Chris Coutinho
9fab6cb550
Replace two non-compliant token verifiers (NextcloudTokenVerifier and
ProgressiveConsentTokenVerifier) with a single UnifiedTokenVerifier that properly
validates token audiences per MCP Security Best Practices specification.
The previous implementation had a critical security vulnerability where tokens
intended for the MCP server were passed directly to Nextcloud APIs without
proper audience validation (token passthrough anti-pattern). This violates
OAuth 2.0 security principles and the MCP specification.
Changes:
- Add UnifiedTokenVerifier supporting two compliant modes:
* Multi-audience mode (default): Validates tokens contain BOTH MCP and
Nextcloud audiences, enabling direct use without exchange
* Token exchange mode (opt-in): Validates MCP audience only, exchanges
for Nextcloud tokens via RFC 8693 with caching to minimize latency
- Remove token passthrough vulnerability from context.py and context_helper.py
- Implement token exchange caching (5-minute TTL default) to reduce network calls
- Add required environment variables for audience validation:
* NEXTCLOUD_MCP_SERVER_URL - MCP server URL (used as audience)
* NEXTCLOUD_RESOURCE_URI - Nextcloud resource identifier
* TOKEN_EXCHANGE_CACHE_TTL - Cache TTL for exchanged tokens
- Update docker-compose.yml with resource URI configuration for both OAuth modes
- Add comprehensive test suite (29 tests) covering both authentication modes
- Remove legacy NextcloudTokenVerifier and ProgressiveConsentTokenVerifier
Security improvements:
- Eliminates token passthrough anti-pattern
- Enforces proper audience separation between MCP and Nextcloud
- Complies with MCP Security Best Practices and RFC 8707/8693
- Maintains performance with token exchange caching
Test results: 65/65 unit tests passed, 5/5 smoke tests passed
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
35 lines
905 B
Python
35 lines
905 B
Python
"""OAuth authentication components for Nextcloud MCP server."""
|
|
|
|
from .bearer_auth import BearerAuth
|
|
from .client_registration import ensure_oauth_client, register_client
|
|
from .context_helper import get_client_from_context
|
|
from .scope_authorization import (
|
|
InsufficientScopeError,
|
|
ScopeAuthorizationError,
|
|
check_scopes,
|
|
discover_all_scopes,
|
|
get_access_token_scopes,
|
|
get_required_scopes,
|
|
has_required_scopes,
|
|
is_jwt_token,
|
|
require_scopes,
|
|
)
|
|
from .unified_verifier import UnifiedTokenVerifier
|
|
|
|
__all__ = [
|
|
"BearerAuth",
|
|
"UnifiedTokenVerifier",
|
|
"register_client",
|
|
"ensure_oauth_client",
|
|
"get_client_from_context",
|
|
"require_scopes",
|
|
"ScopeAuthorizationError",
|
|
"InsufficientScopeError",
|
|
"check_scopes",
|
|
"discover_all_scopes",
|
|
"get_access_token_scopes",
|
|
"get_required_scopes",
|
|
"has_required_scopes",
|
|
"is_jwt_token",
|
|
]
|