Remote serving: Streamable-HTTP + OAuth 2.1 resource-server #4
Merged
…rver

Adds the remote counterpart to serve_stdio: a py2mcp FastMCP server can now be served over Streamable HTTP with OAuth 2.1, wrapping FastMCP's native machinery (no transport/auth code reinvented).

py2mcp/http.py:
- mk_auth_provider(auth): an auth-config dict -> a fastmcp RemoteAuthProvider (resource server). type='jwt' validates a managed IdP's JWTs via JWTVerifier, audience-bound (RFC 8707) so a token for another service can't be replayed; publishes RFC 9728 protected-resource metadata pointing at the IdP. Never issues tokens itself (no AS, no confused-deputy, no token passthrough).
- mk_http_app(refs, *, auth=None, transport='streamable-http', stateless_http): build the server + attach auth -> a Starlette ASGI app for any ASGI server.
- serve_http(refs, *, host, port, auth): build and run (blocking) via uvicorn.
- mk_mcp_server/mk_mcp_from_refs gained an optional `auth` (attached at FastMCP construction); `python -m py2mcp --http` reads auth/host/port from the config.

Building the provider/app performs NO network I/O (JWKS fetch is lazy), so it is safe at scaffold/import time and fully offline-testable.

First customer: coact's claude-remote-connector publish target (coact writes packaging; py2mcp builds + serves the MCP server — same split as the .mcpb stdio path).

12 offline tests.
What

Adds the remote counterpart to `serve_stdio`: a py2mcp `FastMCP` server can now be served over Streamable HTTP with OAuth 2.1, wrapping FastMCP's native transports/OAuth (nothing reinvented). New `py2mcp/http.py`:

- `mk_auth_provider(auth)` — an auth-config dict → a fastmcp `RemoteAuthProvider` (a resource server). `type='jwt'` validates a managed IdP's JWTs via `JWTVerifier`, audience-bound (RFC 8707) so a token minted for another service can't be replayed; publishes RFC 9728 `/.well-known/oauth-protected-resource` pointing at the IdP. It never issues tokens (no AS, no confused-deputy, no token passthrough).
- `mk_http_app(refs, *, auth=None, transport='streamable-http', stateless_http=...)` — build + attach auth → a Starlette ASGI app to run under any ASGI server.
- `serve_http(refs, *, host, port, auth)` — build and run (blocking) via FastMCP/uvicorn.

`mk_mcp_server`/`mk_mcp_from_refs` gained an optional `auth` (attached at FastMCP construction); `python -m py2mcp --http` reads `auth`/`host`/`port` from the config.

Why

First customer is coact's upcoming `claude-remote-connector` publish target. Per coact's D17 division of labour, coact writes packaging/deploy scaffolding and py2mcp builds + serves the MCP server — the same split as the local `.mcpb` stdio path (which uses `serve_stdio`). aw_agents has no HTTP/OAuth, so this is the right home.

Safety / tests

Building the provider and ASGI app does no network I/O (JWKS fetch is lazy), so it is safe at scaffold/import time and fully offline-testable. 12 new offline tests; full suite + doctests green; ruff clean.

`fastmcp` is already a core dep (its `server.auth` provides all the OAuth machinery).