fastmcp 2.11.2__py3-none-any.whl → 2.12.0__py3-none-any.whl

fastmcp/server/auth/providers/google.py

@@ -0,0 +1,305 @@
+"""Google OAuth provider for FastMCP.
+
+This module provides a complete Google OAuth integration that's ready to use
+with just a client ID and client secret. It handles all the complexity of
+Google's OAuth flow, token validation, and user management.
+
+Example:
+    ```python
+    from fastmcp import FastMCP
+    from fastmcp.server.auth.providers.google import GoogleProvider
+
+    # Simple Google OAuth protection
+    auth = GoogleProvider(
+        client_id="your-google-client-id.apps.googleusercontent.com",
+        client_secret="your-google-client-secret"
+    )
+
+    mcp = FastMCP("My Protected Server", auth=auth)
+    ```
+"""
+
+from __future__ import annotations
+
+import time
+
+import httpx
+from pydantic import AnyHttpUrl, SecretStr, field_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+from fastmcp.server.auth import TokenVerifier
+from fastmcp.server.auth.auth import AccessToken
+from fastmcp.server.auth.oauth_proxy import OAuthProxy
+from fastmcp.server.auth.registry import register_provider
+from fastmcp.utilities.auth import parse_scopes
+from fastmcp.utilities.logging import get_logger
+from fastmcp.utilities.types import NotSet, NotSetT
+
+logger = get_logger(__name__)
+
+
+class GoogleProviderSettings(BaseSettings):
+    """Settings for Google OAuth provider."""
+
+    model_config = SettingsConfigDict(
+        env_prefix="FASTMCP_SERVER_AUTH_GOOGLE_",
+        env_file=".env",
+        extra="ignore",
+    )
+
+    client_id: str | None = None
+    client_secret: SecretStr | None = None
+    base_url: AnyHttpUrl | str | None = None
+    redirect_path: str | None = None
+    required_scopes: list[str] | None = None
+    timeout_seconds: int | None = None
+    resource_server_url: AnyHttpUrl | str | None = None
+    allowed_client_redirect_uris: list[str] | None = None
+
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, v):
+        return parse_scopes(v)
+
+
+class GoogleTokenVerifier(TokenVerifier):
+    """Token verifier for Google OAuth tokens.
+
+    Google OAuth tokens are opaque (not JWTs), so we verify them
+    by calling Google's tokeninfo API to check if they're valid and get user info.
+    """
+
+    def __init__(
+        self,
+        *,
+        required_scopes: list[str] | None = None,
+        timeout_seconds: int = 10,
+    ):
+        """Initialize the Google token verifier.
+
+        Args:
+            required_scopes: Required OAuth scopes (e.g., ['openid', 'email'])
+            timeout_seconds: HTTP request timeout
+        """
+        super().__init__(required_scopes=required_scopes)
+        self.timeout_seconds = timeout_seconds
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        """Verify Google OAuth token by calling Google's tokeninfo API."""
+        try:
+            async with httpx.AsyncClient(timeout=self.timeout_seconds) as client:
+                # Use Google's tokeninfo endpoint to validate the token
+                response = await client.get(
+                    "https://www.googleapis.com/oauth2/v1/tokeninfo",
+                    params={"access_token": token},
+                    headers={"User-Agent": "FastMCP-Google-OAuth"},
+                )
+
+                if response.status_code != 200:
+                    logger.debug(
+                        "Google token verification failed: %d",
+                        response.status_code,
+                    )
+                    return None
+
+                token_info = response.json()
+
+                # Check if token is expired
+                expires_in = token_info.get("expires_in")
+                if expires_in and int(expires_in) <= 0:
+                    logger.debug("Google token has expired")
+                    return None
+
+                # Extract scopes from token info
+                scope_string = token_info.get("scope", "")
+                token_scopes = [
+                    scope.strip() for scope in scope_string.split(" ") if scope.strip()
+                ]
+
+                # Check required scopes
+                if self.required_scopes:
+                    token_scopes_set = set(token_scopes)
+                    required_scopes_set = set(self.required_scopes)
+                    if not required_scopes_set.issubset(token_scopes_set):
+                        logger.debug(
+                            "Google token missing required scopes. Has %d, needs %d",
+                            len(token_scopes_set),
+                            len(required_scopes_set),
+                        )
+                        return None
+
+                # Get additional user info if we have the right scopes
+                user_data = {}
+                if "openid" in token_scopes or "profile" in token_scopes:
+                    try:
+                        userinfo_response = await client.get(
+                            "https://www.googleapis.com/oauth2/v2/userinfo",
+                            headers={
+                                "Authorization": f"Bearer {token}",
+                                "User-Agent": "FastMCP-Google-OAuth",
+                            },
+                        )
+                        if userinfo_response.status_code == 200:
+                            user_data = userinfo_response.json()
+                    except Exception as e:
+                        logger.debug("Failed to fetch Google user info: %s", e)
+
+                # Calculate expiration time
+                expires_at = None
+                if expires_in:
+                    expires_at = int(time.time() + int(expires_in))
+
+                # Create AccessToken with Google user info
+                access_token = AccessToken(
+                    token=token,
+                    client_id=token_info.get(
+                        "audience", "unknown"
+                    ),  # Use audience as client_id
+                    scopes=token_scopes,
+                    expires_at=expires_at,
+                    claims={
+                        "sub": user_data.get("id")
+                        or token_info.get("user_id", "unknown"),
