authentification gateway + profiles issue

[nmaisonneuve]

Hi again @seuros :)

I'm trying to connect to an MCP server via a JWT token with user-based profile switching (admin or basic user) using the MCP Inspector 0.15 development tool.

Current Issues:

1. Without JWT: Can connect (but shouldn't be able to)
2. With JWT (admin user): Can connect but capabilities list is empty (should show admin profile with all tools)

Code Implementation

Gateway Authentication Method

def authenticate!
  # Example using JWT:
  token = extract_bearer_token
  raise ActionMCP::UnauthorizedError, "Missing token" unless token
  payload = ActionMCP::JwtDecoder.decode(token)
  user = resolve_user(payload)
  raise ActionMCP::UnauthorizedError, "Unauthorized" unless user
  
  if user.admin?
    ActionMCP.configuration.use_profile(:admin)
  else
    ActionMCP.configuration.use_profile(:none)
  end
  
  # Return a hash with all identified_by attributes
  { user: user }
rescue ActionMCP::JwtDecoder::DecodeError => e
  raise ActionMCP::UnauthorizedError, e.message
end

MCP Configuration (mcp.yml)

shared:
  # MCP capability profiles
  profiles:
    # admin profile
    admin:
      tools:
        - all
      prompts:
        - all
      resources:
        - all
      options:
        list_changed: false
        logging_enabled: true
        resources_subscribe: false
    # basic user
    none:
      tools: []
      prompts: []
      resources: []
      options:
        list_changed: false
        logging_enabled: true
        logging_level: info
        resources_subscribe: false

# Development environment
development:
  authentication: ['jwt']
  adapter: solid_mcp
  polling_interval: 0.1
  batch_size: 100
  flush_interval: 0.05
  session_store_type: volatile

# Production environment
production:
  authentication: ['jwt']
  adapter: solid_mcp
  polling_interval: 0.5.seconds
  batch_size: 200 # Number of messages to write in a single batch
  flush_interval: 0.05 # Seconds between batch flushes
  session_store_type: active_record
  min_threads: 10 # Minimum number of threads in the pool
  max_threads: 20 # Maximum number of threads in the pool
  max_queue: 500 # Maximum number of tasks that can be queued

Expected Behavior

• Without JWT: Connection should be rejected
• With valid JWT (admin): Connection should succeed with admin profile capabilities visible

Need Help

Looking for assistance to resolve why:

1. Authentication isn't properly blocking unauthenticated connections
2. Profile switching isn't reflecting the correct capabilities in the MCP Inspector

[seuros]

I noticed this morning that i didn't commit the AUTH.md.

Instead of explaining how to implement it , i will just back it into the gem.

I will ping you shortly .

[nmaisonneuve]

Hi @seuros ,

I stiil have error when I try to connect with JWT token even with a dummy gateway

def authenticate!
return {user: User.find_by(id: 1)}
end

gem action_mcp 0.71.0

ActionMCP Configuration (development)

Basic Information:
Name: demo72
Version: 0.0.1
Protocol Version: 2025-03-26
Active Profile: primary

Session Storage:
Session Store Type: volatile
Client Session Store: volatile
Server Session Store: volatile

Transport Configuration:
SSE Heartbeat Interval: 30s
Post Response Preference: json
SSE Event Retention Period: 900
Max Stored SSE Events: 100

Pub/Sub Adapter:
Adapter: solid_mcp
Polling Interval: 0.1

Authentication:
Methods: jwt

Logging:
Logging Enabled: true
Logging Level: debug

Gateway:
Gateway Class: ApplicationGateway

Enabled Capabilities:
tools: {listChanged: false}
logging: {}

Available Profiles:

• admin
• primary

Here is the Action MCP server log
| I, [2025-07-14T14:33:01.083318 #14] INFO -- : Processing by ActionMCP::ApplicationController#create as JSON
mcp-1 | I, [2025-07-14T14:33:01.085745 #14] INFO -- : [ahoy] Visit excluded
mcp-1 | [MCP] [RX] D, [2025-07-14T14:33:01.167102 #14] DEBUG -- : {"jsonrpc":"2.0","id":0,"method":"initialize","params":{"protocolVersion":"2025-06-18","capabilities":{"sampling":{},"roots":{"listChanged":true}},"clientInfo":{"name":"mcp-inspector","version":"0.16.1"}}}
mcp-1 | [MCP] [TX] D, [2025-07-14T14:33:01.210126 #14] DEBUG -- : {"jsonrpc":"2.0","id":0,"result":{"protocolVersion":"2025-06-18","serverInfo":{"name":"Friendly MCP (Master Context Protocol)","version":"1.2.3"},"capabilities":{"tools":{"listChanged":false},"logging":{}}}}
mcp-1 | I, [2025-07-14T14:33:01.211897 #14] INFO -- : Rendered ActiveModel::Serializer::Null with Hash (0.08ms)
mcp-1 | I, [2025-07-14T14:33:01.213295 #14] INFO -- : Completed 200 OK in 130ms (Views: 2.3ms | ActiveRecord: 52.0ms (5 queries, 0 cached) | GC: 0.0ms)
mcp-1 |
mcp-1 |
mcp-1 | I, [2025-07-14T14:33:01.249747 #14] INFO -- : Started POST "/" for 172.18.0.1 at 2025-07-14 14:33:01 +0000
mcp-1 | Error occurred while parsing request parameters.
mcp-1 | Contents:

Error occurred while parsing request parameters.

