Add MCP_AUTH_CONFIG for inline OAuth tokens#89
Merged
Conversation
Deploying mcp serve in Kubernetes with a read-only root filesystem made auth.json awkward: MCP_AUTH_PATH only accepts a file path, so OAuth tokens had to be mounted as a file instead of injected from a Secret like every other piece of config. MCP_SERVERS_CONFIG already solved this for servers.json — auth needed the same escape hatch. Mirror the MCP_SERVERS_CONFIG pattern: when MCP_AUTH_CONFIG is set, load_auth_store reads the JSON inline and skips the file entirely, taking precedence over MCP_AUTH_PATH. Since auth.json is mutable (OAuth refresh writes new tokens), save_auth_store becomes a no-op in inline mode with a single warn log via std::sync::Once — refresh keeps working in-process for the pod's lifetime, and on restart the Secret is read again. Documented as a container-only feature in the k8s/docker how-tos so it doesn't pollute the workstation guide. Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
Adds a container-focused escape hatch for OAuth token storage by allowing auth.json to be provided inline via an environment variable, mirroring the existing MCP_SERVERS_CONFIG pattern used for servers.json.
Changes:
- Introduces
MCP_AUTH_CONFIG(higher precedence thanMCP_AUTH_PATH) to load the auth store from inline JSON. - Makes
save_auth_storea no-op whenMCP_AUTH_CONFIGis set (with a one-timewarn), and adds unit tests for inline-mode behavior. - Documents
MCP_AUTH_CONFIGusage and precedence across the environment variable reference and the Kubernetes/Docker/container configuration guides.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
src/auth/store.rs |
Adds inline auth store loading via MCP_AUTH_CONFIG, makes saves no-op in inline mode, and adds tests. |
docs/reference/environment-variables.md |
Documents MCP_AUTH_CONFIG, its precedence, and intended container use. |
docs/howto/kubernetes.md |
Adds Kubernetes Secret-based deployment instructions for inline OAuth tokens. |
docs/howto/docker.md |
Adds MCP_AUTH_CONFIG to the container env var list and Docker OAuth limitations guidance. |
docs/guides/configuration.md |
Adds a container/Kubernetes section describing inline JSON env vars for config and auth. |
Signed-off-by: Avelino <31996+avelino@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Deploying mcp serve in Kubernetes with a read-only root filesystem made auth.json awkward: MCP_AUTH_PATH only accepts a file path, so OAuth tokens had to be mounted as a file instead of injected from a Secret like every other piece of config. MCP_SERVERS_CONFIG already solved this for servers.json — auth needed the same escape hatch.
Mirror the MCP_SERVERS_CONFIG pattern: when MCP_AUTH_CONFIG is set, load_auth_store reads the JSON inline and skips the file entirely, taking precedence over MCP_AUTH_PATH. Since auth.json is mutable (OAuth refresh writes new tokens), save_auth_store becomes a no-op in inline mode with a single warn log via std::sync::Once — refresh keeps working in-process for the pod's lifetime, and on restart the Secret is read again. Documented as a container-only feature in the k8s/docker how-tos so it doesn't pollute the workstation guide.