feat: Experimental Oauth 2.0 support in gateway #768

shams858 · 2025-08-17T19:16:34Z

🚀 Add OAuth 2.0 Authorization-Code flow to MCP Gateway (Experimental)

This PR introduces OAuth 2.0 support (Authorization-Code & Client-Credentials) across the Gateway, Admin UI and Tool-invocation paths.

✨ What’s new

1 OAuth Manager

Async wrapper around aiohttp that:
- Generates authorization URLs (GET /oauth/authorize/{gateway_id})
- Exchanges authorization codes for tokens
- Refreshes / retries with exponential back-off
Pluggable decryptor for encrypted client_secrets (future KMS integration).

2 Token Storage

oauth_tokens table (Alembic migration add_oauth_tokens_table.py)
Stores access_token, optional refresh_token, expires_at, user_id, gateway_id.

CREATE TABLE oauth_tokens (
    id           TEXT PRIMARY KEY,
    gateway_id   TEXT NOT NULL,
    user_id      TEXT NOT NULL,
    access_token TEXT NOT NULL,
    refresh_token TEXT,
    expires_at   TIMESTAMP,
    created_at   TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);
CREATE INDEX ix_oauth_tokens_gateway_user ON oauth_tokens (gateway_id, user_id);

3 Gateway Service + Routers

New /oauth/callback & /oauth/fetch-tools/{gateway_id} endpoints.
GatewayService.fetch_tools_after_oauth() pulls tools/resources/prompts once the user finishes the consent screen.
Admin UI surface (template / admin.js) to start / monitor OAuth.

4 Tool Service integration

Tools tagged with auth_type="oauth" automatically:

Look up a valid token in TokenStorageService
Refresh (if refresh_token present & near expiry)
Inject Authorization: Bearer <token> header.

5 Unit tests

new tests covering:
- happy-path for both flows
- retry / refresh logic
- DB migration up/down
Existing suites adapted (mocks for async context-managers).

6 Docs

docs/architecture/oauth-authorization-code-ui-design.md – sequence diagram, UI wireframe, curl examples.

🖼️ High-level flow

sequenceDiagram
    participant U as Browser
    participant A as Admin UI
    participant G as Gateway API
    participant GH as GitHub OAuth

    U->>A: Click "Authorize"
    A->>G: GET /oauth/authorize/{gateway}
    G->>GH: Redirect (client_id, redirect_uri, state)
    GH-->>U: Consent Screen
    U-->>GH: Approve
    GH->>G: 302  /oauth/callback?code&state
    G->>GH: POST /access_token (code,…)
    GH-->>G: access_token
    G->>DB:  INSERT oauth_tokens
    G-->>A: 200 OK (tools fetched)

🔧 Migration / Deployment

Run Alembic
alembic upgrade head

Env vars (optional)

OAUTH_REQUEST_TIMEOUT=30
OAUTH_MAX_RETRIES=3

Configure Gateways (example):

{
  "name": "Github",
  "url": "https://api.githubcopilot.com/mcp/",
  "transport": "STREAMABLEHTTP",
  "auth_type": "oauth",
  "oauth_config": {
    "grant_type": "authorization_code",
    "client_id": "xxxx",
    "client_secret": "Z0FBQUFB...",
    "authorization_url": "https://github.com/login/oauth/authorize",
    "token_url": "https://github.com/login/oauth/access_token",
    "redirect_uri": "http://<gateway>/oauth/callback",
    "scopes": ["repo","user","email"],
    "token_management": { "store_tokens": true, "auto_refresh": true }
  }
}

⚠️ Limitations & Next steps

Refresh-token support is provider-dependent – refresh flow untested.
Multi-user separation is basic (user_id extracted from token response or fallback). Full RBAC still TODO.
Implement PKCE according to OAuth 2.1 standard and other authorization flow standards according to MCP specification.
Only tools are saved, prompts and resources saving implementation is pending.
Admin UI improvement needed.
Health-check for OAuth gateways is skipped until first successful consent.
Linter surfaces many # type: ignore fixes we will address post-merge.
Remove code duplication.
Increase Unit test coverage.
Rigorous testing of the end to end flow.
Gateway status check.

Add Gateway with Oauth

Redirect, User Consent, Authorize and Fetch and Save tools

List Tools

Tool Test/Invoke

---

List Gateway with auth_type == oauth

Initial attempt to address this feature #605.

Thanks for reviewing!

