actionmcp 0.52.2 → 0.53.0

data/lib/action_mcp/omniauth/mcp_strategy.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
+
+module ActionMCP
+  module Omniauth
+    # MCP-specific Omniauth strategy for OAuth 2.1 authentication
+    # This strategy integrates with ActionMCP's configuration system and provider interface
+    class MCPStrategy < ::OmniAuth::Strategies::OAuth2
+      # Strategy name used in configuration
+      option :name, "mcp"
+
+      # Default OAuth options with MCP-specific settings
+      option :client_options, {
+        authorize_url: "/oauth/authorize",
+        token_url: "/oauth/token",
+        auth_scheme: :request_body
+      }
+
+      # OAuth 2.1 compliance - PKCE is required
+      option :pkce, true
+
+      # Default scopes for MCP access
+      option :scope, "mcp:tools mcp:resources mcp:prompts"
+
+      # Use authorization code grant flow
+      option :response_type, "code"
+
+      # OAuth server metadata discovery
+      option :discovery, true
+
+      def initialize(app, *args, &block)
+        super
+
+        # Load configuration from ActionMCP if available
+        configure_from_mcp_config if defined?(ActionMCP)
+      end
+
+      # User info from OAuth token response or userinfo endpoint
+      def raw_info
+        @raw_info ||= begin
+          if options.userinfo_url
+            access_token.get(options.userinfo_url).parsed
+          else
+            # Extract user info from token response or use minimal info
+            token_response = access_token.token
+            {
+              "sub" => access_token.params["user_id"] || access_token.token,
+              "scope" => access_token.params["scope"] || options.scope
+            }
+          end
+        end
+      rescue ::OAuth2::Error => e
+        log(:error, "Failed to fetch user info: #{e.message}")
+        {}
+      end
+
+      # User ID for Omniauth
+      uid { raw_info["sub"] || raw_info["user_id"] }
+
+      # User info hash
+      info do
+        {
+          name: raw_info["name"],
+          email: raw_info["email"],
+          username: raw_info["username"] || raw_info["preferred_username"]
+        }
+      end
+
+      # Extra credentials and token info
+      extra do
+        {
+          "raw_info" => raw_info,
+          "scope" => access_token.params["scope"],
+          "token_type" => access_token.params["token_type"] || "Bearer"
+        }
+      end
+
+      # OAuth server metadata discovery
+      def discovery_info
+        @discovery_info ||= begin
+          if options.discovery && options.client_options.site
+            discovery_url = "#{options.client_options.site}/.well-known/oauth-authorization-server"
+            response = client.request(:get, discovery_url)
+            JSON.parse(response.body)
+          end
+        rescue StandardError => e
+          log(:warn, "OAuth discovery failed: #{e.message}")
+          {}
+        end
+      end
+
+      # Override client to use discovered endpoints if available
+      def client
+        @client ||= begin
+          if discovery_info.any?
+            options.client_options.merge!(
+              authorize_url: discovery_info["authorization_endpoint"],
+              token_url: discovery_info["token_endpoint"]
+            ) if discovery_info["authorization_endpoint"] && discovery_info["token_endpoint"]
+          end
+          super
+        end
+      end
+
+      # Token validation for API requests (not callback flow)
+      def self.validate_token(token, options = {})
+        strategy = new(nil, options)
+        strategy.validate_token(token)
+      end
+
+      def validate_token(token)
+        # Validate access token with OAuth server
+        return nil unless token
+
+        begin
+          response = client.request(:post, options.introspection_url || "/oauth/introspect", {
+            body: { token: token },
+            headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+          })
+
+          token_info = JSON.parse(response.body)
+          return nil unless token_info["active"]
+
+          token_info
+        rescue StandardError => e
+          log(:error, "Token validation failed: #{e.message}")
+          nil
+        end
+      end
+
+      private
+
+      # Configure strategy from ActionMCP configuration
+      def configure_from_mcp_config
+        oauth_config = ActionMCP.configuration.oauth_config
+        return unless oauth_config.is_a?(Hash)
+
+        # Set client options from MCP config
+        if oauth_config["issuer_url"]
+          options.client_options[:site] = oauth_config["issuer_url"]
+        end
+
+        if oauth_config["client_id"]
+          options.client_id = oauth_config["client_id"]
+        end
+
+        if oauth_config["client_secret"]
+          options.client_secret = oauth_config["client_secret"]
+        end
+
+        if oauth_config["scopes_supported"]
+          options.scope = Array(oauth_config["scopes_supported"]).join(" ")
+        end
+
+        # Enable PKCE if required (OAuth 2.1 compliance)
+        if oauth_config["pkce_required"]
+          options.pkce = true
+        end
+
+        # Set userinfo endpoint if provided
+        if oauth_config["userinfo_endpoint"]
+          options.userinfo_url = oauth_config["userinfo_endpoint"]
+        end
+
+        # Set token introspection endpoint
+        if oauth_config["introspection_endpoint"]
+          options.introspection_url = oauth_config["introspection_endpoint"]
+        end
+      end
+    end
+  end
+end
+
+# Register the strategy with Omniauth
+OmniAuth.config.add_camelization "mcp", "MCP"

data/lib/action_mcp/version.rb

@@ -2,7 +2,7 @@
 
 require_relative "gem_version"
 module ActionMCP
-  VERSION = "0.52.2"
+  VERSION = "0.53.0"
 
   class << self
     alias version gem_version

data/lib/action_mcp.rb

@@ -13,6 +13,10 @@ require "action_mcp/log_subscriber"
 require "action_mcp/engine"
 require "zeitwerk"
 
+# OAuth 2.1 support via Omniauth
+require "omniauth"
+require "omniauth-oauth2"
+
 lib = File.dirname(__FILE__)
 
