You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Implement outgoing authentication strategies for vMCP (#2451)
* Reorganize incoming auth factory into subfolder to prevent an import cycle
Move incoming authentication factory from pkg/vmcp/auth/ to
pkg/vmcp/auth/factory/ subfolder to improve code organization.
This separates factory code from core authentication types and
middleware.
* Refactor outgoing auth to separate registry from strategy
Rename OutgoingAuthenticator to OutgoingAuthRegistry to better reflect
its responsibility as a strategy registry rather than an authenticator.
The interface now focuses solely on strategy management (registration
and retrieval), while authentication is performed directly by Strategy
implementations.
This separation improves performance by eliminating indirection in the
hot path (per-request authentication) and clarifies the single
responsibility of each component: the registry manages strategies,
strategies perform authentication.
* Add factory package to resolve auth import cycle
Introduces pkg/vmcp/auth/factory to break the circular dependency
between pkg/vmcp/auth and pkg/vmcp/auth/strategies.
The import cycle occurred because:
- auth package needed to import strategies to instantiate them
- strategies package imported auth for Identity and context helpers
The factory package sits at the composition layer and can import both
auth (for interfaces) and strategies (for implementations) without
creating cycles.
* Integrate authentication registry into HTTP backend client
Refactors HTTPBackendClient to accept an OutgoingAuthRegistry and
apply authentication strategies to all backend requests via a new
authRoundTripper middleware.
Authentication is now resolved and validated once at client creation
time rather than per-request, improving performance and enabling
early error detection for misconfigurations.
The authRoundTripper clones requests to preserve immutability before
applying authentication, ensuring thread-safety and preventing
unintended side effects.
* Apply auth configuration in backend discoverer
The CLI backend discoverer now accepts authentication configuration and
applies it to discovered backends during the discovery process.
This change enables per-backend authentication by:
- Adding authConfig parameter to NewCLIBackendDiscoverer constructor
- Implementing resolveAuthConfig() to select backend-specific or default
authentication settings with proper precedence
- Populating Backend.AuthStrategy and Backend.AuthMetadata fields during
backend creation
Authentication configuration follows this precedence:
1. Backend-specific configuration (cfg.Backends[backendID])
2. Default configuration (cfg.Default)
3. No authentication (if neither is configured)
The populated authentication fields are later consumed when converting
Backend instances to BackendTarget for use by the HTTP client's
authRoundTripper.
* Complete outgoing authentication integration in serve command
Finalizes the end-to-end authentication flow by connecting the
authentication factory, backend discoverer, and HTTP client in the
serve command. This enables vMCP proxy to authenticate requests to
downstream MCP servers using configured authentication strategies.
The serve command now:
- Creates outgoing authenticator from configuration using the factory
- Provides authentication config to backend discoverer for setup
- Supplies authenticator to HTTP client for request signing
- Uses factory for incoming authentication middleware (consistency)
This completes the authentication architecture where configuration
flows through the factory to create strategies that are applied by
the client's round tripper to outgoing requests.
Also simplifies redundant type annotation in client variable
declaration for consistency with Go style conventions.
* Add explicit unauthenticated strategy for vMCP
Replace the pattern of passing nil authenticators with an explicit
UnauthenticatedStrategy that implements the Strategy interface as a
no-op. This makes the intent clear in configuration and improves
type safety by eliminating nil checks.
The strategy is appropriate for backends on trusted networks or where
authentication is handled at the network layer. Configuration now
explicitly declares "strategy: unauthenticated" instead of relying
on implicit nil behavior.
* Implement HeaderInjection authentication strategy
Add HeaderInjectionStrategy for injecting static header values into
backend requests. This general-purpose strategy supports any HTTP header
with any static value, enabling flexible authentication schemes like API
keys, bearer tokens, and custom auth headers.
The strategy extracts header_name and api_key from metadata configuration
and validates them to prevent CRLF injection attacks using pkg/validation
functions. Validation occurs at configuration time for fail-fast behavior.
* Update validator to only accept implemented strategies
Limit validTypes to strategies actually implemented in this PR:
- unauthenticated
- header_injection
Comment out unimplemented strategies with TODO to add them as they
are implemented in future PRs. This prevents accepting configuration
for strategies that don't exist yet.
* Update example configs to use implemented strategies
Update example configuration files to use only implemented
authentication strategies (unauthenticated and header_injection).
Changes:
- Replace pass_through with unauthenticated in defaults
- Show header_injection example for backends
- Comment out unimplemented strategies (pass_through, token_exchange,
service_account) with TODOs
- Add clear notes about which strategies are currently implemented
This ensures example configs are valid and can be used immediately
without validation errors.
* Rename api_key to header_value in HeaderInjectionStrategy
Rename the misleading 'api_key' field to 'header_value' to better
reflect that this strategy can inject any HTTP header value, not just
API keys. This improves semantic clarity and matches the general-
purpose nature of the strategy.
* Fix header_injection metadata parsing in YAML loader
Add dedicated rawHeaderInjectionAuth struct and update
transformBackendAuthStrategy to properly parse header_injection
configuration from YAML files.
Previously, the header_injection strategy used a generic metadata field
in YAML, but the transform function had no case to handle it, resulting
in empty metadata maps. This follows the established pattern used by
token_exchange and service_account strategies.
The YAML format is now consistent across all strategies:
backends:
github:
type: header_injection
header_injection:
header_name: Authorization
header_value: Bearer xxx
* Fix auth loss when querying backend capabilities
QueryCapabilities was manually creating BackendTarget but omitted
AuthStrategy and AuthMetadata fields, causing all backends to fall
back to unauthenticated strategy during capability queries.
Replace manual struct creation with BackendToTarget() helper to
ensure all fields (including auth) are properly copied from Backend
to BackendTarget.
This bug prevented per-backend authentication from working during
the initial capability discovery phase, even though auth was
correctly configured by the discoverer.
0 commit comments