feat(mcp): multi-tenant Entra ID validation#2629
Open
fahreddinozcan wants to merge 2 commits into
Open
Conversation
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
3 tasks
Detect inbound Entra v2 tokens by issuer pattern, fetch per-teamspace configuration (tenantId, audience, requiredScope) from the Context7 app, and verify the token against the matching tenant's JWKS. The MCP server only validates — user resolution happens in the app middleware against the entra_user_mappings table. Per-tenant JWKS cache and a 5-minute in-memory config cache keyed by JWT audience reduce overhead under load.
fahreddinozcan
force-pushed
the
ctx7-1655-azure-apim-integration
branch
from
f98154f to
741781f
Compare
fahreddinozcan
changed the title
Resolves prettier/eslint errors blocking the test workflow, and refreshes the changeset to match the actual MCP-side behavior (validate only; user resolution lives in the app middleware).
enesgules
reviewed
May 25, 2026
| requiredScope: string | null; | ||
| } | ||
|
|
||
| const CONFIG_TTL_MS = 5 * 60 * 1000; |
Collaborator
There was a problem hiding this comment.
Caching null results under the same 5-minute TTL means one transient failure (5xx, network blip, JSON parse error) locks every Entra token for that audience out of the server for 5 minutes with a misleading Unknown audience error.
Suggest only negative-caching on an explicit 404 - anything else should bypass the cache so the next request retries:
if (res.ok) {
value = (await res-json()) as EntraConfig;
} else if (res status != 404) {
return null; // transient - don't cache
}
In the app we have
- 404 when getEntraConfigByAudience(audience) returns null — that's the authoritative "this audience is not configured" answer. Safe to cache.
- 400 for missing audience (won't happen from the MCP server).
- 500 in the catch block — any exception thrown by Redis or the service layer. That's the "I don't know" case. Not safe to cache.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
entra_user_mappings.Test plan
pnpm --filter @upstash/context7-mcp testpasses (jwt.test.ts covers Entra path + Clerk path + scope enforcement)Unknown audience