40 changes: 40 additions & 0 deletions tests/e2e/api/README.md
@@ -228,6 +228,46 @@ Run locally (from this directory):
# options: --port <port> (default 8090), --html, --json, --verbose, --bail
```

### MCP Auth Tests

| Path | Description |
|------|-------------|
| `collections/bifrost-v1-mcp-auth.postman_collection.json` | Asserts inbound `/mcp` authentication across the three server auth modes (`headers` / `both` / `oauth`): discovery gating, the credential connect matrix, the full issuance flow, refresh rotation + family revocation, the revocation window, and the runtime `headers`→`both` upgrade. |
| `runners/individual/run-newman-mcp-auth-tests.sh` | Builds + starts the upstream MCP server, then boots a fresh server per `client.mcp_server_auth_mode` and runs the collection against each. |

Like the auth-matrix runner, this one **boots its own servers** — each mode needs a
different boot config. It also builds and starts the upstream MCP server
(`examples/mcps/http-no-ping-server`) so `/mcp` exposes real tools, and pre-seeds it
as an MCP client plus two virtual keys (one active, one inactive). It requires a
built `bifrost-http` binary.

The collection's test scripts branch on the `auth_mode` env-var, so a single
collection encodes the full matrix. Per mode it asserts:

- **`headers` (default):** discovery endpoints 404; every virtual-key credential
(`x-bf-vk`, `Authorization: Bearer <vk>`, `x-api-key`) connects exactly as before;
anonymous connects when auth is not enforced; an inactive key never connects. The
OAuth surface is invisible.
- **`both`:** every header-credential outcome is identical to `headers`, and only
*adds* JWT acceptance + live discovery; an invalid JWT is rejected with
`WWW-Authenticate`.
- **`oauth`:** header credentials and anonymous are rejected (401 +
`WWW-Authenticate`); only issued JWTs connect.

In `both`/`oauth` it also runs the end-to-end issuance flow (dynamic client
registration, PKCE-S256 authorize, consent bound to a virtual key or to a
server-minted session, token exchange, JWT connect), then refresh rotation with
stolen-token family revocation, the revocation window (a revoked grant stops refresh
while its already-issued access token keeps working until expiry), and — from the
`headers` boot — the runtime `headers`→`both` upgrade.

Run locally (from this directory):

```bash
./runners/individual/run-newman-mcp-auth-tests.sh --binary /path/to/bifrost-http
# options: --port <port> (default 8090), --html, --json, --verbose, --bail
```
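Review bot: the revocation-window sentence in the last paragraph ("a revoked grant stops refresh while its already-issued access token keeps working until expiry") never states the access-token lifetime the runner's boot config uses, so a reader cannot tell how long that window is or whether the collection waits for expiry and asserts that the token is finally rejected; add one sentence giving the configured lifetime and saying whether expiry is asserted. The `headers` bullet has the same gap: "anonymous connects when auth is not enforced" does not name the boot-config setting that toggles enforcement, so the matrix cannot be reproduced outside the runner without reading the script.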
Comment on lines +268 to +269
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Document --mcp-port in MCP auth runner options.

Line 268 lists runner flags but omits --mcp-port, which the runner supports (see run-newman-mcp-auth-tests.sh, Line 66). This makes local runs harder when port 3001 is occupied.

📝 Suggested doc fix
-# options: --port <port> (default 8090), --html, --json, --verbose, --bail
+# options: --port <port> (default 8090), --mcp-port <port> (default 3001), --html, --json, --verbose, --bail
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/e2e/api/README.md` around lines 268 - 269, The documentation comment
for MCP auth runner options is missing the `--mcp-port` flag from the list of
supported options. Update the comment line that documents the runner options
(currently showing `--port`, `--html`, `--json`, `--verbose`, `--bail`) to also
include `--mcp-port` with an appropriate description (e.g., default port number
for MCP server). This will allow users to easily discover and use the flag when
configuring local test runs.


### Test Success Criteria

A request **passes** if either: