
auth: add integration tests for security best practices conformance

Open frenchi opened this issue 3 months ago • 3 comments

This PR adds integration tests to catch Security Best Practices 2.2 Token Passthrough.

Add HTTP middleware integration tests to validate MCP Security Best Practices conformance:

  • Invalid tokens (e.g., wrong audience/unknown issuer) return 401, set WWW-Authenticate, and do not invoke the handler
  • Missing required scopes return 403 and set WWW-Authenticate; valid tokens succeed (200)
  • No token passthrough: downstream requests do not receive the client Authorization header

Contributes towards #12345

frenchi avatar Sep 12 '25 08:09 frenchi
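As an added illustration (not code from this PR or from the go-sdk itself), the three behaviours the description lists, exercised through a stand-in middleware with a constructed verifier: the `TokenInfo` type, the `resource_metadata` URL, the token strings and the `mcp:tools` scope are all assumptions, and the only point where it goes beyond the PR text is that the middleware also strips the inbound `Authorization` header so a handler cannot forward it by accident.

```go
package main
import (
	"context"
	"errors"
	"net/http"
	"net/http/httptest"
	"slices"
	"strings"
)
type TokenInfo struct{ Scopes []string } // illustrative stand-in for the SDK's verifier result
const challenge = `Bearer resource_metadata="https://mcp.example/.well-known/oauth-protected-resource"`
// RequireBearer wraps next: 401 when the verifier rejects the token, 403 when the required scope
// is missing (both carry WWW-Authenticate), and the client credential is stripped before next runs.
func RequireBearer(verify func(context.Context, string) (*TokenInfo, error), scope string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		info, err := (*TokenInfo)(nil), errors.New("missing bearer token")
		if raw, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer "); ok {
			info, err = verify(r.Context(), raw) // the verifier alone decides what is acceptable
		}
		if err != nil {
			w.Header().Set("WWW-Authenticate", challenge+`, error="invalid_token"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // the wrapped handler is never invoked
		}
		if !slices.Contains(info.Scopes, scope) {
			w.Header().Set("WWW-Authenticate", challenge+`, error="insufficient_scope", scope="`+scope+`"`)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Del("Authorization") // no token passthrough to anything the handler calls
		next.ServeHTTP(w, r)
	})
}
// Probe sends one request through the middleware and reports status, WWW-Authenticate, whether the
// handler ran, and the Authorization value the handler saw (what it could have passed downstream).
func Probe(authz string) (code int, www string, ran bool, seen string) {
	// Constructed tokens: only those minted for audience "mcp-server" are known to the verifier.
	accepted := map[string][]string{"aud=mcp-server;scope=mcp:tools": {"mcp:tools"}, "aud=mcp-server": {}}
	verify := func(_ context.Context, tok string) (*TokenInfo, error) {
		if scopes, ok := accepted[tok]; ok {
			return &TokenInfo{Scopes: scopes}, nil
		}
		return nil, errors.New("token not issued for this server") // wrong audience or unknown issuer
	}
	h := RequireBearer(verify, "mcp:tools", http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) { ran, seen = true, r.Header.Get("Authorization") }))
	req := httptest.NewRequest("POST", "/mcp", nil)
	req.Header.Set("Authorization", authz)
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Header().Get("WWW-Authenticate"), ran, seen
}
```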

No objections, I just want to read the doc first. It may be a couple of days.

jba avatar Sep 16 '25 19:09 jba

@samthanawalla, could you please help with this review?

findleyr avatar Oct 07 '25 14:10 findleyr

I don't understand something. The spec says "MCP servers MUST NOT accept any tokens that were not explicitly issued for the MCP server." But the decision on whether to accept the token or not is left up to the TokenVerifier and is out of scope for our SDK. So how can we test this behavior?

jba avatar Oct 07 '25 17:10 jba