feat: Implement ADR-004 Hybrid Flow with comprehensive integration tests
Implement the ADR-004 Hybrid Flow OAuth pattern where the MCP server intercepts the OAuth callback to obtain master refresh tokens while maintaining PKCE security for clients. ## Implementation ### OAuth Routes (ADR-004 Hybrid Flow) - Add `/oauth/authorize` endpoint: Intercepts client OAuth initiation - Add `/oauth/callback` endpoint: Receives IdP callback, stores master token - Add `/oauth/token` endpoint: Exchanges MCP code for client access token - Implement PKCE code challenge/verifier validation - Store OAuth sessions with state/challenge correlation ### MCP Server Integration - Update `setup_oauth_config()` to return client_id and client_secret - Initialize OAuth context in Starlette lifespan for login routes - Add OAuth session storage to RefreshTokenStorage - Configure authlib dependency for OAuth flow management ### Integration Tests - Create `test_adr004_hybrid_flow.py` with Playwright automation - Add `adr004_hybrid_flow_mcp_client` session-scoped fixture - Test MCP session establishment with hybrid flow token - Test tool execution using stored refresh tokens (on-behalf-of pattern) - Test persistent access across multiple operations - All tests passing: ✅ 3 passed in 8.82s ### Documentation - Update ADR-004 with comprehensive Testing section - Add integration test commands and coverage details - Document test implementation and verification steps - Create TESTING_INSTRUCTIONS.md for manual and automated testing - Include manual test scripts for reference/debugging ## What This Enables ✅ PKCE code challenge/verifier flow ✅ MCP server intercepts OAuth callback and stores master refresh token ✅ Client receives MCP access token (not master token) ✅ MCP session establishment with hybrid flow token ✅ Tool execution using stored refresh tokens (on-behalf-of pattern) ✅ Multiple operations without re-authentication ✅ Proper token isolation (client never sees master token) ## Testing Run ADR-004 integration tests: ```bash uv run pytest tests/server/oauth/test_adr004_hybrid_flow.py --browser firefox -v ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -1243,6 +1243,48 @@ The **Hybrid Flow** solves the critical problem of getting the master refresh to
|
||||
|
||||
This architecture follows industry best practices for federated systems and positions the MCP server as a secure token broker in an enterprise identity ecosystem.
|
||||
|
||||
## Testing
|
||||
|
||||
The ADR-004 Hybrid Flow is fully tested via automated integration tests:
|
||||
|
||||
### Integration Tests
|
||||
|
||||
```bash
|
||||
# Run all ADR-004 tests
|
||||
uv run pytest tests/server/oauth/test_adr004_hybrid_flow.py --browser firefox -v
|
||||
|
||||
# Run specific test
|
||||
uv run pytest tests/server/oauth/test_adr004_hybrid_flow.py::test_adr004_hybrid_flow_tool_execution --browser firefox -v
|
||||
```
|
||||
|
||||
**Test Coverage:**
|
||||
- `test_adr004_hybrid_flow_connection`: Verifies MCP session establishment with hybrid flow token
|
||||
- `test_adr004_hybrid_flow_tool_execution`: Tests complete flow including tool execution
|
||||
- `test_adr004_hybrid_flow_multiple_operations`: Validates persistent access without re-authentication
|
||||
|
||||
**What the tests verify:**
|
||||
1. ✅ PKCE code challenge/verifier flow
|
||||
2. ✅ MCP server intercepts OAuth callback and stores master refresh token
|
||||
3. ✅ Client receives MCP access token (not master token)
|
||||
4. ✅ MCP session establishment with hybrid flow token
|
||||
5. ✅ Tool execution using stored refresh tokens (on-behalf-of pattern)
|
||||
6. ✅ Multiple operations without re-authentication
|
||||
|
||||
### Test Implementation
|
||||
|
||||
The tests use Playwright automation to complete the OAuth flow:
|
||||
1. Generate PKCE challenge/verifier
|
||||
2. Navigate to MCP server `/oauth/authorize` endpoint
|
||||
3. MCP server redirects to IdP
|
||||
4. Playwright fills login form and consents
|
||||
5. IdP redirects to MCP server `/oauth/callback`
|
||||
6. MCP server stores master refresh token
|
||||
7. MCP server redirects client with MCP authorization code
|
||||
8. Client exchanges MCP code for access token using PKCE verifier
|
||||
9. Create MCP session and execute tools
|
||||
|
||||
See `tests/server/oauth/test_adr004_hybrid_flow.py` for complete implementation.
|
||||
|
||||
## References
|
||||
|
||||
- [RFC 6749: OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749)
|
||||
|
||||
Reference in New Issue
Block a user