Pull all auth settings out into a separate config

Author: praboud-ant

src/mcp/server/auth/router.py

@@ -1,7 +1,6 @@
-from dataclasses import dataclass
 from typing import Callable
 
-from pydantic import AnyHttpUrl
+from pydantic import AnyHttpUrl, BaseModel, Field
 from starlette.routing import Route
 
 from mcp.server.auth.handlers.authorize import AuthorizationHandler
@@ -14,17 +13,29 @@
 from mcp.shared.auth import OAuthMetadata
 
 
-@dataclass
-class ClientRegistrationOptions:
+class ClientRegistrationOptions(BaseModel):
     enabled: bool = False
     client_secret_expiry_seconds: int | None = None
 
 
-@dataclass
-class RevocationOptions:
+class RevocationOptions(BaseModel):
     enabled: bool = False
 
 
+class AuthSettings(BaseModel):
+    issuer_url: AnyHttpUrl = Field(
+        ...,
+        description="URL advertised as OAuth issuer; this should be the URL the server "
+        "is reachable at",
+    )
+    service_documentation_url: AnyHttpUrl | None = Field(
+        None, description="Service documentation URL advertised by OAuth"
+    )
+    client_registration_options: ClientRegistrationOptions | None = None
+    revocation_options: RevocationOptions | None = None
+    required_scopes: list[str] | None = None
+
+
 def validate_issuer_url(url: AnyHttpUrl):
     """
     Validate that the issuer URL meets OAuth 2.0 requirements.

src/mcp/server/fastmcp/server.py

@@ -16,7 +16,7 @@
 import anyio
 import pydantic_core
 import uvicorn
-from pydantic import AnyHttpUrl, BaseModel, Field
+from pydantic import BaseModel, Field
 from pydantic.networks import AnyUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
 from sse_starlette import EventSourceResponse
@@ -30,7 +30,9 @@
     RequireAuthMiddleware,
 )
 from mcp.server.auth.provider import OAuthServerProvider
-from mcp.server.auth.router import ClientRegistrationOptions, RevocationOptions
+from mcp.server.auth.router import (
+    AuthSettings,
+)
 from mcp.server.fastmcp.exceptions import ResourceError
 from mcp.server.fastmcp.prompts import Prompt, PromptManager
 from mcp.server.fastmcp.resources import FunctionResource, Resource, ResourceManager
@@ -71,6 +73,8 @@ class Settings(BaseSettings, Generic[LifespanResultT]):
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_",
         env_file=".env",
+        env_nested_delimiter="__",
+        nested_model_default_partial_update=True,
         extra="ignore",
     )
 
@@ -100,17 +104,7 @@ class Settings(BaseSettings, Generic[LifespanResultT]):
         Callable[["FastMCP"], AbstractAsyncContextManager[LifespanResultT]] | None
     ) = Field(None, description="Lifespan context manager")
 
-    auth_issuer_url: AnyHttpUrl | None = Field(
-        None,
-        description="URL advertised as OAuth issuer; this should be the URL the server "
-        "is reachable at",
-    )
-    auth_service_documentation_url: AnyHttpUrl | None = Field(
-        None, description="Service documentation URL advertised by OAuth"
-    )
-    auth_client_registration_options: ClientRegistrationOptions | None = None
-    auth_revocation_options: RevocationOptions | None = None
-    auth_required_scopes: list[str] | None = None
+    auth: AuthSettings | None = None
 
 
 def lifespan_wrapper(
@@ -151,6 +145,11 @@ def __init__(
         self._prompt_manager = PromptManager(
             warn_on_duplicate_prompts=self.settings.warn_on_duplicate_prompts
         )
+        if (self.settings.auth is not None) != (auth_provider is not None):
+            raise ValueError(
+                "settings.auth must be specified if and only if auth_provider "
+                "is specified"
+            )
         self._auth_provider = auth_provider
         self._custom_starlette_routes = []
         self.dependencies = self.settings.dependencies
@@ -541,12 +540,15 @@ async def handle_sse(request) -> EventSourceResponse:
         # Create routes
         routes = []
         middleware = []
-        required_scopes = self.settings.auth_required_scopes or []
+        required_scopes = []
 
         # Add auth endpoints if auth provider is configured
-        if self._auth_provider and self.settings.auth_issuer_url:
+        if self._auth_provider:
+            assert self.settings.auth
             from mcp.server.auth.router import create_auth_routes
 
+            required_scopes = self.settings.auth.required_scopes or []
+
             middleware = [
                 # extract auth info from request (but do not require it)
                 Middleware(
@@ -562,10 +564,10 @@ async def handle_sse(request) -> EventSourceResponse:
             routes.extend(
                 create_auth_routes(
                     provider=self._auth_provider,
-                    issuer_url=self.settings.auth_issuer_url,
-                    service_documentation_url=self.settings.auth_service_documentation_url,
-                    client_registration_options=self.settings.auth_client_registration_options,
-                    revocation_options=self.settings.auth_revocation_options,
+                    issuer_url=self.settings.auth.issuer_url,
+                    service_documentation_url=self.settings.auth.service_documentation_url,
+                    client_registration_options=self.settings.auth.client_registration_options,
+                    revocation_options=self.settings.auth.revocation_options,
                 )
             )
 

tests/server/fastmcp/auth/test_auth_integration.py

@@ -16,7 +16,6 @@
 from httpx_sse import aconnect_sse
 from pydantic import AnyHttpUrl
 from starlette.applications import Starlette
-from starlette.routing import Mount
 
 from mcp.server.auth.provider import (
     AuthInfo,
@@ -28,6 +27,7 @@
     construct_redirect_uri,
 )
 from mcp.server.auth.router import (
+    AuthSettings,
     ClientRegistrationOptions,
     RevocationOptions,
     create_auth_routes,
@@ -958,11 +958,13 @@ async def test_fastmcp_with_auth(
         # Create FastMCP server with auth provider
         mcp = FastMCP(
             auth_provider=mock_oauth_provider,
-            auth_issuer_url="https://auth.example.com",
             require_auth=True,
-            auth_client_registration_options=ClientRegistrationOptions(enabled=True),
-            auth_revocation_options=RevocationOptions(enabled=True),
-            auth_required_scopes=["read"],
+            auth=AuthSettings(
+                issuer_url=AnyHttpUrl("https://auth.example.com"),
+                client_registration_options=ClientRegistrationOptions(enabled=True),
+                revocation_options=RevocationOptions(enabled=True),
+                required_scopes=["read"],
+            ),
         )
 
         # Add a test tool