCP::Auth::OAuthProvider.new( + server_url: server_url, + storage: storage + ) + + transport = RubyLLM::MCP::Transports::SSE.new( + url: server_url, + coordinator: coordinator, + request_timeout: 5000, + options: { oauth_provider: oauth_provider } + ) + + headers = transport.send(:build_request_headers) + + expect(headers["Authorization"]).to be_nil + end + + it "works without OAuth provider" do + transport = RubyLLM::MCP::Transports::SSE.new( + url: server_url, + coordinator: coordinator, + request_timeout: 5000, + options: {} + ) + + expect(transport.oauth_provider).to be_nil + + headers = transport.send(:build_request_headers) + expect(headers["Authorization"]).to be_nil + end + end + describe "#parse_event" do let(:transport) do RubyLLM::MCP::Transports::SSE.new(