Files

T

Chris Coutinho babd60e08b feat: Implement ADR-004 Hybrid Flow with comprehensive integration tests

Implement the ADR-004 Hybrid Flow OAuth pattern where the MCP server
intercepts the OAuth callback to obtain master refresh tokens while
maintaining PKCE security for clients.

## Implementation

### OAuth Routes (ADR-004 Hybrid Flow)
- Add `/oauth/authorize` endpoint: Intercepts client OAuth initiation
- Add `/oauth/callback` endpoint: Receives IdP callback, stores master token
- Add `/oauth/token` endpoint: Exchanges MCP code for client access token
- Implement PKCE code challenge/verifier validation
- Store OAuth sessions with state/challenge correlation

### MCP Server Integration
- Update `setup_oauth_config()` to return client_id and client_secret
- Initialize OAuth context in Starlette lifespan for login routes
- Add OAuth session storage to RefreshTokenStorage
- Configure authlib dependency for OAuth flow management

### Integration Tests
- Create `test_adr004_hybrid_flow.py` with Playwright automation
- Add `adr004_hybrid_flow_mcp_client` session-scoped fixture
- Test MCP session establishment with hybrid flow token
- Test tool execution using stored refresh tokens (on-behalf-of pattern)
- Test persistent access across multiple operations
- All tests passing: ✅ 3 passed in 8.82s

### Documentation
- Update ADR-004 with comprehensive Testing section
- Add integration test commands and coverage details
- Document test implementation and verification steps
- Create TESTING_INSTRUCTIONS.md for manual and automated testing
- Include manual test scripts for reference/debugging

## What This Enables

✅ PKCE code challenge/verifier flow
✅ MCP server intercepts OAuth callback and stores master refresh token
✅ Client receives MCP access token (not master token)
✅ MCP session establishment with hybrid flow token
✅ Tool execution using stored refresh tokens (on-behalf-of pattern)
✅ Multiple operations without re-authentication
✅ Proper token isolation (client never sees master token)

## Testing

Run ADR-004 integration tests:
```bash
uv run pytest tests/server/oauth/test_adr004_hybrid_flow.py --browser firefox -v
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-03 02:18:30 +01:00

1.2 KiB

Raw Permalink Blame History

Manual OAuth Flow Testing

This directory contains manual test scripts for OAuth flows that require browser interaction.

ADR-004 OAuth Hybrid Flow Test

The test_adr004_oauth_flow.py script tests the complete OAuth flow described in ADR-004.

Prerequisites

Install Playwright browsers:
```
uv run playwright install firefox
```

Start MCP server with OAuth enabled:

For Nextcloud OIDC:

export ENABLE_OFFLINE_ACCESS=true
export TOKEN_ENCRYPTION_KEY=$(uv run python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
docker-compose up --build -d mcp-oauth

For Keycloak:

export ENABLE_OFFLINE_ACCESS=true
export TOKEN_ENCRYPTION_KEY=$(uv run python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())")
docker-compose up --build -d mcp-keycloak

Running the Test

Test with Nextcloud OIDC:

uv run python tests/manual/test_adr004_oauth_flow.py --provider nextcloud

Test with Keycloak:

uv run python tests/manual/test_adr004_oauth_flow.py --provider keycloak

Headless mode:

uv run python tests/manual/test_adr004_oauth_flow.py --provider nextcloud --headless

1.2 KiB Raw Permalink Blame History

Manual OAuth Flow Testing

ADR-004 OAuth Hybrid Flow Test

Prerequisites

Running the Test

1.2 KiB

Raw Permalink Blame History