Adding authorization at http layer on streamable_http via httpx auth parameter #715

Closed

didier-durand

…param

We add the use of the param `auth=` to httpx_streamable.py in order to allow access to remote MCP servers from local MCP clients when a TCP/HTTP-level signature is in place.

Motivation and Context

We work on use cases where MCP servers are hosted in the cloud while MCP clients can be anywhere.

In some environments like AWS, many applications are protected at the HTTP layer (API Gateway, Load Balancers, etc.) and require their requests to be authenticated via various TCP headers.

In our case we use the TCP signatures supported by httpx_auth (see https://pypi.org/project/httpx-auth/), which works for multiple forms of authentication (incl. OAuth2, AWS). See the repo doc for all possible signature mechanisms.

How Has This Been Tested?

We have run tests in AWS cloud environments with security gateways imposing signature at TCP level.

Without the TCP signature, the requests to the TCP server fail with HTTP code 403. With the signature provided by httpx_auth, they go through the authentication gate.

Breaking Changes

We took precautions in our code to avoid breaking changes:

  • we only include auth in the httpx param when it is not None
  • we did not type it as a param in the class constructor to avoid pulling additional mandatory dependencies in the project. Otherwise, it would have pulled a dependency on AWS4Auth when httpx_auth is used (or on equivalent classes of other signing libs)

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • [x] I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • [x] New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

We did not add tests here for such signatures, as the validation of the signature can only happen when access to a live authorization gateway is in place (the signature is time-dependent and account-dependent, and the validation algorithm of AWS is unknown).

@didier-durand
Author

I'll check the various issues raised above and come back with a new PR.