 Zeitwerk::Loader.for_gem.tap do |loader|
@@ -25,8 +29,9 @@ Zeitwerk::Loader.for_gem.tap do |loader|
 
   loader.inflector.inflect("action_mcp" => "ActionMCP")
   loader.inflector.inflect("sse_client" => "SSEClient")
-  loader.inflector.inflect("sse_server" => "SSEServer")
   loader.inflector.inflect("sse_listener" => "SSEListener")
+  loader.inflector.inflect("oauth" => "OAuth")
+  loader.inflector.inflect("mcp_strategy" => "MCPStrategy")
 end.setup
 
 module ActionMCP

data/lib/generators/action_mcp/config/templates/mcp.yml

@@ -1,9 +1,41 @@
 # ActionMCP Configuration
-# This file contains configuration for the ActionMCP pub/sub system.
-# Different environments can use different adapters.
+# This file contains configuration for the ActionMCP server including
+# authentication, profiles, and pub/sub system settings.
 
 development:
-  # In-memory adapter for development
+  # Authentication configuration - array of methods to try in order
+  authentication: ["none"]  # No authentication required for development
+  
+  # OAuth configuration (if using OAuth authentication)
+  # oauth:
+  #   provider: "demo_oauth_provider"
+  #   scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
+  #   enable_dynamic_registration: true
+  #   enable_token_revocation: true
+  #   pkce_required: true
+  
+  # MCP capability profiles
+  profiles:
+    primary:
+      tools: ["all"]
+      prompts: ["all"] 
+      resources: ["all"]
+      options:
+        list_changed: false
+        logging_enabled: true
+        resources_subscribe: false
+        
+    minimal:
+      tools: []
+      prompts: []
+      resources: []
+      options:
+        list_changed: false
+        logging_enabled: false
+        logging_level: :warn
+        resources_subscribe: false
+
+  # Pub/sub adapter configuration
   adapter: simple
   # Thread pool configuration (optional)
   # min_threads: 5     # Minimum number of threads in the pool
@@ -11,10 +43,46 @@ development:
   # max_queue: 100     # Maximum number of tasks that can be queued
 
 test:
+  # JWT authentication for testing
+  authentication: ["jwt"]
+  
+  profiles:
+    primary:
+      tools: ["all"]
+      prompts: ["all"]
+      resources: ["all"]
+      
   # Test adapter for testing
   adapter: test
 
 production:
+  # Multiple authentication methods - try OAuth first, fallback to JWT
+  authentication: ["oauth", "jwt"]
+  
+  # OAuth configuration for production
+  oauth:
+    provider: "application_oauth_provider"  # Your custom provider class
+    scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
+    enable_dynamic_registration: true
+    enable_token_revocation: true
+    pkce_required: true
+    # issuer_url: <%= ENV.fetch("OAUTH_ISSUER_URL") { "https://yourapp.com" } %>
+  
+  profiles:
+    primary:
+      tools: ["all"]
+      prompts: ["all"]
+      resources: ["all"]
+      options:
+        list_changed: false
+        logging_enabled: true
+        resources_subscribe: false
+        
+    external_clients:
+      tools: ["WeatherForecastTool"]  # Limited tool access for external clients
+      prompts: []
+      resources: []
+  
   # Choose one of the following adapters:
   
   # 1. Database-backed adapter (recommended)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actionmcp
 version: !ruby/object:Gem::Version
-  version: 0.52.2
+  version: 0.53.0
 platform: ruby
 authors:
 - Abdelkader Boudih
@@ -107,6 +107,76 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.10'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.7'
+- !ruby/object:Gem::Dependency
+  name: pkce_challenge
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: It offers base classes and helpers for creating MCP applications, making
   it easier to integrate your Ruby/Rails application with the MCP standard
 email:
@@ -120,6 +190,8 @@ files:
 - README.md
 - Rakefile
 - app/controllers/action_mcp/application_controller.rb
+- app/controllers/action_mcp/oauth/endpoints_controller.rb
+- app/controllers/action_mcp/oauth/metadata_controller.rb
 - app/models/action_mcp.rb
 - app/models/action_mcp/application_record.rb
 - app/models/action_mcp/session.rb
@@ -131,6 +203,7 @@ files:
 - app/models/concerns/mcp_message_inspect.rb
 - config/routes.rb
 - db/migrate/20250512154359_consolidated_migration.rb
+- db/migrate/20250608112101_add_oauth_to_sessions.rb
 - exe/actionmcp_cli
 - lib/action_mcp.rb
 - lib/action_mcp/base_response.rb
@@ -145,6 +218,8 @@ files:
 - lib/action_mcp/client/json_rpc_handler.rb
 - lib/action_mcp/client/logging.rb
 - lib/action_mcp/client/messaging.rb
+- lib/action_mcp/client/oauth_client_provider.rb
+- lib/action_mcp/client/oauth_client_provider/memory_storage.rb
 - lib/action_mcp/client/prompt_book.rb
 - lib/action_mcp/client/prompts.rb
 - lib/action_mcp/client/request_timeouts.rb
@@ -181,6 +256,11 @@ files:
 - lib/action_mcp/jwt_decoder.rb
 - lib/action_mcp/log_subscriber.rb
 - lib/action_mcp/logging.rb
+- lib/action_mcp/oauth/error.rb
+- lib/action_mcp/oauth/memory_storage.rb
+- lib/action_mcp/oauth/middleware.rb
+- lib/action_mcp/oauth/provider.rb
+- lib/action_mcp/omniauth/mcp_strategy.rb
 - lib/action_mcp/prompt.rb
 - lib/action_mcp/prompt_response.rb
 - lib/action_mcp/prompts_registry.rb