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

…ith Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

* Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

* feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

crivetimihai · 2025-08-18T23:29:56Z

This is awesome! Will rebase, fix merge conflicts, test and push upstream. Review in progress.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Resolves conflicts by combining: - OAuth 2.0 functionality from oauth branch - Latest main branch features including metadata capture - Maintains all pylint fixes and code quality improvements 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

- Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai

PR 768 Review: OAuth 2.0 Support in MCP Gateway

✅ Review Summary

APPROVED - This PR successfully implements OAuth 2.0 support addressing the core requirements from Issue #605. The implementation provides a solid foundation for OAuth-based per-user access to remote MCP servers.

Remaining tasks tracked in #782, closes #605

Issue Requirements vs Implementation

Requirement	Status	Implementation
Connect to remote MCP servers without local setup	✅ COMPLETE	SSE/HTTP transport with OAuth authentication
OAuth support for per-user credentials	✅ COMPLETE	Authorization Code + Client Credentials flows
Multiple user credentials (not shared PAT)	✅ COMPLETE	Per-user token storage with encryption
GitHub MCP server compatibility	✅ COMPLETE	OAuth configuration supports GitHub's flow

Architecture Review

✅ Strengths

Clean OAuth abstraction with OAuthManager handling both grant types
Secure token storage with encryption using AUTH_ENCRYPTION_SECRET
Database schema properly designed with foreign keys and indexes
UI integration with Admin UI forms and authorization flows
Error handling with clear user guidance for OAuth setup
Security best practices including CSRF protection via state parameters

✅ Code Quality

Comprehensive testing with unit tests for OAuth flows
Type hints and proper documentation throughout
Database migrations properly structured
Following project conventions for error handling and logging

🔧 Issues Fixed During Review

1. Code Quality & Linting

❌ Pylint issues (9.98/10 → 10.00/10)
- Fixed import-outside-toplevel violations
- Removed unnecessary else clauses after returns
- Added pylint disable comments for unavoidable cases
- Fixed import order (standard before third-party)
- Fixed implicit string concatenation

2. Database Migration Issues

❌ Multiple Alembic heads causing CI/CD failures
- Root cause: OAuth migrations created parallel migration chains
- Fixed: Updated f8c9d3e2a1b4 to follow 34492f99a0c4 instead of eb17fd368f9d
- Removed: Unnecessary merge migration hack (813b45a70b53)
- Result: Clean linear migration chain without parallel branches

3. Branch Integration

❌ Merge conflicts with main branch
- Fixed: Merged latest main branch features including metadata capture
- Preserved: All OAuth functionality during merge
- Combined: OAuth features + export/import + security headers + metadata tracking

📋 Remaining TODOs for Future Enhancements

High Priority

Implement refresh token flow - Currently placeholder in token_storage_service.py:208
Enhance user identification - Better user ID extraction from token responses
Add token management UI - Admin interface for viewing/revoking user tokens
Resource & prompt fetching - OAuth implementation focuses on tools, expand to other entities

Medium Priority

PKCE support - OAuth 2.1 standard for enhanced security
Token cleanup job - Automated cleanup of expired tokens
Multi-user token selection - UI for choosing which user's tokens to use
OAuth provider templates - Pre-configured settings for GitHub, Google, etc.

Low Priority

OAuth token introspection - Validate tokens with OAuth provider
Scope management - Fine-grained permission control
OAuth audit logging - Track OAuth operations for compliance
Performance optimization - Token caching and connection pooling

🧪 Quality Metrics

Test Coverage

Unit Tests: ✅ 2116 passed, 15 skipped
OAuth Manager: ✅ 7 test methods covering happy/error paths
Integration Tests: ✅ All passing
Doctests: ✅ 489 passed, 6 skipped

Code Quality Scores

Pylint: ✅ 10.00/10 (perfect score)
Flake8: ✅ No violations
Bandit: ✅ Security checks passed
Coverage: ✅ 76% overall coverage
Verify: ✅ Package build/distribution checks passed

🎯 Implementation Highlights

Core Components Added

mcpgateway/
├── services/
│   ├── oauth_manager.py          # OAuth 2.0 flow management
│   └── token_storage_service.py  # Encrypted token storage
├── routers/
│   └── oauth_router.py          # OAuth endpoints (/oauth/*)  
├── utils/
│   └── oauth_encryption.py     # Token encryption utilities
├── alembic/versions/
│   ├── f8c9d3e2a1b4_*.py      # OAuth config column
│   └── add_oauth_tokens_table.py # OAuth tokens table
└── db.py                        # OAuthToken ORM model

