
tests: add MCP auth e2e collection covering discovery, credential matrix, OAuth issuance, refresh rotation, revocation window, and runtime mode flip#4525

Open
Pratham-Mishra04 wants to merge 1 commit into 06-18-feat_adds_mcp_oauth_server_type_e2e_tests from 06-18-feat_mcp_oauth_server_e2e_tests

Conversation

@Pratham-Mishra04

Collaborator

Summary

Adds a comprehensive end-to-end test suite for MCP inbound authentication, covering all three server auth modes (headers, both, oauth) in a single Postman collection driven by a dedicated Newman runner.

Changes

  • Added bifrost-v1-mcp-auth.postman_collection.json with five new test folders:
    • Config validation: asserts that unknown mcp_server_auth_mode values and oauth2_server_config payloads sent with headers mode are rejected with 400, and that the boot mode round-trips correctly through GET /api/config.
    • Full OAuth flow (virtual-key identity): covers dynamic client registration, PKCE-S256 authorize, consent bound to a virtual key, token exchange, JWT connect to /mcp, refresh rotation, and stolen-token family revocation (replaying a rotated refresh token revokes the entire grant family).
    • Revocation window: issues a fresh grant, revokes it via the management API, then asserts that the refresh token is immediately rejected while the already-issued short-lived access token continues to connect until expiry.
    • Full OAuth flow (session identity): consent mints a server-side session identity, the resulting JWT connects to /mcp, and then enabling enforce_auth_on_inference at runtime causes that same session token to be rejected.
    • Runtime config flip (headers → both): from a headers-mode boot, upgrades to both via PUT /api/config, confirms discovery endpoints come alive, and verifies header-VK connections are unaffected.
  • All test scripts branch on the auth_mode env-var so a single collection encodes the full credential matrix across modes; steps that do not apply to a given mode are skipped with a passing no-op assertion.
  • Added --ignore-redirects to the Newman invocation in run-newman-mcp-auth-tests.sh so that authorize redirects are captured as 302 responses rather than followed, allowing the collection to extract flow IDs from Location headers.
  • Updated README.md with a full description of the new collection and runner, including per-mode assertion summaries and local run instructions.

Type of change

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Chore/CI

Affected areas

  • Core (Go)
  • Transports (HTTP)
  • Providers/Integrations
  • Plugins
  • UI (React)
  • Docs

How to test

Run the MCP auth test suite locally from tests/e2e/api:

./runners/individual/run-newman-mcp-auth-tests.sh --binary /path/to/bifrost-http

# Optional flags
# --port <port>   (default 8090)
# --html          emit HTML report
# --json          emit JSON report
# --verbose       verbose Newman output
# --bail          stop on first failure

The runner builds and starts the upstream MCP server (examples/mcps/http-no-ping-server), boots a fresh server instance per mcp_server_auth_mode, pre-seeds an MCP client and two virtual keys (one active, one inactive), and executes the collection against each mode in sequence. A built bifrost-http binary is required.

Screenshots/Recordings

N/A

Breaking changes

  • Yes
  • No

Related issues

N/A

Security considerations

The collection exercises the full OAuth 2.0 issuance surface including PKCE, refresh rotation, stolen-token family revocation, and the revocation window. No secrets are introduced; all credentials are ephemeral test values seeded by the runner.

Checklist

  • I read docs/contributing/README.md and followed the guidelines
  • I added/updated tests where appropriate
  • I updated documentation where needed
  • I verified builds succeed (Go and UI)
  • I verified the CI pipeline passes locally if applicable
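The description above lists the token-lifecycle rules the collection asserts (refresh rotation, stolen-token family revocation on replay, the revocation window, and PKCE S256). As an added illustration that is not Bifrost's code and not part of this PR, the following in-memory model implements those rules so the expected accept/reject outcomes can be traced; the `TokenServer` class, its method names, the `vk_active` subject and the clock values are constructed assumptions.

```python
"""Toy model of refresh rotation, family revocation on replay, the revocation
window, and PKCE S256 verification (RFC 7636). Added example, not Bifrost code;
class and function names are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url(raw: bytes) -> str:
    """Unpadded base64url, as used by JWT and PKCE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_verify(verifier: str, challenge: str) -> bool:
    """Token-endpoint check of the verifier against the stored challenge (RFC 7636 4.6)."""
    return hmac.compare_digest(pkce_challenge_s256(verifier), challenge)


class TokenServer:
    """In-memory authorization server: grant families, one-use refresh tokens,
    and HMAC-signed self-contained access tokens validated by expiry only."""

    ACCESS_TTL = 300  # seconds; short-lived by design

    def __init__(self, now=time.time):
        self._now = now
        self._key = secrets.token_bytes(32)
        self._grants = {}   # family_id -> {"subject", "revoked", "current"}
        self._refresh = {}  # refresh_token -> family_id

    def _mint_access(self, subject: str, family_id: str) -> str:
        claims = {"sub": subject, "fam": family_id, "exp": int(self._now()) + self.ACCESS_TTL}
        payload = b64url(json.dumps(claims).encode())
        sig = b64url(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        return f"{payload}.{sig}"

    def _rotate_refresh(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._refresh[token] = family_id
        self._grants[family_id]["current"] = token  # only the newest token is live
        return token

    def issue(self, subject: str) -> dict:
        """Token exchange after consent: starts a new grant family."""
        family_id = secrets.token_hex(8)
        self._grants[family_id] = {"subject": subject, "revoked": False, "current": None}
        return {"family_id": family_id,
                "access_token": self._mint_access(subject, family_id),
                "refresh_token": self._rotate_refresh(family_id)}

    def refresh(self, refresh_token: str) -> dict:
        family_id = self._refresh.get(refresh_token)
        if family_id is None:
            raise PermissionError("unknown refresh token")
        grant = self._grants[family_id]
        if grant["revoked"]:
            raise PermissionError("grant revoked")
        if grant["current"] != refresh_token:
            # An already-rotated token came back: treat as theft and revoke
            # the whole family so neither holder can continue.
            grant["revoked"] = True
            raise PermissionError("refresh token replay; family revoked")
        return {"family_id": family_id,
                "access_token": self._mint_access(grant["subject"], family_id),
                "refresh_token": self._rotate_refresh(family_id)}

    def revoke_grant(self, family_id: str) -> None:
        """Management-API revocation: blocks further refreshes immediately."""
        self._grants[family_id]["revoked"] = True

    def validate_access(self, token: str) -> bool:
        """Stateless resource-server check (signature + exp). Revoking the grant
        does not reach tokens already issued: that gap is the revocation window,
        bounded by ACCESS_TTL."""
        try:
            payload, sig = token.split(".")
        except ValueError:
            return False
        expected = b64url(hmac.new(self._key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return False
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        return claims["exp"] > self._now()


def demo() -> dict:
    """Walks the scenarios with a controllable clock and returns the observed outcomes."""
    clock = [1_700_000_000]  # constructed epoch time
    srv = TokenServer(now=lambda: clock[0])

    def try_refresh(tok):
        try:
            srv.refresh(tok)
            return "accepted"
        except PermissionError:
            return "rejected"

    first = srv.issue("vk_active")                 # constructed virtual-key subject
    second = srv.refresh(first["refresh_token"])   # normal rotation
    out = {"replay_of_rotated": try_refresh(first["refresh_token"]),
           "family_after_replay": try_refresh(second["refresh_token"])}

    fresh = srv.issue("vk_active")
    srv.revoke_grant(fresh["family_id"])
    out["refresh_after_revoke"] = try_refresh(fresh["refresh_token"])
    out["access_in_window"] = srv.validate_access(fresh["access_token"])
    clock[0] += TokenServer.ACCESS_TTL + 1
    out["access_after_expiry"] = srv.validate_access(fresh["access_token"])
    return out
```

`demo()` mirrors the collection's folders: the replay of a rotated refresh token is rejected and also poisons the family so the legitimate holder's newer token fails, and after a management-API revocation the refresh path is closed at once while the existing access token keeps validating until its `exp` passes. The access check is deliberately stateless, which is exactly why the window exists and why `ACCESS_TTL` should stay short.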

@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Pratham-Mishra04 commented Jun 18, 2026

Collaborator Author

@coderabbitai

coderabbitai Bot commented Jun 18, 2026

Contributor


📝 Walkthrough

Summary by CodeRabbit

  • Tests

    • Expanded MCP authentication end-to-end coverage, including OAuth config validation, PKCE-based authorization, virtual-key and session identity flows, refresh rotation with replay failure, revocation-window behavior, and runtime config switching.
    • Updated the MCP auth test runner to ignore HTTP redirects during Postman execution.
  • Documentation

    • Added a new “MCP Auth Tests” section documenting the auth test collection(s), runner behavior across auth modes, expected outcomes, and local run commands/options.

Walkthrough

Extends the MCP auth Postman collection with config validation, full OAuth virtual-key identity and session identity flows, revocation window tests, and a runtime config flip scenario. The Newman runner gains --ignore-redirects, and the README gains a new MCP Auth Tests documentation section.

Changes

MCP Auth E2E Test Suite Expansion

Layer / File(s) Summary
Newman runner flag and README documentation
tests/e2e/api/runners/individual/run-newman-mcp-auth-tests.sh, tests/e2e/api/README.md
Adds --ignore-redirects to newman run in the MCP auth runner and introduces a README section documenting the collection paths, per-mode boot strategy, per-mode acceptance/rejection expectations, and the local run command with options.
Config validation tests
tests/e2e/api/collections/bifrost-v1-mcp-auth.postman_collection.json
Adds a Config validation suite that PUTs invalid mcp_server_auth_mode and incompatible oauth2_server_config to /api/config (expecting 400), then round-trips a GET to confirm the boot mode persists.
Full OAuth flows: virtual-key identity and revocation window
tests/e2e/api/collections/bifrost-v1-mcp-auth.postman_collection.json
Adds end-to-end virtual-key identity OAuth tests (DCR, PKCE S256 authorize, virtual-key consent binding, token exchange, /mcp connection, refresh rotation, stolen-family revocation after replay) and revocation window tests (management API revocation, immediate refresh failure, access token still valid within window).
Session identity flow and runtime config flip
tests/e2e/api/collections/bifrost-v1-mcp-auth.postman_collection.json
Adds session-mode OAuth consent tests confirming /mcp connectivity when enforce_auth_on_inference is off and rejection after runtime enable, plus a headers-boot-only test that flips mcp_server_auth_mode to both, confirms discovery endpoints appear, and verifies header-based virtual-key /mcp remains non-401.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • akshaydeo
  • danpiths

Poem

🐇 Hoppity-hop through the OAuth maze,
Where tokens rotate and sessions ablaze,
The rabbit checks headers, then flips the mode switch,
Revocation windows — no token can snitch!
With --ignore-redirects, we leap without fear,
The MCP auth tests have finally arrived here. 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Title check | Passed | The title accurately and specifically summarizes the main change: adding a comprehensive MCP auth e2e test collection covering multiple scenarios (discovery, OAuth issuance, refresh rotation, revocation window, runtime mode flip).
Description check | Passed | The PR description is well-structured and substantially complete. It includes a clear summary, detailed changes breakdown, type of change selection, affected areas, comprehensive testing instructions, security considerations, and properly completed checklist items.
Docstring Coverage | Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.


@greptile-apps

greptile-apps Bot commented Jun 18, 2026

Contributor

Confidence Score: 5/5

Test-only additions with no changes to production Go or transport code; safe to merge.

All three changed files are test infrastructure. The single-line runner change is mechanical and directly required by the new collection. The collection logic is well-structured with consistent auth_mode guards, correct RFC 7636 PKCE, and robust grant isolation via set-difference.

No files require special attention.

Important Files Changed

Filename Overview
tests/e2e/api/collections/bifrost-v1-mcp-auth.postman_collection.json Adds five new test folders covering the full MCP OAuth surface; grant isolation in the revocation-window folder now uses a pre-snapshot set-difference to avoid ordering issues raised in a prior review.
tests/e2e/api/runners/individual/run-newman-mcp-auth-tests.sh One-line addition of --ignore-redirects to Newman; correctly required so authorize 302s are visible to collection test scripts for Location-header extraction.
tests/e2e/api/README.md Documentation update describing the new collection, runner, per-mode assertion matrix, and local run instructions; accurate and self-consistent.

Reviews (3): Last reviewed commit: "feat: mcp oauth server e2e tests"

Pratham-Mishra04 force-pushed the 06-18-feat_mcp_oauth_server_e2e_tests branch from 395dd0c to a5fa0bd on June 18, 2026 12:22
Pratham-Mishra04 force-pushed the 06-18-feat_adds_mcp_oauth_server_type_e2e_tests branch from 7e7c217 to 32e4bc0 on June 18, 2026 12:22
Pratham-Mishra04 force-pushed the 06-18-feat_adds_mcp_oauth_server_type_e2e_tests branch from 32e4bc0 to 0fc852e on June 18, 2026 12:47
Pratham-Mishra04 force-pushed the 06-18-feat_mcp_oauth_server_e2e_tests branch from a5fa0bd to fb2ee5f on June 18, 2026 12:47

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/e2e/api/README.md`:
- Around line 268-269: The documentation comment for MCP auth runner options is
missing the `--mcp-port` flag from the list of supported options. Update the
comment line that documents the runner options (currently showing `--port`,
`--html`, `--json`, `--verbose`, `--bail`) to also include `--mcp-port` with an
appropriate description (e.g., default port number for MCP server). This will
allow users to easily discover and use the flag when configuring local test
runs.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 76273975-5e1a-4083-b462-b4bf00757edd

📥 Commits

Reviewing files that changed from the base of the PR and between 395dd0c and fb2ee5f.

📒 Files selected for processing (3)
  • tests/e2e/api/README.md
  • tests/e2e/api/collections/bifrost-v1-mcp-auth.postman_collection.json
  • tests/e2e/api/runners/individual/run-newman-mcp-auth-tests.sh

Comment thread on tests/e2e/api/README.md, lines +268 to +269:
# options: --port <port> (default 8090), --html, --json, --verbose, --bail


⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Document --mcp-port in MCP auth runner options.

Line 268 lists runner flags but omits --mcp-port, which the runner supports (see run-newman-mcp-auth-tests.sh, Line 66). This makes local runs harder when port 3001 is occupied.

📝 Suggested doc fix
-# options: --port <port> (default 8090), --html, --json, --verbose, --bail
+# options: --port <port> (default 8090), --mcp-port <port> (default 3001), --html, --json, --verbose, --bail
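Review bot: the suggested replacement line hardcodes "(default 3001)" for --mcp-port, but the only evidence for that value on this page is the comment's own mention of port 3001; before applying, confirm the default in run-newman-mcp-auth-tests.sh (the comment points at its line 66) so the README does not drift from the script, and consider adding the flag to the "Optional flags" list in the PR description's run instructions as well, which omits it in the same way.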
