SaaS fixes (#6578)

Co-authored-by: Claude Opus 4.8 <[email protected]>
Co-authored-by: James Brunton <[email protected]>
Co-authored-by: Reece Browne <[email protected]>
Co-authored-by: ConnorYoh <[email protected]>
Co-authored-by: Reece <[email protected]>
Co-authored-by: EthanHealy01 <[email protected]>
Co-authored-by: Ludy <[email protected]>
This commit is contained in:
Anthony Stirling
2026-06-16 16:41:25 +01:00
committed by GitHub
co-authored by Claude Opus 4.8 James Brunton Reece Browne ConnorYoh Reece EthanHealy01 Ludy
parent 96accea984
commit ddf78d11ae
415 changed files with 29552 additions and 5855 deletions
+24
View File
@@ -77,6 +77,30 @@ if echo "$PRM_BODY" | grep -q "mcp.tools"; then
else
fail "metadata missing mcp.tools scopes"
fi
# RFC 9728 path-inserted form: clients derive {origin}/.well-known/oauth-protected-resource/mcp
# for a resource at /mcp. This must serve the SAME customized metadata; a default document here
# (no authorization_servers) makes clients fall back to treating Stirling as its own AS.
PRM_SUB=$(curl -s -o /tmp/mcp_prm_sub.json -w "%{http_code}" "${PRM_URL}/mcp")
PRM_SUB_BODY=$(cat /tmp/mcp_prm_sub.json 2>/dev/null)
if [ "$PRM_SUB" = "200" ]; then
pass "GET ${PRM_URL}/mcp -> 200 (RFC 9728 path-inserted form)"
else
fail "GET ${PRM_URL}/mcp -> $PRM_SUB (expected 200)"
fi
if echo "$PRM_SUB_BODY" | grep -q "realms/$REALM"; then
pass "path-inserted metadata advertises the Keycloak authorization server"
else
fail "path-inserted metadata missing authorization_servers (filter-chain fall-through regression)"
fi
WWW_AUTH=$(curl -s -o /dev/null -D - -X POST "$MCP_URL" \
-H "Content-Type: application/json" \
-d '{"jsonrpc":"2.0","id":1,"method":"ping"}' | grep -i '^WWW-Authenticate:')
if echo "$WWW_AUTH" | grep -q 'oauth-protected-resource/mcp'; then
pass "401 WWW-Authenticate advertises the path-inserted metadata URL"
else
fail "401 WWW-Authenticate lacks the path-inserted metadata URL: $WWW_AUTH"
fi
echo ""
# unauthenticated access is rejected