mcp: add to route config, 401 when unauthenticated (#5578)

2025-06-01 02:12:50 +02:00 · 2025-04-22 11:47:09 -04:00 · 2025-04-22 11:47:09 -04:00 · e71fca76f2
commit e71fca76f2
parent a10b505386
6 changed files with 889 additions and 775 deletions
--- a/authorize/check_response.go
+++ b/authorize/check_response.go
@ -98,6 +98,9 @@ func (a *Authorize) handleResultDenied(
 	case invalidClientCertReason(reasons):
 		denyStatusCode = httputil.StatusInvalidClientCertificate
 		denyStatusText = httputil.DetailsText(httputil.StatusInvalidClientCertificate)
+	case request.Policy.IsMCP():
+		denyStatusCode = http.StatusUnauthorized
+		denyStatusText = httputil.DetailsText(http.StatusUnauthorized)
 	}

 	return a.deniedResponse(ctx, in, denyStatusCode, denyStatusText, nil)
@ -216,7 +219,7 @@ func (a *Authorize) requireLoginResponse(
 	options := a.currentConfig.Load().Options
 	state := a.state.Load()

-	if !a.shouldRedirect(in) {
+	if !a.shouldRedirect(in, request) {
 		return a.deniedResponse(ctx, in, http.StatusUnauthorized, "Unauthenticated", nil)
 	}

@ -268,7 +271,7 @@ func (a *Authorize) requireWebAuthnResponse(
 		return a.okResponse(result.Headers), nil
 	}

-	if !a.shouldRedirect(in) {
+	if !a.shouldRedirect(in, request) {
 		return a.deniedResponse(ctx, in, http.StatusUnauthorized, "Unauthenticated", nil)
 	}

@ -353,7 +356,11 @@ func (a *Authorize) userInfoEndpointURL(in *envoy_service_auth_v3.CheckRequest)
 	return urlutil.NewSignedURL(a.state.Load().sharedKey, debugEndpoint).Sign(), nil
 }

-func (a *Authorize) shouldRedirect(in *envoy_service_auth_v3.CheckRequest) bool {
+func (a *Authorize) shouldRedirect(in *envoy_service_auth_v3.CheckRequest, request *evaluator.Request) bool {
+	if request.Policy.IsMCP() {
+		return false
+	}
+
 	requestHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
 	if requestHeaders == nil {
 		return true