fix: Actually initialize the automated oauth clients

clareliguori · clareliguori · commit 21e76cce398e · 2025-07-03T21:08:58.000-07:00
diff --git a/e2e_tests/setup/integ-test-authentication.yaml b/e2e_tests/setup/integ-test-authentication.yaml
@@ -89,17 +89,23 @@ Resources:
               - "s3:GetEncryptionConfiguration"
             Resource:
               - "arn:aws:s3:::cdk*"
-          # Allow integration tests to invoke Lambda functions and Bedrock models
+          # Allow integration tests to invoke Lambda functions, Bedrock models, and retrieve the OAuth client secret
           - Effect: Allow
             Action:
               - "lambda:InvokeFunction"
+              - "lambda:InvokeFunctionUrl"
             Resource:
               - !Sub "arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:mcp-server-*"
           - Effect: Allow
             Action:
               - "bedrock:InvokeModel"
             Resource:
               - "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-5-sonnet-20241022-v2:0"
+          - Effect: Allow
+            Action:
+              - "secretsmanager:GetSecretValue"
+            Resource:
+              - !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:mcp-lambda-examples-user-creds-*"
       Roles:
         - !Ref IntegrationTestRole
 
diff --git a/e2e_tests/typescript/src/main.ts b/e2e_tests/typescript/src/main.ts
@@ -3,6 +3,10 @@ import { ChatSession } from "./chat_session.js";
 import { LLMClient } from "./llm_client.js";
 import { StdioServer } from "./server_clients/stdio_server.js";
 import { LambdaFunctionClient } from "./server_clients/lambda_function.js";
+import {
+  AutomatedOAuthClient,
+  AutomatedOAuthConfig,
+} from "./server_clients/automated_oauth.js";
 import { Server } from "./server_clients/server.js";
 import logger from "./logger.js";
 
@@ -29,6 +33,15 @@ async function main(): Promise<void> {
     );
   }
 
+  // Initialize automated OAuth servers
+  for (const [name, srvConfig] of Object.entries(
+    serverConfig.oAuthServers || {}
+  )) {
+    servers.push(
+      new AutomatedOAuthClient(name, srvConfig as AutomatedOAuthConfig)
+    );
+  }
+
   const userUtterances = [
     "Hello!",
     "What is the current time in Seattle?",
diff --git a/e2e_tests/typescript/src/server_clients/automated_oauth.ts b/e2e_tests/typescript/src/server_clients/automated_oauth.ts
@@ -22,7 +22,7 @@ import { Server } from "./server.js";
 import logger from "../logger.js";
 
 /**
- * Configuration interface for AutomatedOAuth
+ * Configuration interface for AutomatedOAuthClient
  */
 export interface AutomatedOAuthConfig {
   // Lookup server URL from a CloudFormation stack
@@ -42,7 +42,7 @@ export interface AutomatedOAuthConfig {
  * - Client ID: CloudFormation stack output 'AutomatedOAuthClientId' from 'LambdaMcpServer-Auth' stack
  * - Client Secret: AWS Secrets Manager secret (ARN from CloudFormation stack output 'OAuthClientSecretArn')
  */
-export class AutomatedOAuth extends Server {
+export class AutomatedOAuthClient extends Server {
   private oauthProvider?: AutomatedOAuthClientProvider;
 
   // Lookup server URL from a CloudFormation stack
@@ -104,7 +104,9 @@ export class AutomatedOAuth extends Server {
       logger.debug("Starting automated OAuth flow...");
       await this.attemptConnection();
     } catch (error) {
-      logger.error(`Error initializing automated OAuth server ${this.name}: ${error}`);
+      logger.error(
+        `Error initializing automated OAuth server ${this.name}: ${error}`
+      );
       throw error;
     }
   }
@@ -187,7 +189,7 @@ export class AutomatedOAuth extends Server {
     try {
       // First get the secret ARN from CloudFormation
       logger.debug("Retrieving client secret ARN from CloudFormation...");
-      
+
       const cloudFormationClient = new CloudFormationClient({
         region: this.authStackRegion,
       });
@@ -226,7 +228,7 @@ export class AutomatedOAuth extends Server {
 
       // Now get the secret value from Secrets Manager
       logger.debug("Retrieving client secret from Secrets Manager...");
-      
+
       const secretsManagerClient = new SecretsManagerClient({
         region: this.authStackRegion,
       });
@@ -443,16 +445,22 @@ class AutomatedOAuthClientProvider implements OAuthClientProvider {
 
   redirectToAuthorization(authorizationUrl: URL): void {
     // Not used in client credentials flow - no user interaction
-    throw new Error("redirectToAuthorization should not be called in automated OAuth flow");
+    throw new Error(
+      "redirectToAuthorization should not be called in automated OAuth flow"
+    );
   }
 
   saveCodeVerifier(codeVerifier: string): void {
     // Not used in client credentials flow
-    throw new Error("saveCodeVerifier should not be called in automated OAuth flow");
+    throw new Error(
+      "saveCodeVerifier should not be called in automated OAuth flow"
+    );
   }
 
   codeVerifier(): string {
     // Not used in client credentials flow
-    throw new Error("codeVerifier should not be called in automated OAuth flow");
+    throw new Error(
+      "codeVerifier should not be called in automated OAuth flow"
+    );
   }
 }