+                        "email": user_data.get("email"),
+                        "name": user_data.get("name"),
+                        "picture": user_data.get("picture"),
+                        "given_name": user_data.get("given_name"),
+                        "family_name": user_data.get("family_name"),
+                        "locale": user_data.get("locale"),
+                        "google_user_data": user_data,
+                        "google_token_info": token_info,
+                    },
+                )
+                logger.debug("Google token verified successfully")
+                return access_token
+
+        except httpx.RequestError as e:
+            logger.debug("Failed to verify Google token: %s", e)
+            return None
+        except Exception as e:
+            logger.debug("Google token verification error: %s", e)
+            return None
+
+
+@register_provider("Google")
+class GoogleProvider(OAuthProxy):
+    """Complete Google OAuth provider for FastMCP.
+
+    This provider makes it trivial to add Google OAuth protection to any
+    FastMCP server. Just provide your Google OAuth app credentials and
+    a base URL, and you're ready to go.
+
+    Features:
+    - Transparent OAuth proxy to Google
+    - Automatic token validation via Google's tokeninfo API
+    - User information extraction from Google APIs
+    - Minimal configuration required
+
+    Example:
+        ```python
+        from fastmcp import FastMCP
+        from fastmcp.server.auth.providers.google import GoogleProvider
+
+        auth = GoogleProvider(
+            client_id="123456789.apps.googleusercontent.com",
+            client_secret="GOCSPX-abc123...",
+            base_url="https://my-server.com"  # Optional, defaults to http://localhost:8000
+        )
+
+        mcp = FastMCP("My App", auth=auth)
+        ```
+    """
+
+    def __init__(
+        self,
+        *,
+        client_id: str | NotSetT = NotSet,
+        client_secret: str | NotSetT = NotSet,
+        base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        redirect_path: str | NotSetT = NotSet,
+        required_scopes: list[str] | NotSetT = NotSet,
+        timeout_seconds: int | NotSetT = NotSet,
+        resource_server_url: AnyHttpUrl | str | NotSetT = NotSet,
+        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+    ):
+        """Initialize Google OAuth provider.
+
+        Args:
+            client_id: Google OAuth client ID (e.g., "123456789.apps.googleusercontent.com")
+            client_secret: Google OAuth client secret (e.g., "GOCSPX-abc123...")
+            base_url: Public URL of your FastMCP server (for OAuth callbacks)
+            redirect_path: Redirect path configured in Google OAuth app (defaults to "/auth/callback")
+            required_scopes: Required Google scopes (defaults to ["openid"]). Common scopes include:
+                - "openid" for OpenID Connect (default)
+                - "https://www.googleapis.com/auth/userinfo.email" for email access
+                - "https://www.googleapis.com/auth/userinfo.profile" for profile info
+            timeout_seconds: HTTP request timeout for Google API calls
+            allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
+                If None (default), all URIs are allowed. If empty list, no URIs are allowed.
+        """
+        settings = GoogleProviderSettings.model_validate(
+            {
+                k: v
+                for k, v in {
+                    "client_id": client_id,
+                    "client_secret": client_secret,
+                    "base_url": base_url,
+                    "redirect_path": redirect_path,
+                    "required_scopes": required_scopes,
+                    "timeout_seconds": timeout_seconds,
+                    "resource_server_url": resource_server_url,
+                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
+                }.items()
+                if v is not NotSet
+            }
+        )
+
+        # Validate required settings
+        if not settings.client_id:
+            raise ValueError(
+                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID"
+            )
+        if not settings.client_secret:
+            raise ValueError(
+                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET"
+            )
+
+        # Apply defaults
+        base_url_final = settings.base_url or "http://localhost:8000"
+        redirect_path_final = settings.redirect_path or "/auth/callback"
+        timeout_seconds_final = settings.timeout_seconds or 10
+        # Google requires at least one scope - openid is the minimal OIDC scope
+        required_scopes_final = settings.required_scopes or ["openid"]
+        resource_server_url_final = settings.resource_server_url or base_url_final
+        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
+
+        # Create Google token verifier
+        token_verifier = GoogleTokenVerifier(
+            required_scopes=required_scopes_final,
+            timeout_seconds=timeout_seconds_final,
+        )
+
+        # Extract secret string from SecretStr
+        client_secret_str = (
+            settings.client_secret.get_secret_value() if settings.client_secret else ""
+        )
+
+        # Initialize OAuth proxy with Google endpoints
+        super().__init__(
+            upstream_authorization_endpoint="https://accounts.google.com/o/oauth2/v2/auth",
+            upstream_token_endpoint="https://oauth2.googleapis.com/token",
+            upstream_client_id=settings.client_id,
+            upstream_client_secret=client_secret_str,
+            token_verifier=token_verifier,
+            base_url=base_url_final,
+            redirect_path=redirect_path_final,
+            issuer_url=base_url_final,  # We act as the issuer for client registration
+            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            resource_server_url=resource_server_url_final,
+        )
+
+        logger.info(
+            "Initialized Google OAuth provider for client %s with scopes: %s",
+            settings.client_id,
+            required_scopes_final,
+        )

