modelcontextprotocol
diff --git a/‎examples/servers/proxy_oauth/server.py
Lines changed: 175 additions & 0 deletions b/‎examples/servers/proxy_oauth/server.py
Lines changed: 175 additions & 0 deletions
diff --git a/‎examples/servers/proxy_oauth/test_logging.py
Lines changed: 106 additions & 0 deletions b/‎examples/servers/proxy_oauth/test_logging.py
Lines changed: 106 additions & 0 deletions
diff --git a/‎src/mcp/server/auth/__init__.py
Lines changed: 42 additions & 0 deletions b/‎src/mcp/server/auth/__init__.py
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,175 @@
+# pyright: reportMissingImports=false
+import os
+from urllib.parse import urljoin
+from dotenv import load_dotenv  # type: ignore
+from typing import Any, cast
+import base64, json, time
+from starlette.requests import Request  # type: ignore
+
+from mcp.server.fastmcp.server import Context
+from mcp.server.auth.proxy.server import build_proxy_server  # noqa: E402
+
+# Load environment variables from .env if present
+load_dotenv()
+
+# ----------------------------------------------------------------------------
+# Environment configuration
+# ----------------------------------------------------------------------------
+_upstream_base = os.getenv("PROXY_UPSTREAM_BASE", "https://auth.example.com/")
+# Sanitize trailing slash
+if _upstream_base.endswith("/"):
+    _upstream_base = _upstream_base[:-1]
+UPSTREAM_BASE: str = _upstream_base
+
+print("[Proxy Config] UPSTREAM_BASE:", UPSTREAM_BASE)
+print("[Proxy Config] CLIENT_ID:", os.getenv("PROXY_CLIENT_ID") or os.getenv("UPSTREAM_CLIENT_ID"))
+
+CLIENT_ID = os.getenv("PROXY_CLIENT_ID") or os.getenv("UPSTREAM_CLIENT_ID") or "demo-client-id"
+CLIENT_SECRET = os.getenv("PROXY_CLIENT_SECRET") or os.getenv("UPSTREAM_CLIENT_SECRET")  # may be None
+DEFAULT_SCOPE = os.getenv("PROXY_DEFAULT_SCOPE", "openid profile email")
+AUDIENCE = os.getenv("PROXY_AUDIENCE")  # optional
+
+# ---------------------------------------------------------------------------
+# Resolve upstream endpoints – prefer explicit *_ENDPOINT variables (matches
+# naming used in fastmcp example) and fall back to BASE + path.
+# ---------------------------------------------------------------------------
+
+UPSTREAM_AUTHORIZE = os.getenv("UPSTREAM_AUTHORIZATION_ENDPOINT") or f"{UPSTREAM_BASE}/authorize"
+UPSTREAM_TOKEN = os.getenv("UPSTREAM_TOKEN_ENDPOINT") or f"{UPSTREAM_BASE}/token"
+UPSTREAM_JWKS_URI = os.getenv("UPSTREAM_JWKS_URI")
+UPSTREAM_REVOCATION = os.getenv("UPSTREAM_REVOCATION_ENDPOINT") or f"{UPSTREAM_BASE}/revoke"
+
+# Metadata URL (only used if we need to fetch from upstream)
+UPSTREAM_METADATA = f"{UPSTREAM_BASE}/.well-known/oauth-authorization-server"
+
+print("[Proxy Config] UPSTREAM_AUTHORIZE:", UPSTREAM_AUTHORIZE)
+print("[Proxy Config] UPSTREAM_TOKEN:", UPSTREAM_TOKEN)
+
+# Server host/port
+PROXY_PORT = int(os.getenv("PROXY_PORT", "8000"))
+
+# ----------------------------------------------------------------------------
+# FastMCP server (now created via library helper)
+# ----------------------------------------------------------------------------
+
+ISSUER_URL = os.getenv("PROXY_ISSUER_URL", "http://localhost:8000")
+
+# Create FastMCP instance using the reusable proxy builder
+mcp = build_proxy_server(port=PROXY_PORT, issuer_url=ISSUER_URL)
+
+# ---------------------------------------------------------------------------
+# Minimal demo tool
+# ---------------------------------------------------------------------------
+
+@mcp.tool()
+def echo(message: str) -> str:
+    return f"Echo: {message}"
+
+
+@mcp.tool()
+async def user_info(ctx: Context[Any, Any, Request]) -> dict[str, Any]:
+    """
+    Get information about the authenticated user.
+    
+    This tool demonstrates accessing user information from the OAuth access token.
+    The user must be authenticated via OAuth to access this tool.
+    
+    Returns:
+        Dictionary containing user information from the access token
+    """
+    from mcp.server.auth.middleware.auth_context import get_access_token
+    
+    # Get the access token from the authentication context
+    access_token = get_access_token()
+    
+    if not access_token:
+        return {
+            "error": "No access token found - user not authenticated",
+            "authenticated": False
+        }
+    
+    # Attempt to decode the access token as JWT to extract useful user claims.
+    # Many OAuth providers issue JWT access tokens (or ID tokens) that contain
+    # the user's subject (sub) and preferred username. We parse the token
+    # *without* signature verification – we only need the public claims for
+    # display purposes. If the token is opaque or the decode fails, we simply
+    # skip this step.
+
+    def _try_decode_jwt(token_str: str) -> dict[str, Any] | None:  # noqa: D401
+        """Best-effort JWT decode without verification.
+
+        Returns the payload dictionary if the token *looks* like a JWT and can
+        be base64-decoded. If anything fails we return None.
+        """
+
+        try:
+            parts = token_str.split(".")
+            if len(parts) != 3:
+                return None  # Not a JWT
+
+            # JWT parts are URL-safe base64 without padding
+            def _b64decode(segment: str) -> bytes:
+                padding = "=" * (-len(segment) % 4)
+                return base64.urlsafe_b64decode(segment + padding)
+
+            payload_bytes = _b64decode(parts[1])
+            return json.loads(payload_bytes)
+        except Exception:  # noqa: BLE001
+            return None
+
+    jwt_claims = _try_decode_jwt(access_token.token)
+
+    # Build response with token information plus any extracted claims
+    response: dict[str, Any] = {
+        "authenticated": True,
+        "client_id": access_token.client_id,
+        "scopes": access_token.scopes,
+        "token_type": "Bearer",
+        "expires_at": access_token.expires_at,
+        "resource": access_token.resource,
+    }
+
+    if jwt_claims:
+        # Prefer the `userid` claim used in FastMCP examples; fall back to `sub` if absent.
+        uid = jwt_claims.get("userid") or jwt_claims.get("sub")
+        if uid is not None:
+            response["userid"] = uid  # camelCase variant used in FastMCP reference
+            response["user_id"] = uid  # snake_case variant
+        response["username"] = (
+            jwt_claims.get("preferred_username")
+            or jwt_claims.get("nickname")
+            or jwt_claims.get("name")
+        )
+        response["issuer"] = jwt_claims.get("iss")
+        response["audience"] = jwt_claims.get("aud")
+        response["issued_at"] = jwt_claims.get("iat")
+
+    # Calculate expiration helpers
+    if access_token.expires_at:
+        response["expires_at_iso"] = time.strftime('%Y-%m-%dT%H:%M:%S', time.localtime(access_token.expires_at))
+        response["expires_in_seconds"] = max(0, access_token.expires_at - int(time.time()))
+    
+    return response
+
+
+@mcp.tool()
+async def test_endpoint(message: str = "Hello from proxy server!") -> dict[str, Any]:
+    """
+    Test endpoint for debugging OAuth proxy functionality.
+    
+    Args:
+        message: Optional message to echo back
+        
+    Returns:
+        Test response with server information
+    """
+    return {
+        "message": message,
+        "server": "Transparent OAuth Proxy Server",
+        "status": "active",
+        "oauth_configured": True
+    }
+
+
+if __name__ == "__main__":
+    mcp.run(transport="streamable-http") 
@@ -0,0 +1,106 @@
+#!/usr/bin/env python3
+"""
+Test script to demonstrate the enhanced logging features of the transparent OAuth proxy.
+This script makes requests to various endpoints to show the comprehensive logging.
+"""
+
+import time
+import requests
+import json
+import sys
+from threading import Thread
+import subprocess
+import os
+import signal
+
+def test_endpoints():
+    """Test various endpoints to demonstrate logging."""
+    base_url = "http://localhost:8000"
+    
+    print("\n" + "="*60)
+    print("🧪 TESTING ENHANCED LOGGING FEATURES")
+    print("="*60)
+    
+    # Wait for server to be ready
+    print("⏳ Waiting for server to be ready...")
+    time.sleep(3)
+    
+    try:
+        # Test 1: Metadata discovery
+        print("\n🔍 Testing OAuth metadata discovery...")
+        response = requests.get(f"{base_url}/.well-known/oauth-authorization-server", 
+                              headers={"Host": "localhost:8000"})
+        print(f"   Status: {response.status_code}")
+        
+        # Test 2: Client registration (DCR)
+        print("\n📝 Testing Dynamic Client Registration...")
+        registration_data = {
+            "redirect_uris": ["http://localhost:3000/callback"],
+            "grant_types": ["authorization_code"],
+            "response_types": ["code"],
+            "client_name": "Test MCP Client"
+        }
+        response = requests.post(f"{base_url}/register", 
+                               json=registration_data,
+                               headers={"Content-Type": "application/json"})
+        print(f"   Status: {response.status_code}")
+        
+        # Test 3: Authorization endpoint
+        print("\n🔐 Testing authorization endpoint...")
+        auth_params = {
+            "response_type": "code",
+            "client_id": "test-client-id", 
+            "redirect_uri": "http://localhost:3000/callback",
+            "scope": "openid profile email",
+            "state": "test-state-12345",
+            "code_challenge": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
+            "code_challenge_method": "S256"
+        }
+        response = requests.get(f"{base_url}/authorize", 
+                              params=auth_params,
+                              allow_redirects=False)
+        print(f"   Status: {response.status_code}")
+        
+        # Test 4: Token endpoint (this will show the most comprehensive logging)
+        print("\n🎫 Testing token endpoint (will fail but show logging)...")
+        token_data = {
+            "grant_type": "authorization_code",
+            "client_id": "test-client-id",
+            "client_secret": "test-client-secret", 
+            "code": "test_auth_code_abcdef123456",
+            "redirect_uri": "http://localhost:3000/callback",
+            "code_verifier": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
+        }
+        response = requests.post(f"{base_url}/token",
+                               data=token_data,
+                               headers={"Content-Type": "application/x-www-form-urlencoded"})
+        print(f"   Status: {response.status_code}")
+        
+        # Test 5: Another token request with different parameters
+        print("\n🎫 Testing token endpoint with different parameters...")
+        token_data2 = {
+            "grant_type": "authorization_code",
+            "client_id": "test-client-id",
+            "code": "different_test_code_xyz789",
+            "redirect_uri": "http://localhost:3000/callback"
+        }
+        response = requests.post(f"{base_url}/token",
+                               data=token_data2,
+                               headers={"Content-Type": "application/x-www-form-urlencoded"})
+        print(f"   Status: {response.status_code}")
+        
+        print("\n✅ Test requests completed!")
+        print("🔍 Check the server logs above to see the enhanced logging with:")
+        print("   • Correlation IDs for request tracing")
+        print("   • Detailed request/response headers and data")
+        print("   • Timing information")
+        print("   • Emoji indicators for easy scanning")
+        print("   • Sensitive data redaction")
+        
+    except requests.exceptions.ConnectionError:
+        print("❌ Could not connect to server. Make sure it's running on port 8000.")
+    except Exception as e:
+        print(f"❌ Error during testing: {e}")
+
+if __name__ == "__main__":
+    test_endpoints() 
@@ -1,3 +1,45 @@
+# pyright: reportGeneralTypeIssues=false
 """
 MCP OAuth server authorization components.
 """
+
+# Convenience re-exports so users can simply::
+#
+#     from mcp.server.auth import build_proxy_server
+#
+# instead of digging into the sub-package path.
+
+from typing import TYPE_CHECKING
+
+from mcp.server.auth.proxy import (
+    configure_colored_logging,
+    create_proxy_routes,
+    fetch_upstream_metadata,
+)
+
+# For *build_proxy_server* we need a lazy import to avoid a circular reference
+# during the initial package import sequence (FastMCP -> auth -> proxy ->
+# FastMCP ...).  PEP 562 allows us to implement module-level `__getattr__` for
+# this purpose.
+
+def __getattr__(name: str):  # noqa: D401
+    if name == "build_proxy_server":
+        from mcp.server.auth.proxy.server import build_proxy_server as _bps  # noqa: WPS433
+
+        globals()["build_proxy_server"] = _bps
+        return _bps
+    raise AttributeError(name)
+
+# ---------------------------------------------------------------------------
+# Public API specification
+# ---------------------------------------------------------------------------
+
+__all__: list[str] = [
+    "configure_colored_logging",
+    "create_proxy_routes",
+    "fetch_upstream_metadata",
+    "build_proxy_server",
+]
+
+if TYPE_CHECKING:  # pragma: no cover – make *build_proxy_server* visible to type checkers
+    from mcp.server.auth.proxy.server import build_proxy_server  # noqa: F401