@mjunaidca
Owner

Summary

  • Standardize OAuth scopes to use only OIDC standard scopes (openid, profile, email) - removes custom taskflow:read/write scopes that Better Auth doesn't support
  • Add RFC 8414 OAuth Authorization Server Metadata endpoint (/.well-known/oauth-authorization-server) for MCP client discovery
  • Add taskflow MCP server configuration to .mcp.json

Changes

MCP Server (packages/mcp-server/src/taskflow_mcp/server.py)

  • Removed custom taskflow:read and taskflow:write scopes from OAuth metadata
  • Updated /.well-known/oauth-protected-resource to return standard OIDC scopes
  • Added comments explaining Better Auth scope limitations

SSO Platform (sso-platform/src/app/.well-known/oauth-authorization-server/route.ts)

  • New: RFC 8414 compliant OAuth AS metadata endpoint
  • Returns authorization, token, device authorization, userinfo, revocation, and JWKS endpoints
  • Supports MCP clients (Claude Code, Gemini CLI) that use RFC 8414 discovery

Configuration (.mcp.json)

  • Added taskflow MCP server entry with HTTP transport

Test plan

  • Verify MCP server responds correctly to /.well-known/oauth-protected-resource
  • Verify SSO responds correctly to /.well-known/oauth-authorization-server
  • Test OAuth flow with standard OIDC scopes
  • Verify MCP client (Claude Code) can discover and authenticate

🤖 Generated with Claude Code
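
A check for the test-plan item on `/.well-known/oauth-authorization-server`, written as an added example that is not part of this PR or the TaskFlow code base. It assumes the route emits the RFC 8414, RFC 8628 and OIDC Discovery field names for the endpoints listed above; the host `sso.example.test` and all paths are constructed placeholders.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/oauth-authorization-server"
OIDC_SCOPES = {"openid", "profile", "email"}  # the scopes this PR standardizes on
# Endpoints the PR description says the route returns (assumed standard field names).
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "device_authorization_endpoint",
             "userinfo_endpoint", "revocation_endpoint", "jwks_uri")

def metadata_url(issuer):
    """RFC 8414 section 3: the well-known segment goes between host and issuer path."""
    u = urlsplit(issuer)
    return f"{u.scheme}://{u.netloc}{WELL_KNOWN}{u.path.rstrip('/')}"

def check_metadata(doc, expected_issuer):
    """Return a list of problems; an empty list means the document passed."""
    problems = []
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        # RFC 8414 section 3.3: clients must not use metadata whose issuer differs.
        problems.append(f"issuer mismatch: {issuer!r}")
    u = urlsplit(issuer if isinstance(issuer, str) else "")
    if u.scheme != "https" or u.query or u.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    if not doc.get("response_types_supported"):
        problems.append("response_types_supported is required")
    for name in ENDPOINTS:
        value = doc.get(name)
        if not isinstance(value, str):
            problems.append(f"{name} missing")
        elif urlsplit(value).scheme != "https":
            # Policy of this example: TLS everywhere (a local dev setup would relax it).
            problems.append(f"{name} is not https")
    extra = set(doc.get("scopes_supported", [])) - OIDC_SCOPES
    if extra:
        problems.append(f"non-OIDC scopes advertised: {sorted(extra)}")
    return problems

# Constructed sample document; sso.example.test and the paths are placeholders.
ISSUER = "https://sso.example.test"
SAMPLE = {"issuer": ISSUER, "response_types_supported": ["code"],
          "scopes_supported": ["openid", "profile", "email"],
          **{name: f"{ISSUER}/placeholder/{name}" for name in ENDPOINTS}}

if __name__ == "__main__":
    print(metadata_url(ISSUER))
    print(check_metadata(SAMPLE, ISSUER) or "metadata OK")
```

Run against a fetched document, the same function flags a leftover `taskflow:read` or `taskflow:write` in `scopes_supported`, which is the regression this PR is meant to remove.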

mjunaidca and others added 6 commits December 11, 2025 06:02
This commit finalizes the implementation of OAuth 2.0 authentication for the TaskFlow MCP server, enabling seamless integration for CLI agents. Key updates include:

- Introduced Device Flow for headless CLI authentication, allowing agents to authenticate without a browser.
- Implemented JWT validation middleware for secure token handling.
- Simplified tool signatures by removing user_id and access_token parameters, leveraging user context from middleware.
- Updated ChatKit integration to utilize header-based authentication.

These enhancements ensure that all MCP clients can authenticate using the standard Authorization: Bearer <token> header, reinforcing the principle of agents as first-class citizens in the TaskFlow platform.
This commit expands the authentication capabilities of the TaskFlow API by introducing support for opaque access tokens alongside JWTs. Key updates include:

- Added `verify_opaque_token` function to validate opaque tokens via the SSO userinfo endpoint.
- Updated `get_current_user` to attempt JWT validation first, falling back to opaque token validation if necessary.
- Enhanced audit logging to include client ID and client name for better traceability of actions performed by different OAuth clients.
- Updated relevant routes and services to ensure consistent handling of both token types.

These enhancements reinforce the platform's commitment to robust authentication mechanisms and improve the overall user experience for CLI agents and other clients.

…rmation display

This commit improves the AuditContent component by refining how audit details are formatted. Key changes include:

- Excluded `client_id` and `client_name` from detail formatting to streamline the output.
- Enhanced the display of client information by showing "via Client" when `client_name` is present.
- Updated the layout to allow for better wrapping of audit entry details.

These enhancements aim to improve the clarity and usability of the audit logs in the web dashboard, ensuring that relevant information is presented effectively.

- Remove custom taskflow:read/write scopes, use standard OIDC scopes only
- Add /.well-known/oauth-authorization-server route for MCP client discovery
- Add taskflow MCP server config to .mcp.json
- Aligns with Better Auth which doesn't support custom scopes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Created PR #26 for OAuth standardization with RFC 8414 compliance.
- Removed custom taskflow:read/write scopes, standardized to OIDC scopes only.
- Added RFC 8414 OAuth AS metadata endpoint for MCP client discovery.
- Updated taskflow MCP server config in .mcp.json.

This commit reflects the autonomous execution of a git workflow, ensuring alignment with OAuth standards and enhancing the MCP server's capabilities.

…ChatKitServer

- Simplified the retrieval of the `max_occurrences` value by removing unnecessary line breaks for better readability.
- Ensured that the logic for fetching the value remains intact, maintaining functionality.

This change enhances code clarity without altering the existing behavior of the TaskFlowChatKitServer.

@mjunaidca mjunaidca merged commit 67cef91 into main Dec 11, 2025
5 checks passed