fastmcp/server/auth/providers/jwt.py

@@ -11,13 +11,13 @@ from authlib.jose import JsonWebKey, JsonWebToken
 from authlib.jose.errors import JoseError
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
-from mcp.server.auth.provider import AccessToken
-from pydantic import AnyHttpUrl, SecretStr
+from pydantic import AnyHttpUrl, SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from typing_extensions import TypedDict
 
-from fastmcp.server.auth import TokenVerifier
+from fastmcp.server.auth import AccessToken, TokenVerifier
 from fastmcp.server.auth.registry import register_provider
+from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.types import NotSet, NotSetT
 
@@ -108,8 +108,6 @@ class RSAKeyPair:
             additional_claims: Any additional claims to include
             kid: Key ID to include in header
         """
-        import time
-
         # Create header
         header = {"alg": "RS256"}
         if kid:
@@ -158,21 +156,29 @@ class JWTVerifierSettings(BaseSettings):
     required_scopes: list[str] | None = None
     resource_server_url: AnyHttpUrl | str | None = None
 
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, v):
+        return parse_scopes(v)
+
 
 @register_provider("JWT")
 class JWTVerifier(TokenVerifier):
     """
-    JWT token verifier using public key or JWKS.
+    JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms.
 
-    This verifier validates JWT tokens signed by an external issuer. It's ideal for
-    scenarios where you have a centralized identity provider (like Auth0, Okta, or
-    your own OAuth server) that issues JWTs, and your FastMCP server acts as a
-    resource server validating those tokens.
+    This verifier validates JWT tokens using various signing algorithms:
+    - **Asymmetric algorithms** (RS256/384/512, ES256/384/512, PS256/384/512):
+      Uses public/private key pairs. Ideal for external clients and services where
+      only the authorization server has the private key.
+    - **Symmetric algorithms** (HS256/384/512): Uses a shared secret for both
+      signing and verification. Perfect for internal microservices and trusted
+      environments where the secret can be securely shared.
 
