Skip to content

mcp-data-platform-v0.13.2

Choose a tag to compare

View all tags
@github-actions github-actions released this 06 Feb 09:03
· 395 commits to main since this release
v0.13.2
7617459
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Fix HTTP-Level OAuth Discovery for MCP Clients

  • Added /.well-known/oauth-protected-resource endpoint (RFC 9728) so MCP clients can discover the authorization server
  • Added MCPAuthGateway HTTP middleware on the Streamable HTTP endpoint (/) that returns HTTP 401 with WWW-Authenticate: Bearer resource_metadata="<url>" when no credentials are present
  • Enhanced SSE endpoint with RequireAuthWithOAuth middleware that includes the same WWW-Authenticate header in 401 responses

Root Cause

The Streamable HTTP endpoint had no HTTP-level auth middleware. It never returned HTTP 401, so Claude.ai had no trigger to start the OAuth flow. The server accepted the connection (tools/list bypasses auth), but every tool call failed with authentication failed: no API key found in context because the token was never acquired.

Auth Flow (Before)

  1. Claude.ai POSTs to / — server accepts (no HTTP-level auth check)
  2. tools/list succeeds (MCP auth middleware skips non-tool-call methods)
  3. tools/call fails — no Bearer token in request, all authenticators fail

Auth Flow (After)

  1. Claude.ai POSTs to / — gets HTTP 401 + WWW-Authenticate: Bearer resource_metadata="<issuer>/.well-known/oauth-protected-resource"
  2. Claude.ai fetches protected resource metadata — discovers authorization server
  3. Claude.ai fetches /.well-known/oauth-authorization-server — gets authorization/token endpoints
  4. Claude.ai completes OAuth flow (authorize → Keycloak login → callback → token exchange)
  5. Claude.ai retries with Authorization: Bearer <jwt> — tool calls succeed

Compatibility

  • Both Bearer token (OAuth) and API key (X-API-Key) auth work simultaneously
  • API key clients are unaffected — MCPAuthGateway passes through requests with X-API-Key header
  • SSE transport also updated with OAuth discovery support

Pull Requests

  • #56 Fix HTTP-level OAuth discovery for MCP clients

Changelog

Others

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v0.13.2

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_0.13.2_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_0.13.2_linux_amd64.tar.gz

Contributors

cjimti
Assets 25
Loading