Key Features

Authorization Code Flow: User consent with redirect to OAuth provider
Client Credentials Flow: Machine-to-machine authentication
Token Encryption: All sensitive tokens encrypted at rest
Admin UI Integration: OAuth configuration in gateway creation
Tool Integration: Automatic OAuth token injection for MCP tool calls

🔄 CI/CD Status

Before Fixes

❌ Multiple Alembic heads error
❌ Pylint violations (9.98/10)
❌ Import/code style issues

After Fixes

✅ Single Alembic migration head
✅ Perfect Pylint score (10.00/10)
✅ All quality checks passing
✅ Clean merge with main branch

📝 Recommendation

APPROVE AND MERGE - This PR provides excellent OAuth 2.0 foundation that fully addresses Issue #605 requirements. The implementation follows security best practices, maintains high code quality, and integrates well with the existing architecture.

The remaining TODOs are enhancements rather than blockers, and can be addressed in future iterations.

crivetimihai · 2025-08-19T00:52:09Z

@shams858 thanks, merging - remaining tasks tracked in #782

@madhav165 please test as well.

madhav165 · 2025-08-19T07:18:58Z

Worked as shown in the PR.

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (IBM#760) * Implement comprehensive fuzz testing automation (IBM#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (IBM#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring IBM#737 (IBM#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs IBM#737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (IBM#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

sbweeden · 2025-08-20T07:39:51Z

I know this PR is merged and closed, but how should I correctly report/suggest additional remaining TODO's?

In particular I noticed that in the admin UI when I edit an existing MCP server configuration, none of the existing OAuth configuration is visible or editable.

* Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com>

…g Implementation (#786) * db.py update Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert alembic with main version Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * 138 view realtime logs in UI and export logs (CSV, JSON) (#747) * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add logging UI readme Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update logging flake8 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * test coverage Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 749 reverse proxy (#750) * Fix download Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Reverse proxy Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * doctest improvements Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * (fix) Added missing prompts/get (#748) Signed-off-by: Ian Molloy <molloyim@us.ibm.com> * Adds RPC endpoints and updates RPC response and error handling (#746) * Fix rpc endpoints Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Remove commented code Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * remove duplicate code in session registry Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Linting fixes Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * Fix tests Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * 753 fix tool invocation invalid method (#754) * Fix tool invocation 'Invalid method' error with backward compatibility (#753) - Add backward compatibility for direct tool invocation (pre-PR #746 format) - Support both old format (method=tool_name) and new format (method=tools/call) - Add comprehensive test coverage for RPC tool invocation scenarios - Ensure graceful fallback to gateway forwarding when method is not a tool The RPC endpoint now handles tool invocations in both formats: 1. New format: method='tools/call' with name and arguments in params 2. Old format: method='tool_name' with params as arguments (backward compat) This maintains compatibility with existing clients while supporting the new standardized RPC method structure introduced in PR #746. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix flake8 E722: Replace bare except with Exception Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: suppress bandit security warnings with appropriate nosec comments (#755) - Added nosec B105 for ENV_TOKEN as it's an environment variable name, not a hardcoded secret - Added nosec B110 for intentional exception swallowing in cleanup/error handling paths - Both cases are legitimate uses where errors should be silently ignored to prevent cascading failures Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Add agents file Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * pylint (#759) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Remove redundant title in readme. (#757) Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> * Update documentation with fixed image tag Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 185 186 import export (#769) * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Import export testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: local network address translation in discovery module (#767) Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Well known (#770) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs with jsonrpc tutorial (#772) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 137 metadata timestamps (#776) * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Metadata / creation dates Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Security headers CSP Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Display metadata for resources Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> * eslint fix Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> * feat #262: MCP Langchain Agent (#781) * feat: Add bulk import UI modal for tools Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * feat: Add Langchain agent with OpenAI & A2A endpoints (refs #262) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> * lint: prettier fix at ~L8090 (insert newline) Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> --------- Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Cleanup pr Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Issue 587/rest tool error (#778) * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * added params extraction from url logic Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> * Rebase and lint / test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * edit column header (#777) Signed-off-by: Shoumi <shoumimukherjee@gmail.com> * Test case update (#775) * session_registry test case updates Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update for routers/reverse_proxy Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * test case update to mcpgateway/reverse_proxy.py Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> * Fix formatting issues from pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: add plugins cli, external plugin support, plugin template (#722) * feat: add support for external plugins Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat(plugins): add external mcp server and associated test cases. Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed yamllint issues Signed-off-by: Teryl Taylor <terylt@ibm.com> * fix(lint): fixed flake8 issue. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: define plugins cli and implement bootstrap command Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: implement install and package CLI commands Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: remote avoid insecure shell=True in subprocess invocation Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: move copier config to repository root Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: get default author from git config Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update copier settings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: copier config syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add external plugin template modules Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: template syntax Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: make template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: fix template issue Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: toml template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin mcp server initialization Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: init module for plugin framework Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add chuck runtime and container wrapping Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins config path Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add .env.template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add tools and resources support Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint yaml Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanups Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update manifest.in Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: linting Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugin config variable Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(tests): fixed doctests for plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * refactor: external plugin server and plugin external API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs(plugins): removed subpackages from examples Signed-off-by: Teryl Taylor <terylt@ibm.com> * docs: update plugin docs to use public framework API Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix(plugin): added resource payloads to base plugin. Signed-off-by: Teryl Taylor <terylt@ibm.com> * feat: udpate test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update test templates Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update plugin template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: update tempalte makefile Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add template for native plugin Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add readme for native template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: force boostrap to be a subcommnand Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugin): added http streamable and error tests. Signed-off-by: Teryl Taylor <terylt@ibm.com> * tests: add tests for plugins CLI Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: deprecation warning Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add CLI tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: update plugin cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests(plugins): added client hook tests for external plugins. Signed-off-by: Teryl Taylor <terylt@ibm.com> * chore: update template readmes Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: lint docstrings in cli Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors in docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint errors Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: add external plugin server tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: cleanup Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: add missing docstrings Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix cli dryrun test Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * chore: fix lint issues Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: fix teardown of client http tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * tests: skipping flaky tests Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: plugin lifecycle tools Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: add missing plugin lifecycle doc Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Experimental Oauth 2.0 support in gateway (#768) * Oauth 2.1 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * oauth 2.0 design Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Support for oauth auth type in gateway Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Decrypt client secret Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * authorization code flow, token storage, tool fetching, tool calling with Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * test fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * 256 fuzz testing (#760) * Implement comprehensive fuzz testing automation (#256) - Add