Add forwardAuthorization flag for conditional token forwarding #147
hrntknr merged 3 commits into sigbit:main from
- Introduced `--proxy-forward-authorization` command line option.
- Updated configuration documentation to include new option.
- Modified proxy handling to conditionally forward the Authorization header based on the new flag.
- Added tests to verify the behavior of the new flag.
Pull request overview
Adds a configuration flag to optionally forward the incoming Authorization: Bearer … header to the backend after the proxy validates the token, instead of stripping it by default.
Changes:
- Introduces `--proxy-forward-authorization`/`PROXY_FORWARD_AUTHORIZATION` and wires it through CLI → runner → proxy router.
- Updates proxy routing logic to conditionally retain or strip the `Authorization` header, while still allowing configured proxy headers to override it.
- Adds/updates tests to cover default stripping and explicit forwarding behavior.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| `pkg/proxy/proxy.go` | Adds forwardAuthorizationHeader to ProxyRouter and conditionally strips Authorization before proxying. |
| `pkg/proxy/proxy_test.go` | Updates router construction for new parameter and adds tests for default strip vs enabled forward behavior. |
| `pkg/mcp-proxy/main.go` | Propagates the new forwarding boolean into NewProxyRouter creation. |
| `main.go` | Adds CLI flag/env default parsing and passes the new parameter into the runner. |
| `main_test.go` | Extends runner signature and adds a CLI-flag test for --proxy-forward-authorization. |
| `docs/docs/configuration.md` | Documents the new CLI flag and environment variable in configuration docs. |
```go
func TestNewRootCommand_ForwardAuthorizationFlag(t *testing.T) {
	t.Setenv("PROXY_FORWARD_AUTHORIZATION", "")

	var forwardAuthorization bool
```
The new --proxy-forward-authorization flag is tested, but there’s no test that verifies the PROXY_FORWARD_AUTHORIZATION environment variable is correctly wired into newRootCommand (e.g., catching a typo in the env var name). Consider adding a TestNewRootCommand_ForwardAuthorizationFromEnv similar to TestNewRootCommand_HTTPStreamingOnlyFromEnv.
Thanks for the PR! Before going deeper, could you share a bit more about the use case?
Hi! I have a use case in which the mcp-auth-proxy would be used as an authenticator (that is DCR capable, since Entra doesn't support it) and the authorization is made in the backend server. The exact use case is to use mcp-grafana, which passes the Authorization towards Grafana, where I can have JWT auth that authorizes a specific user. I don't want to use JWT claim mapping because they can be spoofed. (Let me know if I have missed something.)
The JWKS endpoint is exposed in
I have validated this use case and it's working as I need it.
Oh, there was indeed a JWKS endpoint... thank you
Ah, I see now. You want mcp-auth-proxy to function as a lightweight DCR adapter that doesn't perform any authentication or authorization itself.
Well it authenticates and passes the authentication tokens onwards :) |
hrntknr
left a comment
Thanks for the fix, and thanks for the report about the spoofing issue too.
Please fix only the lint issues.
Introduce a new configuration option to control whether the incoming Authorization bearer token is forwarded to the backend after validation. By default, the proxy strips the Authorization header before forwarding requests, but with the new `--proxy-forward-authorization` flag (or `PROXY_FORWARD_AUTHORIZATION` environment variable), this behavior can be changed. The implementation includes updates to the CLI, configuration, proxy logic, and comprehensive tests to cover the new functionality.

New Authorization Forwarding Feature:

- Added the `--proxy-forward-authorization` CLI flag and `PROXY_FORWARD_AUTHORIZATION` environment variable, allowing users to forward the incoming Authorization bearer token to the backend after validation. This is documented in `configuration.md` and wired into the CLI and environment variable parsing.
- Updated the proxy runner, main logic, and proxy router to accept and propagate the new `forwardAuthorizationHeader` boolean parameter throughout the application.

Proxy Logic Changes:

Testing Enhancements:

These changes provide users with more control over how authentication information is handled when proxying requests, improving flexibility and security.

- Introduced `--proxy-forward-authorization` command line option.

Summary

Now possible to pass JWT token towards backend servers for identity mapping via Authorization header.

Type of Change
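The strip-by-default, forward-on-flag behaviour that the review overview and the description above lay out, as an added example that is not the project's code: `ProxyHeaderPolicy`, `Apply` and `OutboundHeaders` are constructed names standing in for the PR's `forwardAuthorizationHeader` wiring, the in-process backend is a test server, and the header values are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// ProxyHeaderPolicy is a constructed stand-in for the PR's forwardAuthorizationHeader
// flag: once the proxy has validated the bearer token, Authorization is stripped unless
// ForwardAuthorization is set, and configured proxy headers are applied last so they win.
type ProxyHeaderPolicy struct {
	ForwardAuthorization bool
	ProxyHeaders         map[string]string // static headers from config (constructed)
}

// Apply rewrites the outbound request headers according to the policy.
func (p ProxyHeaderPolicy) Apply(req *http.Request) {
	if !p.ForwardAuthorization {
		req.Header.Del("Authorization")
	}
	for k, v := range p.ProxyHeaders {
		req.Header.Set(k, v)
	}
}

// OutboundHeaders proxies one request to an in-process backend and returns the
// headers the backend actually received, so the policy can be checked end to end.
func OutboundHeaders(policy ProxyHeaderPolicy, inbound http.Header) http.Header {
	var seen http.Header
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Clone()
	}))
	defer backend.Close()
	target, _ := url.Parse(backend.URL)
	rp := httputil.NewSingleHostReverseProxy(target)
	director := rp.Director
	rp.Director = func(r *http.Request) { director(r); policy.Apply(r) }
	req := httptest.NewRequest(http.MethodGet, "/mcp", nil)
	req.Header = inbound.Clone()
	rp.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}

func main() {
	in := http.Header{"Authorization": {"Bearer constructed-token"}}
	fmt.Println(OutboundHeaders(ProxyHeaderPolicy{}, in).Get("Authorization") == "")
	fmt.Println(OutboundHeaders(ProxyHeaderPolicy{ForwardAuthorization: true}, in).Get("Authorization"))
}
```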