idprova-mcp 0.1.1

IDProva MCP auth middleware — drop-in identity verification for MCP servers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

//! Core MCP authentication — verify DAT tokens for MCP tool access.

use idprova_core::dat::constraints::EvaluationContext;
use idprova_core::trust::TrustLevel;

use crate::error::McpAuthError;

/// Result type for MCP auth operations.
pub type Result<T> = std::result::Result<T, McpAuthError>;

/// Information about a successfully verified agent.
#[derive(Debug, Clone)]
pub struct VerifiedAgent {
    /// Agent DID (the subject of the DAT).
    pub aid: String,
    /// Granted scopes.
    pub scope: Vec<String>,
    /// Trust level of the agent.
    pub trust_level: TrustLevel,
    /// Delegator DID (the issuer of the DAT).
    pub delegator: String,
    /// DAT JTI (unique token identifier).
    pub jti: String,
}

/// MCP authentication verifier.
///
/// Verifies DAT bearer tokens against required scopes and public keys.
/// Supports both online (registry lookup) and offline (direct key) modes.
#[derive(Debug, Clone)]
pub struct McpAuth {
    /// Registry URL for online key resolution (None = offline mode).
    registry_url: Option<String>,
}

impl McpAuth {
    /// Create an McpAuth instance that resolves keys via the IDProva registry.
    pub fn new(registry_url: &str) -> Self {
        Self {
            registry_url: Some(registry_url.to_string()),
        }
    }

    /// Create an McpAuth instance for offline (direct key) verification.
    ///
    /// In offline mode, the caller must supply the public key directly
    /// to `verify_request()`.
    pub fn offline() -> Self {
        Self { registry_url: None }
    }

    /// Returns the configured registry URL, if any.
    pub fn registry_url(&self) -> Option<&str> {
        self.registry_url.as_deref()
    }

    /// Verify a DAT token against a required scope.
    ///
    /// - `dat_token`: compact JWS DAT string
    /// - `required_scope`: 4-part scope string (e.g., "mcp:tool:filesystem:read")
    /// - `public_key`: Ed25519 public key bytes of the token issuer
    ///
    /// Returns a [`VerifiedAgent`] on success with the agent's identity and permissions.
    pub fn verify_request(
        &self,
        dat_token: &str,
        required_scope: &str,
        public_key: &[u8; 32],
    ) -> Result<VerifiedAgent> {
        if dat_token.is_empty() {
            return Err(McpAuthError::MissingToken("DAT token is empty".to_string()));
        }

        let ctx = EvaluationContext::default();

        let dat = idprova_verify::verify_dat(dat_token, public_key, required_scope, &ctx)?;

        // Determine trust level from constraints (if present)
        let trust_level = dat
            .claims
            .constraints
            .as_ref()
            .and_then(|c| c.min_trust_level)
            .and_then(|level| match level {
                0 => Some(TrustLevel::L0),
                1 => Some(TrustLevel::L1),
                2 => Some(TrustLevel::L2),
                3 => Some(TrustLevel::L3),
                4 => Some(TrustLevel::L4),
                _ => None,
            })
            .unwrap_or(TrustLevel::L0);

        Ok(VerifiedAgent {
            aid: dat.claims.sub,
            scope: dat.claims.scope,
            trust_level,
            delegator: dat.claims.iss,
            jti: dat.claims.jti,
        })
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use chrono::{Duration, Utc};
    use idprova_core::crypto::KeyPair;
    use idprova_core::dat::Dat;

    fn issue_dat(kp: &KeyPair, scope: &str) -> String {
        let dat = Dat::issue(
            "did:aid:test:operator",
            "did:aid:test:agent",
            vec![scope.to_string()],
            Utc::now() + Duration::hours(24),
            None,
            None,
            kp,
        )
        .unwrap();
        dat.to_compact().unwrap()
    }

    #[test]
    fn test_verify_request_happy_path() {
        let kp = KeyPair::generate();
        let auth = McpAuth::offline();
        let token = issue_dat(&kp, "mcp:tool:filesystem:read");

        let agent = auth
            .verify_request(&token, "mcp:tool:filesystem:read", &kp.public_key_bytes())
            .unwrap();
        assert_eq!(agent.aid, "did:aid:test:agent");
        assert_eq!(agent.delegator, "did:aid:test:operator");
        assert_eq!(agent.trust_level, TrustLevel::L0);
    }

    #[test]
    fn test_verify_request_scope_denied() {
        let kp = KeyPair::generate();
        let auth = McpAuth::offline();
        let token = issue_dat(&kp, "mcp:tool:filesystem:read");

        let err = auth
            .verify_request(&token, "mcp:tool:filesystem:write", &kp.public_key_bytes())
            .unwrap_err();
        assert!(matches!(err, McpAuthError::InsufficientScope(_)));
    }

    #[test]
    fn test_verify_request_wrong_key() {
        let kp = KeyPair::generate();
        let kp2 = KeyPair::generate();
        let auth = McpAuth::offline();
        let token = issue_dat(&kp, "mcp:tool:filesystem:read");

        let err = auth
            .verify_request(&token, "mcp:tool:filesystem:read", &kp2.public_key_bytes())
            .unwrap_err();
        assert!(matches!(err, McpAuthError::VerificationFailed(_)));
    }

    #[test]
    fn test_verify_request_empty_token() {
        let kp = KeyPair::generate();
        let auth = McpAuth::offline();

        let err = auth
            .verify_request("", "mcp:tool:filesystem:read", &kp.public_key_bytes())
            .unwrap_err();
        assert!(matches!(err, McpAuthError::MissingToken(_)));
    }

    #[test]
    fn test_verify_request_wildcard_scope() {
        let kp = KeyPair::generate();
        let auth = McpAuth::offline();
        let token = issue_dat(&kp, "mcp:*:*:*");

        let agent = auth
            .verify_request(&token, "mcp:tool:filesystem:write", &kp.public_key_bytes())
            .unwrap();
        assert_eq!(agent.aid, "did:aid:test:agent");
    }

    #[test]
    fn test_verify_request_expired_token() {
        let kp = KeyPair::generate();
        let auth = McpAuth::offline();
        let dat = Dat::issue(
            "did:aid:test:operator",
            "did:aid:test:agent",
            vec!["mcp:tool:filesystem:read".to_string()],
            Utc::now() - Duration::hours(1),
            None,
            None,
            &kp,
        )
        .unwrap();
        let token = dat.to_compact().unwrap();

        let err = auth
            .verify_request(&token, "mcp:tool:filesystem:read", &kp.public_key_bytes())
            .unwrap_err();
        assert!(matches!(err, McpAuthError::VerificationFailed(_)));
    }

    #[test]
    fn test_offline_has_no_registry() {
        let auth = McpAuth::offline();
        assert!(auth.registry_url().is_none());
    }

    #[test]
    fn test_new_has_registry() {
        let auth = McpAuth::new("https://registry.idprova.dev");
        assert_eq!(auth.registry_url(), Some("https://registry.idprova.dev"));
    }
}