JWT Authentication Implementation

Implementation: JWT authentication is provided by oauth-mcp-proxy.
For JWT configuration, validation logic, and security details, see the oauth-mcp-proxy documentation.

This document describes the JWT-based authentication architecture for mcp-trino server, providing secure access control at the server level.

Overview

The mcp-trino server implements JWT Bearer token authentication with server-level request interception, ensuring complete API protection for all MCP methods. This approach provides security for the entire API surface, not just individual tools.

Architecture

Authentication Flow

Key Flow Steps:

HTTP Request: Client sends request with Authorization: Bearer <jwt-token> header
Token Extraction: Server extracts token from headers into request context
Server-Level Authentication: Authentication hook validates token before any processing
Request Processing: If authenticated, request proceeds to appropriate MCP handler

Security Model

Complete API Protection

All MCP Methods Protected: Every API endpoint requires authentication
Server-Level Enforcement: Authentication applied before method-specific processing
Early Termination: Invalid requests rejected immediately
Context Propagation: User information available throughout request lifecycle

JWT Validation Features

Signature Verification: Proper HMAC-SHA256 signature validation
Claims Validation: Required claims checking (sub, exp, iat)
Token Caching: Performance optimization with secure secret caching
Secure Token Logging: JWT tokens logged as SHA256 hashes to prevent exposure
Mandatory JWT_SECRET: Server fails to start without JWT_SECRET in HMAC mode

Configuration

Environment Variables

# Authentication Configuration
OAUTH_ENABLED=true        # Default: true (secure by default)
JWT_SECRET=your-secret-key      # JWT signing secret (REQUIRED - server fails without it)

# Transport Configuration
MCP_TRANSPORT=http              # Enable HTTP transport
MCP_PORT=8080                   # Server port

Required JWT Claims

JWT tokens must include the following claims:

sub (subject): Required user identifier
preferred_username: Username for logging and display
email: User email address
exp (expiration): Token expiration timestamp
iat (issued at): Token issuance timestamp

Protected API Surface

With server-level authentication, ALL MCP methods are protected:

✅ initialize - Session establishment
✅ tools/list - List available tools
✅ tools/call - Execute tools
✅ resources/list - List available resources
✅ resources/read - Read resources
✅ prompts/list - List available prompts
✅ prompts/get - Get prompt templates
✅ All other MCP methods

Transport Endpoints

Dual Endpoint Support

The server supports both modern and legacy endpoints for backward compatibility:

Endpoint

Status

Description

/mcp

✅ Recommended

Modern StreamableHTTP endpoint

/sse

✅ Legacy Support

Backward compatibility for existing clients

Client Configuration

Modern Endpoint (Recommended):

{
  "mcpServers": {
    "trino-jwt": {
      "url": "https://your-server.com/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_JWT_TOKEN"
      }
    }
  }
}

Legacy Endpoint (Backward Compatibility):

{
  "mcpServers": {
    "trino-jwt": {
      "url": "https://your-server.com/sse",
      "headers": {
        "Authorization": "Bearer YOUR_JWT_TOKEN"
      }
    }
  }
}

Security Features

Authentication Enforcement

Server-Level Security: Authentication applied before any request processing
No Bypass Routes: Every MCP method requires authentication
Proper Error Handling: Clear error messages for authentication failures
Debug Logging: Comprehensive logging for troubleshooting

Token Security

Hash-Based Logging: JWT tokens logged as SHA256 hashes to prevent sensitive data exposure
Secret Enforcement: Server startup blocked without proper JWT_SECRET configuration
Secret Caching: Efficient JWT secret management with sync.Once pattern
Signature Verification: Proper HMAC-SHA256 validation
Claims Validation: Required claims verification
Context Management: Secure token and user information storage

Testing and Validation

Authentication Testing

Valid Token Test: Authenticated requests should succeed
Invalid Token Test: Unauthenticated requests should be blocked
Missing Token Test: Requests without tokens should be rejected
Malformed Token Test: Corrupted tokens should be handled gracefully

Expected Behavior

❌ Unauthenticated requests: Blocked with "authentication required"
✅ Authenticated requests: Allowed with proper JWT token
🔒 All API methods: Protected uniformly across the entire surface

Migration Considerations

From Tool-Only Middleware

If migrating from tool-specific middleware:

Remove tool-specific middleware configuration
Add server-level hooks for complete API protection
Test all MCP methods for proper authentication
Update client configurations to include authentication headers

From SSE Transport

If migrating from Server-Sent Events:

Replace SSE server with StreamableHTTP server
Update client endpoints from /sse to /mcp (optional)
Maintain backward compatibility if needed
Test session management compatibility

Production Considerations

Security Requirements

HTTPS Required: JWT authentication should always use HTTPS in production
Strong Secrets: Use cryptographically strong JWT secrets (minimum 256 bits)
Mandatory Configuration: JWT_SECRET required for HMAC mode (server fails without it)
Secure Logging: JWT tokens logged as hashes to prevent sensitive data exposure
Token Expiration: Implement appropriate token lifetimes
Rate Limiting: Consider adding rate limiting middleware
Audit Logging: Log authentication attempts and failures

Performance Optimizations

Secret Caching: JWT secret cached for performance
Context Efficiency: Minimal overhead for token validation
Early Termination: Invalid requests rejected quickly
Session Management: Proper MCP session handling

Troubleshooting

Common Issues

"authentication required": Missing or malformed Authorization header
"failed to parse token": JWT token corrupted or invalid format
"missing subject in token": JWT missing required sub claim
"unexpected signing method": Token signed with unsupported algorithm

Debug Information

Enable detailed logging to see:

Token extraction from headers
JWT validation results (tokens logged as secure hashes)
User authentication status
Request processing flow
SHA256 token hashes for debugging without exposing sensitive data

Implementation Status

✅ Complete JWT Implementation

Server-level authentication with complete API protection
Secure JWT validation with proper signature verification
Modern StreamableHTTP transport with backward compatibility
Comprehensive testing framework and client integration
Production-ready security features and error handling

The JWT authentication implementation provides robust, server-level security for the mcp-trino server with modern transport protocols and comprehensive API protection.

PreviousMCP Client Integrations NextOAuth 2.1 Authentication Architecture

Last updated 3 months ago

Was this helpful?

Good afternoon

hashtagOverview

hashtagArchitecture

hashtagAuthentication Flow

hashtagSecurity Model

hashtagComplete API Protection

hashtagJWT Validation Features

hashtagConfiguration

hashtagEnvironment Variables

hashtagRequired JWT Claims

hashtagProtected API Surface

hashtagTransport Endpoints

hashtagDual Endpoint Support

hashtagClient Configuration

hashtagSecurity Features

hashtagAuthentication Enforcement

hashtagToken Security

hashtagTesting and Validation

hashtagAuthentication Testing

hashtagExpected Behavior

hashtagMigration Considerations

hashtagFrom Tool-Only Middleware

hashtagFrom SSE Transport

hashtagProduction Considerations

hashtagSecurity Requirements

hashtagPerformance Optimizations

hashtagTroubleshooting

hashtagCommon Issues

hashtagDebug Information

hashtagImplementation Status