brandon/nextcloud-mcp-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feature/helm-chart-multi-user-basic-support
nextcloud-mcp-server/tests/manual/README.md
T
Chris Coutinho babd60e08b feat: Implement ADR-004 Hybrid Flow with comprehensive integration tests 
Implement the ADR-004 Hybrid Flow OAuth pattern where the MCP server
intercepts the OAuth callback to obtain master refresh tokens while
maintaining PKCE security for clients.

## Implementation

### OAuth Routes (ADR-004 Hybrid Flow)
- Add `/oauth/authorize` endpoint: Intercepts client OAuth initiation
- Add `/oauth/callback` endpoint: Receives IdP callback, stores master token
- Add `/oauth/token` endpoint: Exchanges MCP code for client access token
- Implement PKCE code challenge/verifier validation
- Store OAuth sessions with state/challenge correlation

### MCP Server Integration
- Update `setup_oauth_config()` to return client_id and client_secret
- Initialize OAuth context in Starlette lifespan for login routes
- Add OAuth session storage to RefreshTokenStorage
- Configure authlib dependency for OAuth flow management

### Integration Tests
- Create `test_adr004_hybrid_flow.py` with Playwright automation
- Add `adr004_hybrid_flow_mcp_client` session-scoped fixture
- Test MCP session establishment with hybrid flow token
- Test tool execution using stored refresh tokens (on-behalf-of pattern)
- Test persistent access across multiple operations
- All tests passing:  3 passed in 8.82s

### Documentation
- Update ADR-004 with comprehensive Testing section
- Add integration test commands and coverage details
- Document test implementation and verification steps
- Create TESTING_INSTRUCTIONS.md for manual and automated testing
- Include manual test scripts for reference/debugging

## What This Enables

 PKCE code challenge/verifier flow
 MCP server intercepts OAuth callback and stores master refresh token
 Client receives MCP access token (not master token)
 MCP session establishment with hybrid flow token
 Tool execution using stored refresh tokens (on-behalf-of pattern)
 Multiple operations without re-authentication
 Proper token isolation (client never sees master token)

## Testing

Run ADR-004 integration tests:
```bash
uv run pytest tests/server/oauth/test_adr004_hybrid_flow.py --browser firefox -v
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 02:18:30 +01:00

48 lines
1.2 KiB
Markdown
Raw Permalink Blame History

# Manual OAuth Flow Testing
This directory contains manual test scripts for OAuth flows that require browser interaction.
## ADR-004 OAuth Hybrid Flow Test
The `test_adr004_oauth_flow.py` script tests the complete OAuth flow described in ADR-004.
### Prerequisites
1. **Install Playwright browsers:**
```bash
uv run playwright install firefox
```
2. **Start MCP server with OAuth enabled:**
For Nextcloud OIDC:
```bash
export ENABLE_OFFLINE_ACCESS=true
export TOKEN_ENCRYPTION_KEY=$(uv run python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
docker-compose up --build -d mcp-oauth
```
For Keycloak:
```bash
export ENABLE_OFFLINE_ACCESS=true
export TOKEN_ENCRYPTION_KEY=$(uv run python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
docker-compose up --build -d mcp-keycloak
```
### Running the Test
**Test with Nextcloud OIDC:**
```bash
uv run python tests/manual/test_adr004_oauth_flow.py --provider nextcloud
```
**Test with Keycloak:**
```bash
uv run python tests/manual/test_adr004_oauth_flow.py --provider keycloak
```
**Headless mode:**
```bash
uv run python tests/manual/test_adr004_oauth_flow.py --provider nextcloud --headless
```
Reference in New Issue View Git Blame Copy Permalink