60e0ffc959
Upgrade checks / Notify on failure (push) Has been cancelled
Upgrade checks / Close issue on success (push) Has been cancelled
Schema Crash Test / Real-world schema crash test (232K schemas) (push) Has been cancelled
Run static analysis / static_analysis (push) Has been cancelled
Tests / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Tests / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Tests / Tests with lowest-direct dependencies (push) Has been cancelled
Tests / MCP conformance tests (push) Has been cancelled
Tests / Integration tests (push) Has been cancelled
Tests / Package install smoke (push) Has been cancelled
Upgrade checks / Static analysis (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.13 on ubuntu-latest (push) Has been cancelled
Upgrade checks / Tests: Python 3.10 on windows-latest (push) Has been cancelled
Upgrade checks / Integration tests (push) Has been cancelled
Update MCPServerConfig Schema / update-config-schema (push) Has been cancelled
Update SDK Documentation / update-sdk-docs (push) Has been cancelled
426 lines
16 KiB
Python
426 lines
16 KiB
Python
"""Tests for OIDC Proxy verify_id_token functionality."""
|
|
|
|
from unittest.mock import patch
|
|
|
|
import pytest
|
|
from pydantic import AnyHttpUrl
|
|
|
|
from fastmcp.server.auth.oauth_proxy.models import UpstreamTokenSet
|
|
from fastmcp.server.auth.oidc_proxy import OIDCConfiguration, OIDCProxy
|
|
from fastmcp.server.auth.providers.introspection import IntrospectionTokenVerifier
|
|
from fastmcp.server.auth.providers.jwt import JWTVerifier
|
|
|
|
TEST_ISSUER = "https://example.com"
|
|
TEST_AUTHORIZATION_ENDPOINT = "https://example.com/authorize"
|
|
TEST_TOKEN_ENDPOINT = "https://example.com/oauth/token"
|
|
|
|
TEST_CONFIG_URL = AnyHttpUrl("https://example.com/.well-known/openid-configuration")
|
|
TEST_CLIENT_ID = "test-client-id"
|
|
TEST_CLIENT_SECRET = "test-client-secret"
|
|
TEST_BASE_URL = AnyHttpUrl("https://example.com:8000/")
|
|
|
|
|
|
# =============================================================================
|
|
# Shared Fixtures
|
|
# =============================================================================
|
|
|
|
|
|
@pytest.fixture
|
|
def valid_oidc_configuration_dict():
|
|
"""Create a valid OIDC configuration dict for testing."""
|
|
return {
|
|
"issuer": TEST_ISSUER,
|
|
"authorization_endpoint": TEST_AUTHORIZATION_ENDPOINT,
|
|
"token_endpoint": TEST_TOKEN_ENDPOINT,
|
|
"jwks_uri": "https://example.com/.well-known/jwks.json",
|
|
"response_types_supported": ["code"],
|
|
"subject_types_supported": ["public"],
|
|
"id_token_signing_alg_values_supported": ["RS256"],
|
|
}
|
|
|
|
|
|
# =============================================================================
|
|
# Test Helpers
|
|
# =============================================================================
|
|
|
|
|
|
def _make_upstream_token_set(*, id_token: str | None = None) -> UpstreamTokenSet:
|
|
"""Create an UpstreamTokenSet with optional id_token."""
|
|
raw_token_data: dict[str, str] = {"access_token": "opaque-access-token"}
|
|
if id_token is not None:
|
|
raw_token_data["id_token"] = id_token
|
|
return UpstreamTokenSet(
|
|
upstream_token_id="test-id",
|
|
access_token="opaque-access-token",
|
|
refresh_token=None,
|
|
refresh_token_expires_at=None,
|
|
expires_at=9999999999.0,
|
|
token_type="Bearer",
|
|
scope="openid",
|
|
client_id="test-client",
|
|
created_at=1000000000.0,
|
|
raw_token_data=raw_token_data,
|
|
)
|
|
|
|
|
|
# =============================================================================
|
|
# Test Classes
|
|
# =============================================================================
|
|
|
|
|
|
class TestVerifyIdToken:
|
|
"""Tests for verify_id_token functionality."""
