mcp-authkit 0.2.2__tar.gz → 0.2.3__tar.gz

{mcp_authkit-0.2.2 → mcp_authkit-0.2.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-authkit
-Version: 0.2.2
+Version: 0.2.3
 Summary: Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers
 License: MIT
 Project-URL: Homepage, https://github.com/masterela/mcp-authkit

{mcp_authkit-0.2.2 → mcp_authkit-0.2.3}/mcp_authkit.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-authkit
-Version: 0.2.2
+Version: 0.2.3
 Summary: Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers
 License: MIT
 Project-URL: Homepage, https://github.com/masterela/mcp-authkit

{mcp_authkit-0.2.2 → mcp_authkit-0.2.3}/mcpauthkit/auth_routes.py

@@ -24,6 +24,7 @@ from __future__ import annotations
 
 import logging
 import time
+from urllib.parse import urlencode
 
 import httpx
 from fastapi import APIRouter, Request
@@ -37,6 +38,7 @@ def oauth_meta_router(
     server_base_url: str,
     issuer_url: str,
     client_id: str,
+    extra_authorize_params: dict[str, str] | None = None,
 ) -> APIRouter:
     """
     Return an ``APIRouter`` with well-known OAuth metadata routes and a DCR
@@ -52,6 +54,26 @@ def oauth_meta_router(
         ``"https://login.microsoftonline.com/{tenant}/v2.0"``.
     client_id
         Pre-registered public client ID returned by the DCR façade.
+    extra_authorize_params
+        Optional extra query parameters appended to the
+        ``authorization_endpoint`` in the
+        ``/.well-known/oauth-authorization-server`` response.  MCP clients
+        read that URL and use it verbatim when redirecting the user to the
+        OIDC provider, so any hint placed here is automatically forwarded.
+
+        Use this for provider-specific routing parameters that fall outside
+        the standard OAuth 2.0 / OIDC spec.  For example, Okta's ``idp``
+        parameter bypasses the Okta login page and routes users directly to
+        a configured external Identity Provider::
+
+            app.include_router(oauth_meta_router(
+                server_base_url=settings.server_base_url,
+                issuer_url="https://your-org.okta.com/oauth2/default",
+                client_id=settings.okta_client_id,
+                extra_authorize_params={"idp": "0oaz2r21a8RBmZyOL0h7"},
+            ))
+
+        Default: ``None`` (no extra params — fully retro-compatible).
     """
     router = APIRouter()
     base = server_base_url.rstrip("/")
@@ -85,6 +107,10 @@ def oauth_meta_router(
         except Exception as exc:
             logger.warning("Could not fetch OIDC metadata: %s", exc)
 
+        if extra_authorize_params:
+            sep = "&" if "?" in auth_ep else "?"
+            auth_ep += sep + urlencode(extra_authorize_params)
+
         return JSONResponse(
             {
                 "issuer": base,

{mcp_authkit-0.2.2 → mcp_authkit-0.2.3}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "mcp-authkit"
-version = "0.2.2"
+version = "0.2.3"
 description = "Pluggable OAuth 2.0 + credentials elicitation library for FastMCP servers"
 readme = "README.md"
 requires-python = ">=3.11"

{mcp_authkit-0.2.2 → mcp_authkit-0.2.3}/tests/test_auth_routes.py

@@ -85,6 +85,66 @@ def test_authorization_server_pkce_supported(client):
     assert "S256" in data["code_challenge_methods_supported"]
 
 
+def test_authorization_server_no_extra_params_by_default(client):
+    """Default (extra_authorize_params=None) does not append any extra query params."""
+    data = client.get("/.well-known/oauth-authorization-server").json()
+    assert "idp=" not in data["authorization_endpoint"]
+
+
+def test_authorization_server_extra_params_appended():
+    """extra_authorize_params are appended to authorization_endpoint."""
+    from unittest.mock import AsyncMock, MagicMock, patch
+
+    app = FastAPI()
+    app.include_router(
+        oauth_meta_router(
+            server_base_url=SERVER,
+            issuer_url=ISSUER,
+            client_id=CLIENT_ID,
+            extra_authorize_params={"idp": "0oaz2r21a8RBmZyOL0h7"},
+        )
+    )
+    tc = TestClient(app, raise_server_exceptions=False)
+
+    oidc_doc = {
+        "authorization_endpoint": "https://org.okta.com/oauth2/default/v1/authorize",
+        "token_endpoint": "https://org.okta.com/oauth2/default/v1/token",
+        "jwks_uri": "https://org.okta.com/oauth2/default/v1/keys",
+    }
+    mock_resp = MagicMock()
+    mock_resp.status_code = 200
+    mock_resp.json.return_value = oidc_doc
+    mock_client = MagicMock()
+    mock_client.get = AsyncMock(return_value=mock_resp)
+    mock_client.__aenter__ = AsyncMock(return_value=mock_client)
+    mock_client.__aexit__ = AsyncMock(return_value=None)
+
+    with patch("mcpauthkit.auth_routes.httpx.AsyncClient", return_value=mock_client):
+        data = tc.get("/.well-known/oauth-authorization-server").json()
+
+    assert "idp=0oaz2r21a8RBmZyOL0h7" in data["authorization_endpoint"]
+    # Standard OIDC fields are still present
+    assert data["token_endpoint"] == "https://org.okta.com/oauth2/default/v1/token"
+
+
+def test_authorization_server_extra_params_fallback_no_oidc():
+    """extra_authorize_params appended even when OIDC discovery is unreachable."""
+    app = FastAPI()
+    app.include_router(
+        oauth_meta_router(
+            server_base_url=SERVER,
+            issuer_url=ISSUER,
+            client_id=CLIENT_ID,
+            extra_authorize_params={"idp": "abc123", "prompt": "login"},
+        )
+    )
+    tc = TestClient(app, raise_server_exceptions=False)
+    data = tc.get("/.well-known/oauth-authorization-server").json()
+    auth_ep = data["authorization_endpoint"]
+    assert "idp=abc123" in auth_ep
+    assert "prompt=login" in auth_ep
+
+
 def test_authorization_server_uses_oidc_config(client):
     """When OIDC discovery returns 200, its endpoints override the defaults."""
     from unittest.mock import AsyncMock, MagicMock, patch