     Use this when:
-    - You have JWT tokens issued by an external service
-    - You want asymmetric key verification (public/private key pairs)
-    - You need JWKS support for automatic key rotation
+    - You have JWT tokens issued by an external service (asymmetric)
+    - You need JWKS support for automatic key rotation (asymmetric)
+    - You have internal microservices sharing a secret key (symmetric)
     - Your tokens contain standard OAuth scopes and claims
     """
 
@@ -191,11 +197,14 @@ class JWTVerifier(TokenVerifier):
         Initialize the JWT token verifier.
 
         Args:
-            public_key: PEM-encoded public key for verification
-            jwks_uri: URI to fetch JSON Web Key Set
+            public_key: For asymmetric algorithms (RS256, ES256, etc.): PEM-encoded public key.
+                       For symmetric algorithms (HS256, HS384, HS512): The shared secret string.
+            jwks_uri: URI to fetch JSON Web Key Set (only for asymmetric algorithms)
             issuer: Expected issuer claim
             audience: Expected audience claim(s)
-            algorithm: JWT signing algorithm (default: RS256)
+            algorithm: JWT signing algorithm. Supported algorithms:
+                      - Asymmetric: RS256/384/512, ES256/384/512, PS256/384/512 (default: RS256)
+                      - Symmetric: HS256, HS384, HS512
             required_scopes: Required scopes for all tokens
             resource_server_url: Resource server URL for TokenVerifier protocol
         """
@@ -448,6 +457,7 @@ class JWTVerifier(TokenVerifier):
                 client_id=str(client_id),
                 scopes=scopes,
                 expires_at=int(exp) if exp else None,
+                claims=claims,
             )
 
         except JoseError:
@@ -535,4 +545,5 @@ class StaticTokenVerifier(TokenVerifier):
             client_id=token_data["client_id"],
             scopes=scopes,
             expires_at=expires_at,
+            claims=token_data,
         )

fastmcp/server/auth/providers/workos.py

@@ -1,20 +1,269 @@
+"""WorkOS authentication providers for FastMCP.
+
+This module provides two WorkOS authentication strategies:
+
+1. WorkOSProvider - OAuth proxy for WorkOS Connect applications (non-DCR)
+2. AuthKitProvider - DCR-compliant provider for WorkOS AuthKit
+
+Choose based on your WorkOS setup and authentication requirements.
+"""
+
 from __future__ import annotations
 
 import httpx
-from pydantic import AnyHttpUrl
+from pydantic import AnyHttpUrl, SecretStr, field_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from starlette.responses import JSONResponse
 from starlette.routing import Route
 
