Skip to content

Ahmet/eng 8386 implement oauth 21 authorization and protected resource #2292

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 8 commits into
base: main
Choose a base branch
from
Draft

Ahmet/eng 8386 implement oauth 21 authorization and protected resource #2292

wants to merge 8 commits into from

Conversation

@asoorm
Copy link
Contributor

@asoorm asoorm commented Oct 22, 2025

@coderabbitai summary

Checklist

  • I have discussed my proposed changes in an issue and have received approval to proceed.
  • I have followed the coding standards of the project.
  • Tests or benchmarks have been added or updated.
  • Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
  • I have read the Contributors Guide.

asoorm and others added 8 commits October 20, 2025 14:37
@asoorm
feat(mcp): add configurable header forwarding to GraphQL requests
77c4cc9 
Implements header forwarding from MCP requests to GraphQL endpoint with
opt-in configuration for additional headers beyond Authorization.

Key changes:
- Authorization header is always forwarded (maintains backward compatibility)
- New `forward_headers` config with `enabled` (default: false) and `allow_list`
- Support for exact header matches and regex patterns (e.g., "X-.*")
- Case-insensitive header matching
- Context-based header storage and filtering
- Comprehensive unit tests for filtering logic
- Updated JSON schema with validation

Configuration example:
```yaml
mcp:
  forward_headers:
    enabled: true
    allow_list:
      - "X-Tenant-ID"
      - "X-Trace-ID"
      - "X-.*"
@asoorm
integration tests for MCP header forwarding
5e35c2c
@ysmolski @asoorm
feat(router): support the "oneOf" directive (#2246)
388d7a7 
Used reference: graphql/graphql-spec#825
@asoorm
chore(release): Publish [skip ci]
58e6926 
 - [email protected]
@asoorm
Merge branch 'main' into ahmet/eng-8245-allow-header-forwarding-to-th…
18f4469 
…e-router-in-the-mcp-server
@asoorm
fixing golden files
c82c70a
@asoorm
feat(mcp): add OAuth 2.1 authorization with JWT validation
09c0614 
Implement JWKS-based JWT token validation for MCP server with:

MCPAuthorizationConfiguration for config management
TokenValidator with HTTP middleware integration
JSON schema validation support
Reuses router's authentication infrastructure
Authorization is opt-in (disabled by default) and supports multiple
authorization servers with automatic key rotation.
@asoorm
MCP Server Authorization
3a3845f
@coderabbitai
Copy link

coderabbitai bot commented Oct 22, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-actions
Copy link

github-actions bot commented Oct 22, 2025
edited
Loading

Router image scan passed

✅ No security vulnerabilities found in image:

ghcr.io/wundergraph/cosmo/router:sha-edd09744e52b22dd8b9ed9fd8bbd8bca60fb5139

@github-actions
Copy link

github-actions bot commented Nov 6, 2025

This PR was marked stale due to lack of activity. It will be closed in 14 days.

@github-actions github-actions bot added the Stale label Nov 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Noroth Noroth Awaiting requested review from Noroth Noroth will be requested when the pull request is marked ready for review Noroth is a code owner

@devsergiy devsergiy Awaiting requested review from devsergiy devsergiy will be requested when the pull request is marked ready for review devsergiy is a code owner

@StarpTech StarpTech Awaiting requested review from StarpTech StarpTech will be requested when the pull request is marked ready for review StarpTech is a code owner

@jensneuse jensneuse Awaiting requested review from jensneuse jensneuse will be requested when the pull request is marked ready for review jensneuse is a code owner

@endigma endigma Awaiting requested review from endigma endigma will be requested when the pull request is marked ready for review endigma is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

router Stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@asoorm @ysmolski