rusackas opened a new pull request, #41292: URL: https://github.com/apache/superset/pull/41292
### SUMMARY When the MCP service has JWT auth enabled (`MCP_AUTH_ENABLED=True`), the audience claim was only validated if `MCP_JWT_AUDIENCE` happened to be set. With it unset, the verifier was built with audience validation skipped, so any otherwise-valid token from the same issuer was accepted regardless of which service it was minted for. This makes audience configuration a required precondition for MCP JWT auth so tokens are correctly bound to this service: - The default auth factory (`create_default_mcp_auth_factory`) now raises a dedicated `MCPAuthConfigError` when `MCP_AUTH_ENABLED` is true but `MCP_JWT_AUDIENCE` is unset. - The server bootstrap (`_create_auth_provider`) re-raises that error rather than swallowing it. This matters because a swallowed build error returns a `None` provider, and the start path treats `auth_provider is None` as "auth disabled" — i.e. the service would otherwise come up unauthenticated. Failing closed makes the misconfiguration a fast, explicit startup error instead. - API-key-only deployments (JWT auth disabled) are unaffected and do not require an audience. The check is placed at the config/bootstrap layer so it covers both verifier variants (`MCPJWTVerifier` and `DetailedJWTVerifier`) uniformly. ### BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF N/A — backend configuration behavior. ### TESTING INSTRUCTIONS Unit tests added in `tests/unit_tests/mcp_service/test_mcp_config.py` and `tests/unit_tests/mcp_service/test_mcp_server.py`: - `MCP_AUTH_ENABLED=True` without `MCP_JWT_AUDIENCE` raises `MCPAuthConfigError`. - API-key-only auth does not require an audience. - JWT auth with an audience set builds the verifier as before. - `_create_auth_provider` propagates `MCPAuthConfigError` instead of returning `None`. Manual: start the MCP service with `MCP_AUTH_ENABLED=True` and `MCP_JWT_AUDIENCE` unset → startup fails with a clear message. Set `MCP_JWT_AUDIENCE` → starts normally. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Migration is atomic, supports rollback & is backwards-compatible - [ ] Confirm DB migration upgrade and downgrade tested - [ ] Runtime estimates and downtime expectations provided - [ ] Introduces new feature or API - [ ] Removes existing feature or API > Note: this is a backwards-incompatible change for deployments that enable MCP JWT auth without an audience; documented in `UPDATING.md`. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