property-based testing with Hypothesis for JSON-RPC, JSONPath, and schema validation - Add coverage-guided fuzzing with Atheris for deep code path exploration - Add API endpoint fuzzing with Schemathesis for contract validation - Add security-focused testing for vulnerability discovery (SQL injection, XSS, etc.) - Add complete Makefile automation with fuzz-all, fuzz-quick, fuzz-extended targets - Add optional [fuzz] dependency group in pyproject.toml for clean installation - Add comprehensive reporting with JSON/Markdown outputs and executive summaries - Add complete developer documentation with examples and troubleshooting guides - Exclude fuzz tests from main test suite to prevent auth failures - Found multiple real bugs in JSON-RPC validation during development Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update fuzz testing Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 344 cors security headers (#761) * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS ADRs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix compose Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update helm chart Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update CORS docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update test Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * feat: Bulk Import Tools modal wiring #737 (#739) * feat: Bulk Import Tools modal wiring and backend implementation - Add modal UI in admin.html with bulk import button and dialog - Implement modal open/close/ESC functionality in admin.js - Add POST /admin/tools/import endpoint with rate limiting - Support both JSON textarea and file upload inputs - Validate JSON structure and enforce 200 tool limit - Return detailed success/failure information per tool - Include loading states and comprehensive error handling Refs #737 Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate admin_import_tools function and fix HTML formatting - Remove duplicate admin_import_tools function definition - Fix HTML placeholder attribute to use double quotes - Add missing closing div tag - Fix flake8 blank line issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Complete bulk import backend with file upload support and enhanced docs - Add file upload support to admin_import_tools endpoint - Fix response format to match frontend expectations - Add UI usage documentation with modal instructions - Update API docs to show all three input methods - Enhance bulk import guide with UI and API examples Backend improvements: - Support tools_file form field for JSON file uploads - Proper file content parsing with error handling - Response includes imported/failed counts and details - Frontend-compatible response format for UI display Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Bulk import Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove conflicting inline script and fix bulk import functionality - Remove conflicting inline JavaScript that was preventing form submission - Fix indentation in setupBulkImportModal function - Ensure bulk import modal uses proper admin.js implementation - Restore proper form submission handling for bulk import This fixes the issue where bulk import appeared to do nothing. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Integrate bulk import setup with main initialization - Add setupBulkImportModal() to main initialization sequence - Remove duplicate DOMContentLoaded listener - Ensure bulk import doesn't interfere with other tab functionality Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: JavaScript formatting issues in bulk import modal - Fix multiline querySelector formatting - Fix multiline Error constructor formatting - Ensure prettier compliance for web linting Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * debug: Temporarily disable bulk import setup to test tabs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Remove duplicate setupFormValidation call and delay bulk import setup - Remove duplicate setupFormValidation() call that could cause conflicts - Use setTimeout to delay bulk import modal setup after other initialization - Add better null safety to form element queries - This should fix tab switching issues Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Restore proper initialization sequence for tab functionality - Remove setTimeout delay for bulk import setup - Keep bulk import setup in main initialization but with error handling - Ensure tab navigation isn't affected by bulk import modal setup Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: Correct HTML structure and restore tab navigation - Move bulk import modal to correct location after tools panel - Remove extra closing div that was breaking HTML structure - Ensure proper page-level modal placement - Restore tab navigation functionality for all tabs This fixes the broken Global Resources, Prompts, Gateways, Roots, and Metrics tabs. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * feat: Add configurable bulk import settings Configuration additions: - MCPGATEWAY_BULK_IMPORT_MAX_TOOLS (default: 200) - MCPGATEWAY_BULK_IMPORT_RATE_LIMIT (default: 10) Implementation: - config.py: Add new settings with defaults - admin.py: Use configurable rate limit and batch size - .env.example: Document all bulk import environment variables - admin.html: Use dynamic max tools value in UI text - CLAUDE.md: Document configuration options for developers - docs: Update bulk import guide with configuration details This makes bulk import fully configurable for different deployment scenarios. Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Update docs Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Implemented configuration export (#764) Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * cleanup Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * ruff fixes Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix flake8 errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * fix eslint errors Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * aiohttp added in the main dependencies section of pyproject.toml Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic multiple heads issue Create merge migration to resolve parallel migration chains: - Main branch migrations (34492f99a0c4) - OAuth branch migrations (add_oauth_tokens_table) This resolves CI/CD test failures caused by Alembic not knowing which migration head to follow during 'alembic upgrade head'. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix Alembic migration chain - remove merge migration hack - Remove unnecessary merge migration file (813b45a70b53) - Fix OAuth config migration to follow proper chain (f8c9d3e2a1b4 → 34492f99a0c4) - OAuth tokens migration already correctly follows (add_oauth_tokens_table → f8c9d3e2a1b4) - Now single migration head without parallel branches This eliminates the 'Multiple heads are present' error in CI/CD tests by ensuring migrations follow a linear chain instead of creating parallel migration branches that need artificial merge migrations. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Review, rebase and lint Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Claude <noreply@anthropic.com> * Fix pre-commit hooks Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * 744 annotations (#784) * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * Fix annotations edit Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> * fix: plugins template (#783) * feat: update context forge target in template's project dependencies Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: exclude jinja files from reformatting tabs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: plugins cli defaults Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * fix: revert formatted Makefile template Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * feat: add optional packages Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update plugin template docs Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * docs: update template readme Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> --------- Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * doc test Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * edit-tool Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * web lint Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * pytest fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * revert with main Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic change Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * flake8 fix Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * remove addtional line Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * alembic Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> * Rebase and fix Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> --------- Signed-off-by: RAKHI DUTTA <rakdutta@in.ibm.com> Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Ian Molloy <molloyim@us.ibm.com> Signed-off-by: Madhav Kandukuri <madhav165@gmail.com> Signed-off-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com> Signed-off-by: Vicky <vicky.kuo.contact@gmail.com> Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com> Signed-off-by: Shoumi <shoumimukherjee@gmail.com> Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Signed-off-by: Teryl Taylor <terylt@ibm.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: RAKHI DUTTA <rakdutta@in.ibm.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com> Co-authored-by: Ian Molloy <i.m.molloy@gmail.com> Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <vinodmut@users.noreply.github.com> Co-authored-by: Vinod Muthusamy <770084+vinodmut@users.noreply.github.com> Co-authored-by: VK <90204593+vk-playground@users.noreply.github.com> Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com> Co-authored-by: Madhav Kandukuri <madhav165@gmail.com> Co-authored-by: Vicky <vicky.kuo.contact@gmail.com> Co-authored-by: Veeresh K <42322782+nmveeresh@users.noreply.github.com> Co-authored-by: Shoumi M <55126549+shoummu1@users.noreply.github.com> Co-authored-by: Mohan Lakshmaiah <mohan.economist@gmail.com> Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com> Co-authored-by: Teryl Taylor <terylt@ibm.com> Co-authored-by: Shamsul Arefin <shams@rijuk.com> Co-authored-by: Shamsul Arefin <shamsul.arefin@iqvia.com> Co-authored-by: Claude <noreply@anthropic.com>

shams858 requested review from crivetimihai, kevalmahajan and madhav165 as code owners August 17, 2025 19:16

shams858 force-pushed the oauth-2-1-support-in-gateway branch from 521a1e9 to e3c6924 Compare August 18, 2025 11:42

Shamsul Arefin and others added 17 commits August 18, 2025 16:52

Oauth 2.1 design

34572cb

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

oauth 2.0 design

a8fd95c

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Support for oauth auth type in gateway

1a00765

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Decrypt client secret

719a161

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

authorization code flow, token storage, tool fetching, tool calling w…

979c2d4

…ith Oauth2.0 Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

test fixes

5421a94

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

Implemented configuration export (IBM#764)

0bc198c

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com> Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

cleanup

a434106

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

cleanup

852927e

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

fixes

3904783

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

ruff fixes

9b70631

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

fix flake8 errors

526401e

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

fix eslint errors

8df2aa8

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

aiohttp added in the main dependencies section of pyproject.toml

3695fe6

Signed-off-by: Shamsul Arefin <shamsul.arefin@iqvia.com>

shams858 force-pushed the oauth-2-1-support-in-gateway branch from e3c6924 to 3695fe6 Compare August 18, 2025 11:56

Merge branch 'main' into oauth-2-1-support-in-gateway

c04147a

crivetimihai and others added 5 commits August 19, 2025 01:15

Review, rebase and lint

8e0c597

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

Review, rebase and lint

693644b

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

crivetimihai approved these changes Aug 19, 2025

View reviewed changes

crivetimihai mentioned this pull request Aug 19, 2025

[Feature Request]: OAuth Enhancement following PR 768 #782

Open

53 tasks

crivetimihai merged commit b83c7fa into IBM:main Aug 19, 2025
35 of 36 checks passed

crivetimihai mentioned this pull request Aug 19, 2025

[Feature Request]: Access to remote MCP Servers/Tools via OAuth on behalf of Users #605

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: Experimental Oauth 2.0 support in gateway #768

feat: Experimental Oauth 2.0 support in gateway #768

Uh oh!

shams858 commented Aug 17, 2025

Uh oh!

crivetimihai commented Aug 18, 2025

Uh oh!

crivetimihai left a comment •

edited

Loading

Uh oh!

Uh oh!

crivetimihai commented Aug 19, 2025

Uh oh!

madhav165 commented Aug 19, 2025

Uh oh!

sbweeden commented Aug 20, 2025

Uh oh!

Uh oh!

feat: Experimental Oauth 2.0 support in gateway #768

feat: Experimental Oauth 2.0 support in gateway #768

Uh oh!

Conversation

shams858 commented Aug 17, 2025

🚀 Add OAuth 2.0 Authorization-Code flow to MCP Gateway (Experimental)

✨ What’s new

1 OAuth Manager

2 Token Storage

3 Gateway Service + Routers

4 Tool Service integration

5 Unit tests

6 Docs

🖼️ High-level flow

🔧 Migration / Deployment

⚠️ Limitations & Next steps

Add Gateway with Oauth

Redirect, User Consent, Authorize and Fetch and Save tools

List Tools

Tool Test/Invoke

List Gateway with auth_type == oauth

Uh oh!

crivetimihai commented Aug 18, 2025

Uh oh!

crivetimihai left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

PR 768 Review: OAuth 2.0 Support in MCP Gateway

✅ Review Summary

Issue Requirements vs Implementation

Architecture Review

✅ Strengths

✅ Code Quality

🔧 Issues Fixed During Review

1. Code Quality & Linting

2. Database Migration Issues

3. Branch Integration

📋 Remaining TODOs for Future Enhancements

High Priority

Medium Priority

Low Priority

🧪 Quality Metrics

Test Coverage

Code Quality Scores

🎯 Implementation Highlights

Core Components Added

Key Features

🔄 CI/CD Status

Before Fixes

After Fixes

📝 Recommendation

Uh oh!

Uh oh!

crivetimihai commented Aug 19, 2025

Uh oh!

madhav165 commented Aug 19, 2025

Uh oh!

sbweeden commented Aug 20, 2025

Uh oh!

Uh oh!

crivetimihai left a comment •

edited

Loading