oauth2.1 truly works

2025-08-02 18:25:08 -04:00
parent 9470a41dde
commit c45bb3956c
7 changed files with 233 additions and 17 deletions
--- a/core/context.py
+++ b/core/context.py
@@ -7,6 +7,11 @@ _injected_oauth_credentials = contextvars.ContextVar(
    "injected_oauth_credentials", default=None
 )

+# Context variable to hold FastMCP session ID for the life of a single request.
+_fastmcp_session_id = contextvars.ContextVar(
+    "fastmcp_session_id", default=None
+)
+
 def get_injected_oauth_credentials():
    """
    Retrieve injected OAuth credentials for the current request context.
@@ -19,4 +24,18 @@ def set_injected_oauth_credentials(credentials: Optional[dict]):
    Set or clear the injected OAuth credentials for the current request context.
    This is called by the service decorator.
    """
-    _injected_oauth_credentials.set(credentials)
+    _injected_oauth_credentials.set(credentials)
+
+def get_fastmcp_session_id() -> Optional[str]:
+    """
+    Retrieve the FastMCP session ID for the current request context.
+    This is called by authentication layer to get the current session.
+    """
+    return _fastmcp_session_id.get()
+
+def set_fastmcp_session_id(session_id: Optional[str]):
+    """
+    Set or clear the FastMCP session ID for the current request context.
+    This is called when a FastMCP request starts.
+    """
+    _fastmcp_session_id.set(session_id)
--- a/core/server.py
+++ b/core/server.py
@@ -453,7 +453,7 @@ async def oauth_authorization_server(request: Request):
                "code_challenge_methods_supported": ["S256"],
                "pkce_required": True,
                "grant_types_supported": ["authorization_code", "refresh_token"],
-                "scopes_supported": ["openid", "email", "profile"],
+                "scopes_supported": SCOPES,
                "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
            },
            headers={
@@ -567,6 +567,13 @@ async def oauth_authorize(request: Request):

    # Ensure response_type is code
    params["response_type"] = "code"
+    
+    # Merge client scopes with our full SCOPES list
+    client_scopes = params.get("scope", "").split() if params.get("scope") else []
+    # Always include all Google Workspace scopes for full functionality
+    all_scopes = set(client_scopes) | set(SCOPES)
+    params["scope"] = " ".join(sorted(all_scopes))
+    logger.info(f"OAuth 2.1 authorization: Requesting scopes: {params['scope']}")

    # Build Google authorization URL
    google_auth_url = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)