feat: implement RFC-compliant OAuth discovery with dynamic scope selection for MCP providers (#28294)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2025-11-20 11:18:16 +08:00
parent 014cbaf387
commit 6be013e072
14 changed files with 442 additions and 141 deletions
--- a/api/services/tools/mcp_tools_manage_service.py
+++ b/api/services/tools/mcp_tools_manage_service.py
@@ -507,7 +507,11 @@ class MCPToolManageService:
        return auth_result.response

    def auth_with_actions(
-        self, provider_entity: MCPProviderEntity, authorization_code: str | None = None
+        self,
+        provider_entity: MCPProviderEntity,
+        authorization_code: str | None = None,
+        resource_metadata_url: str | None = None,
+        scope_hint: str | None = None,
    ) -> dict[str, str]:
        """
        Perform authentication and execute all resulting actions.
@@ -517,11 +521,18 @@ class MCPToolManageService:
        Args:
            provider_entity: The MCP provider entity
            authorization_code: Optional authorization code
+            resource_metadata_url: Optional Protected Resource Metadata URL from WWW-Authenticate
+            scope_hint: Optional scope hint from WWW-Authenticate header

        Returns:
            Response dictionary from auth result
        """
-        auth_result = auth(provider_entity, authorization_code)
+        auth_result = auth(
+            provider_entity,
+            authorization_code,
+            resource_metadata_url=resource_metadata_url,
+            scope_hint=scope_hint,
+        )
        return self.execute_auth_actions(auth_result)

    def _reconnect_provider(self, *, server_url: str, provider: MCPToolProvider) -> ReconnectResult: