Add support for remote-oauth-support Fix #686

[ravibits]

This contains fix for the issue: #686

As per the new authorization spec for MCP Servers as outlined here: https://modelcontextprotocol.io/specification/draft/basic/authorization, implementing the remote oauth support for the FastMCP Servers.

• Add support for /.well-known/oauth-protected-resource endpoint when the MCP Server is created with support with auth based off of remote authorization server
• Add support for custom bearer token validation with default JWT based bearer token validation out of the box for MCP servers with remote oauth support.
• Implement middleware to check for the JWT token validity
• (optional) at a per tool level, create indicators for whether auth required and if yes, what scopes are required for that tool.

As part of the spec, the only responsibility of the MCP Server should be to indicate to the client it's oauth protected resource and indicate to the client where to find the authorization server.

This is just the initial version and based on the feedback from @localden, @ihrpr , I intend to keep making changes to complete the test cases and full feature documentation.

Motivation and Context

Implement supoprt for RFC9728, along with other requirements outlined in the spec.

How Has This Been Tested?

• TODO: We will implement a simple MCP Server using an authorization server that supports PKCE, DCR etc and ensure that the MCP Server is receiving the access tokens as presented by the MCP client.

Breaking Changes

May have breaking changes.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

[ochafik]

Hey @ravibits, thanks a lot for sending this out, it's an exciting set of changes!

Suggested a few fixes & tweaks but my main concern is about updating our copy of FastMCP 1.0 (as opposed to updating / upgrading to FastMCP 2.0).

[ochafik]

Needs additional pyjwt dep here

[ochafik]

Probably needs super init:

        super().__init__()

[ochafik]

uv run mcp_simple_remote_auth

[ochafik]

I'd make it more explicit that it starts on http://localhost:8000/sse

[ochafik]

Can we switch the default to streamable http / move sse down? SSE is now deprecated

Also, seems that connecting to the SSE server doesn't trigger authentication the way it does to the Streamable HTTP server.

[ochafik]

Have you found an Inspector workflow that works for you? Even after applying the couple of fixes I suggested, I hit a wall w/ the AS not setting CORS headers that would allow localhost to proceed.

[ochafik]

While these changes make sense, an important consideration is this class comes from FastMCP 1.0.

I reckon we'll probably want to update the SDK to FastMCP 2.0 at some point, so might be better not to diverge our version of FastMCP, if possible.

I'd suggest maybe to evaluate if the same change is needed / applicable to FastMCP 2.0 and send a PR to them, while we figure out if / how we can update to 2.0? (if they accept the patch, we can even backport it to our 1.0 fork if the overall upgrade to 2.0 isn't straightforward, without fearing that said upgrade would be harder down the line).

Does this make sense?

[ochafik]

            self._protected_resource_metadata.model_dump_json(exclude_none=True),

(otherwise fields that are optional but not-nullable, like jwks_uri, fail to be validated if set to None, e.g. by the TS SDK (used by the Inspector)

[ochafik]

We might need to wrap this one with cors_middleware as done elsewhere in the sdk