|
|
|
|
def test_verify_id_token_disabled_by_default(self, valid_oidc_configuration_dict):
|
|
"""Default behavior: verify the access_token."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
)
|
|
token_set = _make_upstream_token_set(id_token="jwt-id-token")
|
|
|
|
assert proxy._get_verification_token(token_set) == "opaque-access-token"
|
|
|
|
def test_verify_id_token_returns_id_token(self, valid_oidc_configuration_dict):
|
|
"""When enabled, verify the id_token instead of access_token."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
token_set = _make_upstream_token_set(id_token="jwt-id-token")
|
|
|
|
assert proxy._get_verification_token(token_set) == "jwt-id-token"
|
|
|
|
def test_verify_id_token_returns_none_when_missing(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""When enabled but id_token is absent, return None."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
token_set = _make_upstream_token_set(id_token=None)
|
|
|
|
assert proxy._get_verification_token(token_set) is None
|
|
|
|
def test_verify_id_token_works_with_custom_verifier(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""verify_id_token can be combined with a custom token_verifier."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
custom_verifier = IntrospectionTokenVerifier(
|
|
introspection_url="https://example.com/oauth/introspect",
|
|
client_id="introspection-client",
|
|
client_secret="introspection-secret",
|
|
)
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
token_verifier=custom_verifier,
|
|
)
|
|
token_set = _make_upstream_token_set(id_token="jwt-id-token")
|
|
|
|
assert proxy._get_verification_token(token_set) == "jwt-id-token"
|
|
assert proxy._token_validator is custom_verifier
|
|
|
|
def test_verify_id_token_survives_refresh_without_id_token(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""id_token from original auth is preserved when refresh omits it."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
token_set = _make_upstream_token_set(id_token="original-id-token")
|
|
|
|
# Simulate a refresh response that omits id_token —
|
|
# the merge in exchange_refresh_token should preserve it
|
|
refresh_response = {
|
|
"access_token": "new-access-token",
|
|
"token_type": "Bearer",
|
|
}
|
|
token_set.raw_token_data = {**token_set.raw_token_data, **refresh_response}
|
|
token_set.access_token = "new-access-token"
|
|
|
|
assert proxy._get_verification_token(token_set) == "original-id-token"
|
|
|
|
def test_verify_id_token_updated_when_refresh_includes_it(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""id_token is updated when refresh response includes a new one."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
token_set = _make_upstream_token_set(id_token="original-id-token")
|
|
|
|
# Simulate a refresh response that includes a new id_token
|
|
refresh_response = {
|
|
"access_token": "new-access-token",
|
|
"id_token": "refreshed-id-token",
|
|
}
|
|
token_set.raw_token_data = {**token_set.raw_token_data, **refresh_response}
|
|
token_set.access_token = "new-access-token"
|
|
|
|
assert proxy._get_verification_token(token_set) == "refreshed-id-token"
|
|
|
|
def test_verify_id_token_uses_client_id_as_verifier_audience(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""When verify_id_token is enabled, the verifier audience should be
|
|
client_id (matching id_token.aud), not the API audience parameter."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
audience="https://api.example.com",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
assert isinstance(proxy._token_validator, JWTVerifier)
|
|
assert proxy._token_validator.audience == TEST_CLIENT_ID
|
|
|
|
# The API audience should still be sent upstream
|
|
assert (
|
|
proxy._extra_authorize_params["audience"] == "https://api.example.com"
|
|
)
|
|
assert proxy._extra_token_params["audience"] == "https://api.example.com"
|
|
|
|
def test_verify_id_token_without_audience_uses_client_id(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""When verify_id_token is enabled without an audience param,
|
|
the verifier audience should still be client_id."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
assert isinstance(proxy._token_validator, JWTVerifier)
|
|
assert proxy._token_validator.audience == TEST_CLIENT_ID
|
|
|
|
def test_verify_id_token_does_not_enforce_scopes_on_verifier(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""When verify_id_token is enabled, required_scopes should not be
|
|
passed to the JWTVerifier since id_tokens don't carry scope claims."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
required_scopes=["read", "write"],
|
|
verify_id_token=True,
|
|
)
|
|
|
|
assert isinstance(proxy._token_validator, JWTVerifier)
|
|
assert proxy._token_validator.required_scopes == []
|
|
|
|
# Scopes should still be advertised via the proxy's required_scopes
|
|
assert proxy.required_scopes == ["read", "write"]
|
|
|
|
# Derived scope state should also be recomputed
|
|
assert proxy._default_scope_str == "read write"
|
|
assert proxy.client_registration_options is not None
|
|
assert proxy.client_registration_options.valid_scopes == [
|
|
"read",
|
|
"write",
|
|
]
|
|
|
|
|
|
class TestUsesAlternateVerification:
|
|
"""Tests for _uses_alternate_verification intent-based flag."""
|
|
|
|
def test_disabled_by_default(self, valid_oidc_configuration_dict):
|
|
"""OIDCProxy without verify_id_token returns False."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
)
|
|
|
|
assert proxy._uses_alternate_verification() is False
|
|
|
|
def test_enabled_with_verify_id_token(self, valid_oidc_configuration_dict):
|
|
"""OIDCProxy with verify_id_token=True returns True."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
assert proxy._uses_alternate_verification() is True
|
|
|
|
def test_scope_patch_applied_when_tokens_identical(
|
|
self, valid_oidc_configuration_dict
|
|
):
|
|
"""Regression test: scopes must be patched even when id_token and
|
|
access_token carry the same JWT value (fixes #3461)."""
|
|
with patch(
|
|
"fastmcp.server.auth.oidc_proxy.OIDCConfiguration.get_oidc_configuration"
|
|
) as mock_get:
|
|
oidc_config = OIDCConfiguration.model_validate(
|
|
valid_oidc_configuration_dict
|
|
)
|
|
mock_get.return_value = oidc_config
|
|
|
|
proxy = OIDCProxy(
|
|
config_url=TEST_CONFIG_URL,
|
|
client_id=TEST_CLIENT_ID,
|
|
client_secret=TEST_CLIENT_SECRET,
|
|
base_url=TEST_BASE_URL,
|
|
jwt_signing_key="test-secret",
|
|
verify_id_token=True,
|
|
)
|
|
|
|
# Same JWT for both access_token and id_token — the scenario
|
|
# that triggered the bug.
|
|
same_jwt = "eyJhbGciOiJSUzI1NiJ9.identical-token"
|
|
token_set = UpstreamTokenSet(
|
|
upstream_token_id="test-id",
|
|
access_token=same_jwt,
|
|
refresh_token=None,
|
|
refresh_token_expires_at=None,
|
|
expires_at=9999999999.0,
|
|
token_type="Bearer",
|
|
scope="openid offline_access",
|
|
client_id="test-client",
|
|
created_at=1000000000.0,
|
|
raw_token_data={
|
|
"access_token": same_jwt,
|
|
"id_token": same_jwt,
|
|
},
|
|
)
|
|
|
|
# _uses_alternate_verification should be True regardless of
|
|
# token value equality
|
|
assert proxy._uses_alternate_verification() is True
|
|
# _get_verification_token returns the id_token (same value)
|
|
assert proxy._get_verification_token(token_set) == same_jwt
|
|
# The key point: even though the tokens are equal, the intent
|
|
# flag ensures load_access_token will patch scopes
|