Skip to content

feat: add MCP HTTP transport endpoint with authentication #18670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance
Choose a base branch
from
Open

feat: add MCP HTTP transport endpoint with authentication #18670

wants to merge 1 commit into from
+1,686 −7

Conversation

ThomasK33
Copy link
Member

@ThomasK33 ThomasK33 commented Jun 30, 2025
edited
Loading

Add MCP HTTP server with streamable transport support

  • Add MCP HTTP server with streamable transport support
  • Integrate with existing toolsdk for Coder workspace operations
  • Add comprehensive E2E tests with OAuth2 bearer token support
  • Register MCP endpoint at /api/experimental/mcp/http with authentication
  • Support RFC 6750 Bearer token authentication for MCP clients

Change-Id: Ib9024569ae452729908797c42155006aa04330af
Signed-off-by: Thomas Kosiewski tk@coder.com

This was referenced Jun 30, 2025
Open
Merged
Merged
Open
Open
Open
Open
Open
@ThomasK33 Graphite App
Copy link
Member Author

ThomasK33 commented Jun 30, 2025
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@ThomasK33 ThomasK33 mentioned this pull request Jun 30, 2025
Open
@ThomasK33 ThomasK33 changed the title feat(mcp): implement MCP HTTP server with toolsdk integration feat: add MCP HTTP transport endpoint with authentication Jun 30, 2025
@ThomasK33 ThomasK33 marked this pull request as ready for review June 30, 2025 16:44
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from 4efb07a to 8a3f7a9 Compare June 30, 2025 16:45
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch from 4d966b2 to 4ffc58e Compare June 30, 2025 16:45
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from 8a3f7a9 to e7d56c2 Compare June 30, 2025 17:08
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch from 4ffc58e to 23804bb Compare June 30, 2025 17:08
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from e7d56c2 to 10701da Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch from 23804bb to 06d9b57 Compare June 30, 2025 17:56
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from 10701da to a2607a8 Compare July 1, 2025 09:15
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch from 06d9b57 to cee654a Compare July 1, 2025 09:15
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from a2607a8 to 990f706 Compare July 1, 2025 09:27
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch 2 times, most recently from 8cb9d74 to 3e540ef Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from 990f706 to 95c0496 Compare July 1, 2025 13:23
@ThomasK33 ThomasK33 mentioned this pull request Jul 1, 2025
Open
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_oauth2_remove_unique_constraint_on_app_names_for_rfc_7591_compliance branch from 95c0496 to b17d907 Compare July 1, 2025 13:43
@ThomasK33
feat(mcp): implement MCP HTTP server with toolsdk integration
0447dc7 
- Add MCP HTTP server with streamable transport support
- Integrate with existing toolsdk for Coder workspace operations
- Add comprehensive E2E tests with OAuth2 bearer token support
- Register MCP endpoint at /api/experimental/mcp/http with authentication
- Support RFC 6750 Bearer token authentication for MCP clients

Change-Id: Ib9024569ae452729908797c42155006aa04330af
Signed-off-by: Thomas Kosiewski <tk@coder.com>
@ThomasK33 ThomasK33 force-pushed the thomask33/06-30-feat_mcp_implement_mcp_http_server_with_toolsdk_integration branch from 3e540ef to 0447dc7 Compare July 1, 2025 13:44
johnstcn
johnstcn requested changes Jul 1, 2025
View reviewed changes
Copy link
Member

@johnstcn johnstcn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This appears to still be running inside coderd. I don't think it should exit experimental until it can be run independently of Coder. Could this simply be a separate server subcommand instead? This will allow admins to deploy it separately depending on their threat model. Right now, this just auto-enables it for all deployments regardless of whether you want it or not.

coderd/mcp/mcp_e2e_test.go
func mustParseURL(rawURL string) *url.URL {
u, err := url.Parse(rawURL)
if err != nil {
panic(fmt.Sprintf("Failed to parse URL %q: %v", rawURL, err))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't require.NoError here make more sense?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe. (?)

I'm not opposed to making this a mustParseURL(t *testing.T, ..., but usually most helper functions that mustDoSomething panic on an error.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm down for whatever returns the most meaningful output 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnstcn johnstcn johnstcn requested changes

@dannykopping dannykopping Awaiting requested review from dannykopping

Assignees

@ThomasK33 ThomasK33

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ThomasK33 @johnstcn