WORKSPACE_EXTERNAL_URL - add an document usage

2025-08-22 09:51:49 -04:00
parent 4c424d95d5
commit f1b06446bc
10 changed files with 80 additions and 40 deletions
--- a/auth/oauth_config.py
+++ b/auth/oauth_config.py
@@ -25,7 +25,10 @@ class OAuthConfig:
        # Base server configuration
        self.base_uri = os.getenv("WORKSPACE_MCP_BASE_URI", "http://localhost")
        self.port = int(os.getenv("PORT", os.getenv("WORKSPACE_MCP_PORT", "8000")))
-        self.base_url = f"{self.base_uri}"
+        self.base_url = f"{self.base_uri}:{self.port}"
+        
+        # External URL for reverse proxy scenarios
+        self.external_url = os.getenv("WORKSPACE_EXTERNAL_URL")

        # OAuth client configuration
        self.client_id = os.getenv("GOOGLE_OAUTH_CLIENT_ID")
@@ -112,10 +115,15 @@ class OAuthConfig:
    def get_oauth_base_url(self) -> str:
        """
        Get OAuth base URL for constructing OAuth endpoints.
+        
+        Uses WORKSPACE_EXTERNAL_URL if set (for reverse proxy scenarios),
+        otherwise falls back to constructed base_url with port.

        Returns:
            Base URL for OAuth endpoints
        """
+        if self.external_url:
+            return self.external_url
        return self.base_url

    def validate_redirect_uri(self, uri: str) -> bool:
@@ -140,6 +148,8 @@ class OAuthConfig:
        """
        return {
            "base_url": self.base_url,
+            "external_url": self.external_url,
+            "effective_oauth_url": self.get_oauth_base_url(),
            "redirect_uri": self.redirect_uri,
            "client_configured": bool(self.client_id),
            "oauth21_enabled": self.oauth21_enabled,
@@ -232,11 +242,12 @@ class OAuthConfig:
        Returns:
            Authorization server metadata dictionary
        """
+        oauth_base = self.get_oauth_base_url()
        metadata = {
-            "issuer": self.base_url,
-            "authorization_endpoint": f"{self.base_url}/oauth2/authorize",
-            "token_endpoint": f"{self.base_url}/oauth2/token",
-            "registration_endpoint": f"{self.base_url}/oauth2/register",
+            "issuer": oauth_base,
+            "authorization_endpoint": f"{oauth_base}/oauth2/authorize",
+            "token_endpoint": f"{oauth_base}/oauth2/token",
+            "registration_endpoint": f"{oauth_base}/oauth2/register",
            "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
            "response_types_supported": ["code", "token"],
            "grant_types_supported": ["authorization_code", "refresh_token"],