-from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier
+from fastmcp.server.auth import AccessToken, RemoteAuthProvider, TokenVerifier
+from fastmcp.server.auth.oauth_proxy import OAuthProxy
 from fastmcp.server.auth.providers.jwt import JWTVerifier
 from fastmcp.server.auth.registry import register_provider
+from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
+class WorkOSProviderSettings(BaseSettings):
+    """Settings for WorkOS OAuth provider."""
+
+    model_config = SettingsConfigDict(
+        env_prefix="FASTMCP_SERVER_AUTH_WORKOS_",
+        env_file=".env",
+        extra="ignore",
+    )
+
+    client_id: str | None = None
+    client_secret: SecretStr | None = None
+    authkit_domain: str | None = None  # e.g., "https://your-app.authkit.app"
+    base_url: AnyHttpUrl | str | None = None
+    redirect_path: str | None = None
+    required_scopes: list[str] | None = None
+    timeout_seconds: int | None = None
+    resource_server_url: AnyHttpUrl | str | None = None
+    allowed_client_redirect_uris: list[str] | None = None
+
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, v):
+        return parse_scopes(v)
+
+
+class WorkOSTokenVerifier(TokenVerifier):
+    """Token verifier for WorkOS OAuth tokens.
+
+    WorkOS AuthKit tokens are opaque, so we verify them by calling
+    the /oauth2/userinfo endpoint to check validity and get user info.
+    """
+
+    def __init__(
+        self,
+        *,
+        authkit_domain: str,
+        required_scopes: list[str] | None = None,
+        timeout_seconds: int = 10,
+    ):
+        """Initialize the WorkOS token verifier.
+
+        Args:
+            authkit_domain: WorkOS AuthKit domain (e.g., "https://your-app.authkit.app")
+            required_scopes: Required OAuth scopes
+            timeout_seconds: HTTP request timeout
+        """
+        super().__init__(required_scopes=required_scopes)
+        self.authkit_domain = authkit_domain.rstrip("/")
+        self.timeout_seconds = timeout_seconds
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        """Verify WorkOS OAuth token by calling userinfo endpoint."""
+        try:
+            async with httpx.AsyncClient(timeout=self.timeout_seconds) as client:
+                # Use WorkOS AuthKit userinfo endpoint to validate token
+                response = await client.get(
+                    f"{self.authkit_domain}/oauth2/userinfo",
+                    headers={
+                        "Authorization": f"Bearer {token}",
+                        "User-Agent": "FastMCP-WorkOS-OAuth",
+                    },
+                )
+
+                if response.status_code != 200:
+                    logger.debug(
+                        "WorkOS token verification failed: %d - %s",
+                        response.status_code,
+                        response.text[:200],
+                    )
+                    return None
+
+                user_data = response.json()
+
+                # Create AccessToken with WorkOS user info
+                return AccessToken(
+                    token=token,
+                    client_id=str(user_data.get("sub", "unknown")),
+                    scopes=self.required_scopes or [],
+                    expires_at=None,  # Will be set from token introspection if needed
+                    claims={
+                        "sub": user_data.get("sub"),
+                        "email": user_data.get("email"),
+                        "email_verified": user_data.get("email_verified"),
+                        "name": user_data.get("name"),
+                        "given_name": user_data.get("given_name"),
+                        "family_name": user_data.get("family_name"),
+                    },
+                )
+
+        except httpx.RequestError as e:
+            logger.debug("Failed to verify WorkOS token: %s", e)
+            return None
+        except Exception as e:
+            logger.debug("WorkOS token verification error: %s", e)
+            return None
+
+
+@register_provider("WORKOS")
+class WorkOSProvider(OAuthProxy):
+    """Complete WorkOS OAuth provider for FastMCP.
+
+    This provider implements WorkOS AuthKit OAuth using the OAuth Proxy pattern.
+    It provides OAuth2 authentication for users through WorkOS Connect applications.
+
+    Features:
+    - Transparent OAuth proxy to WorkOS AuthKit
+    - Automatic token validation via userinfo endpoint
+    - User information extraction from ID tokens
+    - Support for standard OAuth scopes (openid, profile, email)
+
+    Setup Requirements:
+    1. Create a WorkOS Connect application in your dashboard
+    2. Note your AuthKit domain (e.g., "https://your-app.authkit.app")
+    3. Configure redirect URI as: http://localhost:8000/auth/callback
+    4. Note your Client ID and Client Secret
+
+    Example:
+        ```python
+        from fastmcp import FastMCP
+        from fastmcp.server.auth.providers.workos import WorkOSProvider
+
+        auth = WorkOSProvider(
+            client_id="client_123",
+            client_secret="sk_test_456",
+            authkit_domain="https://your-app.authkit.app",
+            base_url="http://localhost:8000"
+        )
+
+        mcp = FastMCP("My App", auth=auth)
