ec2b666284
Continuous Integration / Pre-commit Linter (push) Waiting to run
Continuous Integration / Mypy Check (Python 3.10) (push) Waiting to run
Continuous Integration / Mypy Check (Python 3.11) (push) Waiting to run
Continuous Integration / Mypy Check (Python 3.12) (push) Waiting to run
Continuous Integration / Mypy Check (Python 3.13) (push) Waiting to run
Continuous Integration / Unit Tests (Python 3.10) (push) Waiting to run
Continuous Integration / Unit Tests (Python 3.11) (push) Waiting to run
Continuous Integration / Unit Tests (Python 3.12) (push) Waiting to run
Continuous Integration / Unit Tests (Python 3.13) (push) Waiting to run
Continuous Integration / Unit Tests (Python 3.14) (push) Waiting to run
Continuous Integration / A2A v0.3 Tests (Python 3.10) (push) Waiting to run
Continuous Integration / A2A v0.3 Tests (Python 3.11) (push) Waiting to run
Continuous Integration / A2A v0.3 Tests (Python 3.12) (push) Waiting to run
Continuous Integration / A2A v0.3 Tests (Python 3.13) (push) Waiting to run
Continuous Integration / A2A v0.3 Tests (Python 3.14) (push) Waiting to run
Copybara PR Handler / close-imported-pr (push) Waiting to run
121 lines
3.8 KiB
Python
121 lines
3.8 KiB
Python
# Copyright 2026 Google LLC
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
"""MCP Server that requires OAuth Bearer token for both tool listing and calling.
|
|
|
|
This server validates the Authorization header on every request including:
|
|
- Tool listing (list_tools endpoint)
|
|
- Tool calling (call_tool endpoint)
|
|
|
|
This is used to test the toolset authentication feature in ADK.
|
|
"""
|
|
|
|
from __future__ import annotations
|
|
|
|
import logging
|
|
|
|
from fastapi import FastAPI
|
|
from fastapi import HTTPException
|
|
from fastapi import Request
|
|
from mcp.server.fastmcp import Context
|
|
from mcp.server.fastmcp import FastMCP
|
|
import uvicorn
|
|
|
|
logging.basicConfig(level=logging.INFO)
|
|
logger = logging.getLogger('google_adk.' + __name__)
|
|
|
|
# Expected OAuth token for testing
|
|
VALID_TOKEN = 'test_access_token_12345'
|
|
|
|
# Create FastMCP server
|
|
mcp = FastMCP('OAuth Protected MCP Server', host='localhost', port=3001)
|
|
|
|
|
|
def validate_auth_header(request: Request) -> bool:
|
|
"""Validate the Authorization header contains a valid Bearer token."""
|
|
auth_header = request.headers.get('authorization', '')
|
|
if not auth_header.startswith('Bearer '):
|
|
logger.warning('Missing or invalid Authorization header: %s', auth_header)
|
|
return False
|
|
|
|
token = auth_header[7:] # Remove 'Bearer ' prefix
|
|
if token != VALID_TOKEN:
|
|
logger.warning('Invalid token: %s', token)
|
|
return False
|
|
|
|
logger.info('Valid token received')
|
|
return True
|
|
|
|
|
|
@mcp.tool(description='Get user profile information. Requires authentication.')
|
|
def get_user_profile(user_id: str, context: Context) -> dict:
|
|
"""Return user profile data for the given user ID."""
|
|
logger.info('get_user_profile called for user: %s', user_id)
|
|
|
|
if context.request_context and context.request_context.request:
|
|
if not validate_auth_header(context.request_context.request):
|
|
return {'error': 'Unauthorized - invalid or missing token'}
|
|
|
|
# Mock user data
|
|
users = {
|
|
'user1': {'id': 'user1', 'name': 'Alice', 'email': 'alice@example.com'},
|
|
'user2': {'id': 'user2', 'name': 'Bob', 'email': 'bob@example.com'},
|
|
}
|
|
|
|
if user_id in users:
|
|
return users[user_id]
|
|
return {'error': f'User {user_id} not found'}
|
|
|
|
|
|
@mcp.tool(description='List all available users. Requires authentication.')
|
|
def list_users(context: Context) -> dict:
|
|
"""Return a list of all users."""
|
|
logger.info('list_users called')
|
|
|
|
if context.request_context and context.request_context.request:
|
|
if not validate_auth_header(context.request_context.request):
|
|
return {'error': 'Unauthorized - invalid or missing token'}
|
|
|
|
return {
|
|
'users': [
|
|
{'id': 'user1', 'name': 'Alice'},
|
|
{'id': 'user2', 'name': 'Bob'},
|
|
]
|
|
}
|
|
|
|
|
|
# Create custom FastAPI app to add auth middleware for list_tools
|
|
app = FastAPI()
|
|
|
|
|
|
@app.middleware('http')
|
|
async def auth_middleware(request: Request, call_next):
|
|
"""Middleware to validate auth on all MCP endpoints."""
|
|
# Check if this is an MCP request
|
|
if request.url.path.startswith('/mcp'):
|
|
if not validate_auth_header(request):
|
|
raise HTTPException(status_code=401, detail='Unauthorized')
|
|
return await call_next(request)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
print(f'Starting OAuth Protected MCP server on http://localhost:3001')
|
|
print(f'Expected token: Bearer {VALID_TOKEN}')
|
|
print(
|
|
'This server requires authentication for both tool listing and calling.'
|
|
)
|
|
|
|
# Run with streamable-http transport
|
|
mcp.run(transport='streamable-http')
|