rusackas opened a new pull request, #40653: URL: https://github.com/apache/superset/pull/40653
### SUMMARY Hardens the MCP service's JWT authentication path with four strict-mode enforcements. Each is **config-gated** and only fails closed when the relevant configuration is set; otherwise it warns and preserves existing behavior, so single-service / unconfigured deployments are not broken. Stacked on `fix/mcp-auth-error-and-logging` (same files). 1. **Audience enforcement** — When `MCP_JWT_AUDIENCE` IS configured, audience validation is unchanged. When it is NOT configured, the verifier logs a clear WARNING at init that audience validation is disabled. We chose **warn over fail-closed** because failing init would break valid single-service deployments that intentionally omit an audience. 2. **Algorithm enforcement** — Unsigned (`none`) tokens are now **always rejected** in `load_access_token`, regardless of whether an algorithm is pinned (case-insensitive). Additionally, a WARNING is logged at init when no algorithm is pinned. We did not hard-fail on unpinned algorithm because fastmcp's `JWTVerifier` always coerces an algorithm default, and JWKS-based deployments legitimately rely on advertised algorithms. 3. **Issuer-bound user lookup** — For single-issuer deployments (the common case) the issuer is already pinned by the verifier, so the existing username/email lookup key is unambiguous and is left unchanged (changing it would break those deployments). For **multi-issuer** configs (`MCP_JWT_ISSUER` is a list) without an issuer-aware `MCP_USER_RESOLVER`, a WARNING is logged recommending a compound (iss+sub) resolver. This is the least-breaking correct option. 4. **Scope-aware tool authorization** — `check_tool_permission()` now enforces the **intersection** of token scopes and DB RBAC: the tool method (read/write/delete) maps to a required scope and access is denied if the token lacks it. **Critically, this is enforced ONLY when the token actually carries scopes.** Scope-less JWTs, API keys, and dev-mode fall back to the current RBAC-only behavior unchanged. Each enforcement fails closed **only when the relevant config is set**, with explicit back-compat fallbacks documented inline. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend auth hardening, no UI. ### TESTING INSTRUCTIONS Unit tests added/extended (all pass; full `tests/unit_tests/mcp_service/` suite green — 2145 passed): - `test_jwt_verifier.py`: `none` algorithm rejected (pinned and unpinned), audience-missing warns, algorithm-unpinned warns, no warning when fully configured. - `test_auth_rbac.py`: scope intersection denies when token lacks the required scope (read & write), allows when scope present, falls back to RBAC when token has no scopes or no JWT context. - `test_auth_user_resolution.py`: multi-issuer warns without a custom resolver; single-issuer and custom-resolver paths do not warn. Run: `pytest tests/unit_tests/mcp_service/test_jwt_verifier.py tests/unit_tests/mcp_service/test_auth_rbac.py tests/unit_tests/mcp_service/test_auth_user_resolution.py` ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Introduces new feature or API - [ ] Removes existing feature or API > Note: this PR is **stacked** on `fix/mcp-auth-error-and-logging` and targets that branch as its base for a clean diff; it will be re-targeted to `master` after the parent merges. 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