(we already saw this error previously )

here is the MCP inspector log
🌐 Opening browser...
New StreamableHttp connection request
Query parameters: {"url":"http://localhost:62770/","transportType":"streamable-http"}
Created StreamableHttp server transport
Created StreamableHttp client transport
Client <-> Proxy sessionId: ea1ef165-0b9b-4258-bcc3-70689d8e1733
Proxy <-> Server sessionId: 8cb4eb138742
Received POST message for sessionId ea1ef165-0b9b-4258-bcc3-70689d8e1733
Received GET message for sessionId ea1ef165-0b9b-4258-bcc3-70689d8e1733
Error from MCP server: StreamableHTTPError: Streamable HTTP error: Failed to open SSE stream: Unauthorized
at StreamableHTTPClientTransport._startOrAuthSse (file:///Users/nico/.npm/_npx/5a9d879542beca3a/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:99:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
code: 401
}
Error from MCP server: StreamableHTTPError: Streamable HTTP error: Failed to open SSE stream: Unauthorized
at StreamableHTTPClientTransport._startOrAuthSse (file:///Users/nico/.npm/_npx/5a9d879542beca3a/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:99:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5) {
code: 401
}
Received POST message for sessionId ea1ef165-0b9b-4258-bcc3-70689d8e1733
Error from MCP server: Error: Error POSTing to endpoint (HTTP 401): {"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"No authentication methods available"}}
at StreamableHTTPClientTransport.send (file:///Users/nico/.npm/_npx/5a9d879542beca3a/node_modules/@modelcontextprotocol/sdk/dist/esm/client/streamableHttp.js:284:23)
at process.processTicksAndRejections (node:internal/process/task_queues:105:5)

No authentication methods available

[seuros]

Can you update that demo app with your implementation ? will check it.

[nmaisonneuve]

@seuros
repo updated
https://github.com/nmaisonneuve/test_action_mcp

[nmaisonneuve]

@seuros

INFO -- : Started POST "/" for 172.18.0.1 at 2025-07-15 22:27:40 +0000
mcp-1 | Error occurred while parsing request parameters.
mcp-1 | Contents:
mcp-1 |
mcp-1 |
mcp-1 | I, [2025-07-15T22:27:40.439108 #25] INFO -- : Processing by ActionMCP::ApplicationController#create as JSON
mcp-1 | I, [2025-07-15T22:27:40.984300 #25] INFO -- : [ahoy] Visit excluded
mcp-1 | E, [2025-07-15T22:27:41.143272 #25] ERROR -- : Unified POST Error: NameError - undefined local variable or method 'consents' for an instance of ActionMCP::Session
mcp-1 | /bundle/ruby/3.4.0/gems/activemodel-8.0.2/lib/active_model/attribute_methods.rb:512:in 'ActiveModel::AttributeMethods#method_missing'

[seuros]

Did you add the new migration ?

[seuros]

I'm currently removing jwt and omniauth that i backed in the gem, i will leverage Warden and Omniauth. wdyt ?

[nmaisonneuve]

Did you add the new migration ?

no, will test on https://github.com/nmaisonneuve/test_action_mcp tomorrow

this should also correct the error ?
" Error occurred while parsing request parameters. "

[nmaisonneuve]

i will leverage Warden and Omniauth. wdyt ?

hmm I dont know well these gems. but right now, for my use case, a basic JWT token authentification mecanism is clearly enough, while quite simple to setup.

[nmaisonneuve]

(you never sleep :)

[seuros]

(you never sleep :)

I'm always sleeping, i just figured out how to get online in the dream.

[seuros]

Did you add the new migration ?

no, will test on https://github.com/nmaisonneuve/test_action_mcp tomorrow

this should also correct the error ? " Error occurred while parsing request parameters. "

ing request parameters. is something with falcon, i will check it .

[nmaisonneuve]

@seuros
Sorry the error is till there on https://github.com/nmaisonneuve/test_action_mcp

• I updated the gem with the latest gem
• created a db:seed task that create 2 users (one admin , the other one)
• the db:seed display also their related jwt token for the 2 users to be use with the MCP inspector.
  Can you check ?

[seuros]

Ok