Title: Bind transport sessions to the authenticated principal by maxisbey · Pull Request #2718 · modelcontextprotocol/python-sdk · GitHub
Open Graph Title: Bind transport sessions to the authenticated principal by maxisbey · Pull Request #2718 · modelcontextprotocol/python-sdk
X Title: Bind transport sessions to the authenticated principal by maxisbey · Pull Request #2718 · modelcontextprotocol/python-sdk
Description: Summary The Streamable HTTP and SSE transports now record the principal that created each session — the OAuth client together with the issuer and subject when the token verifier supplies them — and serve subsequent requests for that session only when they present the same principal. Requests presenting a different principal receive the same 404 response as for an unknown session ID. SSE session entries are also removed when the connection ends rather than retained for the lifetime of the transport. The new in-process SSE tests bring connect_sse, handle_post_message, and TransportSecurityMiddleware under tracked coverage, so the corresponding no cover pragmas are removed. Motivation Brings the Python transports in line with the Go SDK (TokenInfo.UserID-keyed) and C# SDK (UserIdClaim-keyed). Relevant for hosted MCP hosts and gateways where many end-users go through one OAuth client. Behaviour Server Effect No auth, or non-BearerAuthBackend auth None — no principal is recorded and the comparison always passes BearerAuthBackend, verifier populates subject/claims["iss"] Sessions keyed on {client_id, issuer, subject} BearerAuthBackend, verifier does not Absent components are None and the comparison degrades to the remaining ones — see the simple-auth example verifier for populating them Test plan Streamable HTTP: parametrised over POST/GET/DELETE; same-client / different-client / different-subject / different-issuer / unauthenticated SSE: same matrix; verifies session entry is gone after disconnect; in-process round-trip and edge-case tests TransportSecurityMiddleware.validate_request host/origin/content-type tests Full suite, ruff, pyright, ./scripts/test clean Breaking changes None for default deployments. A hand-rolled SSE setup that applies BearerAuthBackend only to the POST route and not the GET route would now reject every message; MCPServer applies auth at the app level and is unaffected. AI Disclaimer
Open Graph Description: Summary The Streamable HTTP and SSE transports now record the principal that created each session — the OAuth client together with the issuer and subject when the token verifier supplies them — and...
X Description: Summary The Streamable HTTP and SSE transports now record the principal that created each session — the OAuth client together with the issuer and subject when the token verifier supplies them — and...
Opengraph URL: https://github.com/modelcontextprotocol/python-sdk/pull/2718
X: @github
Domain: github.com
| route-pattern | /:user_id/:repository/pull/:id/files(.:format) |
| route-controller | pull_requests |
| route-action | files |
| fetch-nonce | v2:f3f83a2d-7b8c-0b60-40d5-c15ea2326dae |
| current-catalog-service-hash | ae870bc5e265a340912cde392f23dad3671a0a881730ffdadd82f2f57d81641b |
| request-id | 9264:1AA1A0:243FF1:2F4D8C:6A5ACCAF |
| html-safe-nonce | 9ffcc4076ecd6fff3c391cc5a1923ee4d3b1dccc663e97d8efacefc621abe6a0 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiI5MjY0OjFBQTFBMDoyNDNGRjE6MkY0RDhDOjZBNUFDQ0FGIiwidmlzaXRvcl9pZCI6IjU1MjY3MjE0NzU0MTAzMTY0NjMiLCJyZWdpb25fZWRnZSI6ImlhZCIsInJlZ2lvbl9yZW5kZXIiOiJpYWQifQ== |
| visitor-hmac | fa977c40fb0aa5f47c1c8394ded2919877b8a7297f96d2681dee8b2611d9aa79 |
| hovercard-subject-tag | pull_request:3770054216 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/modelcontextprotocol/python-sdk/pull/2718/files |
| twitter:image | https://avatars.githubusercontent.com/u/224885523?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/u/224885523?s=400&v=4 |
| og:image:alt | Summary The Streamable HTTP and SSE transports now record the principal that created each session — the OAuth client together with the issuer and subject when the token verifier supplies them — and... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | 887a0902ea4987c46dd44cbc73dfadecb93a29560d7519a576fcecd81716148c |
| turbo-cache-control | no-preview |
| diff-view | unified |
| go-import | github.com/modelcontextprotocol/python-sdk git https://github.com/modelcontextprotocol/python-sdk.git |
| octolytics-dimension-user_id | 182288589 |
| octolytics-dimension-user_login | modelcontextprotocol |
| octolytics-dimension-repository_id | 862584018 |
| octolytics-dimension-repository_nwo | modelcontextprotocol/python-sdk |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 862584018 |
| octolytics-dimension-repository_network_root_nwo | modelcontextprotocol/python-sdk |
| turbo-body-classes | logged-out env-production page-responsive full-width |
| disable-turbo | true |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 2606513ce6b72f8b775db6a60283f9cf7d4d70a5 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width