+        ```
+    """
+
+    def __init__(
+        self,
+        *,
+        client_id: str | NotSetT = NotSet,
+        client_secret: str | NotSetT = NotSet,
+        authkit_domain: str | NotSetT = NotSet,
+        base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        redirect_path: str | NotSetT = NotSet,
+        required_scopes: list[str] | None | NotSetT = NotSet,
+        timeout_seconds: int | NotSetT = NotSet,
+        resource_server_url: AnyHttpUrl | str | NotSetT = NotSet,
+        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+    ):
+        """Initialize WorkOS OAuth provider.
+
+        Args:
+            client_id: WorkOS client ID
+            client_secret: WorkOS client secret
+            authkit_domain: Your WorkOS AuthKit domain (e.g., "https://your-app.authkit.app")
+            base_url: Public URL of your FastMCP server (for OAuth callbacks)
+            redirect_path: Redirect path configured in WorkOS (defaults to "/auth/callback")
+            required_scopes: Required OAuth scopes (no default)
+            timeout_seconds: HTTP request timeout for WorkOS API calls
+            resource_server_url: Path of the FastMCP server (defaults to base_url). If your MCP endpoint is at
+                a different path like {base_url}/mcp, specify it here for RFC 8707 compliance.
+            allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
+                If None (default), all URIs are allowed. If empty list, no URIs are allowed.
+        """
+        settings = WorkOSProviderSettings.model_validate(
+            {
+                k: v
+                for k, v in {
+                    "client_id": client_id,
+                    "client_secret": client_secret,
+                    "authkit_domain": authkit_domain,
+                    "base_url": base_url,
+                    "redirect_path": redirect_path,
+                    "required_scopes": required_scopes,
+                    "timeout_seconds": timeout_seconds,
+                    "resource_server_url": resource_server_url,
+                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
+                }.items()
+                if v is not NotSet
+            }
+        )
+
+        # Validate required settings
+        if not settings.client_id:
+            raise ValueError(
+                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_CLIENT_ID"
+            )
+        if not settings.client_secret:
+            raise ValueError(
+                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_CLIENT_SECRET"
+            )
+        if not settings.authkit_domain:
+            raise ValueError(
+                "authkit_domain is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_AUTHKIT_DOMAIN"
+            )
+
+        # Apply defaults and ensure authkit_domain is a full URL
+        authkit_domain_str = settings.authkit_domain
+        if not authkit_domain_str.startswith(("http://", "https://")):
+            authkit_domain_str = f"https://{authkit_domain_str}"
+        authkit_domain_final = authkit_domain_str.rstrip("/")
+        base_url_final = settings.base_url or "http://localhost:8000"
+        redirect_path_final = settings.redirect_path or "/auth/callback"
+        timeout_seconds_final = settings.timeout_seconds or 10
+        scopes_final = settings.required_scopes or []
+        resource_server_url_final = settings.resource_server_url or base_url_final
+        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
+
+        # Extract secret string from SecretStr
+        client_secret_str = (
+            settings.client_secret.get_secret_value() if settings.client_secret else ""
+        )
+
+        # Create WorkOS token verifier
+        token_verifier = WorkOSTokenVerifier(
+            authkit_domain=authkit_domain_final,
+            required_scopes=scopes_final,
+            timeout_seconds=timeout_seconds_final,
+        )
+
+        # Initialize OAuth proxy with WorkOS AuthKit endpoints
+        super().__init__(
+            upstream_authorization_endpoint=f"{authkit_domain_final}/oauth2/authorize",
+            upstream_token_endpoint=f"{authkit_domain_final}/oauth2/token",
+            upstream_client_id=settings.client_id,
+            upstream_client_secret=client_secret_str,
+            token_verifier=token_verifier,
+            base_url=base_url_final,
+            redirect_path=redirect_path_final,
+            issuer_url=base_url_final,
+            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            resource_server_url=resource_server_url_final,
+        )
+
+        logger.info(
+            "Initialized WorkOS OAuth provider for client %s with AuthKit domain %s",
+            settings.client_id,
+            authkit_domain_final,
+        )
+
+
 class AuthKitProviderSettings(BaseSettings):
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_",
@@ -26,6 +275,11 @@ class AuthKitProviderSettings(BaseSettings):
     base_url: AnyHttpUrl
     required_scopes: list[str] | None = None
 
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, v):
+        return parse_scopes(v)
+
 
 @register_provider("AUTHKIT")
 class AuthKitProvider(RemoteAuthProvider):