mcp-authkit 0.2.1__tar.gz → 0.2.3__tar.gz

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-authkit
-Version: 0.2.1
+Version: 0.2.3
 Summary: Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers
 License: MIT
 Project-URL: Homepage, https://github.com/masterela/mcp-authkit

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/mcp_authkit.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-authkit
-Version: 0.2.1
+Version: 0.2.3
 Summary: Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers
 License: MIT
 Project-URL: Homepage, https://github.com/masterela/mcp-authkit

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/mcpauthkit/auth_routes.py

@@ -24,6 +24,7 @@ from __future__ import annotations
 
 import logging
 import time
+from urllib.parse import urlencode
 
 import httpx
 from fastapi import APIRouter, Request
@@ -37,6 +38,7 @@ def oauth_meta_router(
     server_base_url: str,
     issuer_url: str,
     client_id: str,
+    extra_authorize_params: dict[str, str] | None = None,
 ) -> APIRouter:
     """
     Return an ``APIRouter`` with well-known OAuth metadata routes and a DCR
@@ -52,6 +54,26 @@ def oauth_meta_router(
         ``"https://login.microsoftonline.com/{tenant}/v2.0"``.
     client_id
         Pre-registered public client ID returned by the DCR façade.
+    extra_authorize_params
+        Optional extra query parameters appended to the
+        ``authorization_endpoint`` in the
+        ``/.well-known/oauth-authorization-server`` response.  MCP clients
+        read that URL and use it verbatim when redirecting the user to the
+        OIDC provider, so any hint placed here is automatically forwarded.
+
+        Use this for provider-specific routing parameters that fall outside
+        the standard OAuth 2.0 / OIDC spec.  For example, Okta's ``idp``
+        parameter bypasses the Okta login page and routes users directly to
+        a configured external Identity Provider::
+
+            app.include_router(oauth_meta_router(
+                server_base_url=settings.server_base_url,
+                issuer_url="https://your-org.okta.com/oauth2/default",
+                client_id=settings.okta_client_id,
+                extra_authorize_params={"idp": "0oaz2r21a8RBmZyOL0h7"},
+            ))
+
+        Default: ``None`` (no extra params — fully retro-compatible).
     """
     router = APIRouter()
     base = server_base_url.rstrip("/")
@@ -85,6 +107,10 @@ def oauth_meta_router(
         except Exception as exc:
             logger.warning("Could not fetch OIDC metadata: %s", exc)
 
+        if extra_authorize_params:
+            sep = "&" if "?" in auth_ep else "?"
+            auth_ep += sep + urlencode(extra_authorize_params)
+
         return JSONResponse(
             {
                 "issuer": base,

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/mcpauthkit/providers/oauth_provider.py

@@ -208,10 +208,11 @@ class OAuthProvider:
         refresh_token_fn: Callable[..., Coroutine[Any, Any, ExchangeResult]] | None = None,
         token_timeout: float = 120.0,
         http_verify: bool | ssl.SSLContext | str = True,
+        extra_authorize_params: dict[str, str] | None = None,
     ) -> OAuthProvider:
         """
         Convenience factory for any standard OAuth2 Authorization Code provider
-        (GitHub, Google, Jira, Entra, etc.).
+        (GitHub, Google, Jira, Entra, Okta, etc.).
 
         Builds ``build_auth_url`` and ``exchange_code`` internally from standard
         OAuth2 endpoints so the caller only needs to supply configuration::
@@ -242,6 +243,25 @@ class OAuthProvider:
             Space-separated scope string.
         http_verify
             Passed as ``verify=`` to httpx for the token exchange request.
+        extra_authorize_params
+            Optional extra query parameters appended to every authorization URL.
+            Use this for provider-specific routing hints that are not part of the
+            standard OAuth2 spec.  For example, Okta supports an ``idp`` parameter
+            to bypass its login page and route users directly to a configured
+            external Identity Provider::
+
+                okta = OAuthProvider.from_standard_oauth2(
+                    name="okta",
+                    authorization_url="https://your-org.okta.com/oauth2/default/v1/authorize",
+                    token_url="https://your-org.okta.com/oauth2/default/v1/token",
+                    ...
+                    extra_authorize_params={"idp": "0oaz2r21a8RBmZyOL0h7"},
+                )
+
+            These parameters are merged into the standard ones
+            (``client_id``, ``redirect_uri``, ``scope``, ``state``,
+            ``response_type``).  Standard parameters always take precedence so
+            they cannot be overridden here.  Default: ``None`` (no extra params).
         token_store
             Optional persistent store override.
         pending_store
@@ -251,19 +271,20 @@ class OAuthProvider:
         """
 
         def _build_auth_url(state: str, redir: str) -> str:
-            return (
-                authorization_url
-                + "?"
-                + urlencode(
-                    {
-                        "client_id": client_id,
-                        "redirect_uri": redir,
-                        "scope": scope,
-                        "state": state,
-                        "response_type": "code",
-                    }
-                )
+            params: dict[str, str] = {}
+            if extra_authorize_params:
+                params.update(extra_authorize_params)
+            # Standard params always win over any extra ones
+            params.update(
+                {
+                    "client_id": client_id,
+                    "redirect_uri": redir,
+                    "scope": scope,
+                    "state": state,
+                    "response_type": "code",
+                }
             )
+            return authorization_url + "?" + urlencode(params)
 
         async def _exchange_code(code: str, state: str, redir: str) -> ExchangeResult:
             async with httpx.AsyncClient(

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mcp-authkit"
-version = "0.2.1"
+version = "0.2.3"
 description = "Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers"
 readme = "README.md"
 requires-python = ">=3.11"

{mcp_authkit-0.2.1 → mcp_authkit-0.2.3}/tests/test_auth_routes.py

@@ -85,6 +85,66 @@ def test_authorization_server_pkce_supported(client):
     assert "S256" in data["code_challenge_methods_supported"]
 
 
+def test_authorization_server_no_extra_params_by_default(client):
+    """Default (extra_authorize_params=None) does not append any extra query params."""
+    data = client.get("/.well-known/oauth-authorization-server").json()
+    assert "idp=" not in data["authorization_endpoint"]
+
+
+def test_authorization_server_extra_params_appended():
+    """extra_authorize_params are appended to authorization_endpoint."""
+    from unittest.mock import AsyncMock, MagicMock, patch
+
+    app = FastAPI()
+    app.include_router(
+        oauth_meta_router(
+            server_base_url=SERVER,
+            issuer_url=ISSUER,
+            client_id=CLIENT_ID,
+            extra_authorize_params={"idp": "0oaz2r21a8RBmZyOL0h7"},
+        )
+    )
+    tc = TestClient(app, raise_server_exceptions=False)
+
+    oidc_doc = {
+        "authorization_endpoint": "https://org.okta.com/oauth2/default/v1/authorize",
+        "token_endpoint": "https://org.okta.com/oauth2/default/v1/token",
+        "jwks_uri": "https://org.okta.com/oauth2/default/v1/keys",
+    }
+    mock_resp = MagicMock()
+    mock_resp.status_code = 200
+    mock_resp.json.return_value = oidc_doc
+    mock_client = MagicMock()
+    mock_client.get = AsyncMock(return_value=mock_resp)
+    mock_client.__aenter__ = AsyncMock(return_value=mock_client)
+    mock_client.__aexit__ = AsyncMock(return_value=None)
+
+    with patch("mcpauthkit.auth_routes.httpx.AsyncClient", return_value=mock_client):
+        data = tc.get("/.well-known/oauth-authorization-server").json()
+
+    assert "idp=0oaz2r21a8RBmZyOL0h7" in data["authorization_endpoint"]
+    # Standard OIDC fields are still present
+    assert data["token_endpoint"] == "https://org.okta.com/oauth2/default/v1/token"
+
+
+def test_authorization_server_extra_params_fallback_no_oidc():
+    """extra_authorize_params appended even when OIDC discovery is unreachable."""
+    app = FastAPI()
+    app.include_router(
+        oauth_meta_router(
+            server_base_url=SERVER,
+            issuer_url=ISSUER,
+            client_id=CLIENT_ID,
+            extra_authorize_params={"idp": "abc123", "prompt": "login"},
+        )
+    )
+    tc = TestClient(app, raise_server_exceptions=False)
+    data = tc.get("/.well-known/oauth-authorization-server").json()
+    auth_ep = data["authorization_endpoint"]
+    assert "idp=abc123" in auth_ep
+    assert "prompt=login" in auth_ep
+
+
 def test_authorization_server_uses_oidc_config(client):
     """When OIDC discovery returns 200, its endpoints override the defaults."""
     from unittest.mock import AsyncMock, MagicMock, patch