fix: use POST ping for StreamableHTTP health checks and unauthenticated liveness probes #4146
Open
ecthelion77 wants to merge 1 commit into IBM:main from
Signed-off-by: Olivier Gintrand <olivier.gintrand@forterro.com>
🐛 Bug-fix PR
🔗 Issue
Closes #4154
📌 Summary
StreamableHTTP servers return 405 Method Not Allowed during health checks because the gateway uses a full MCP SDK client initialize() call which sends HTTP methods the server does not accept for health probing. Additionally, servers configured with authorization_code OAuth grant fail liveness checks because the gateway has no user token to authenticate with.
🔁 Reproduction Steps
authorization_code gateways: health checks fail with 401/403 even when the server is up
🐞 Root Cause
_check_streamablehttp_health() method creates a full streamablehttp_client() session and calls session.initialize(), which sends MCP protocol handshake messages. Many StreamableHTTP servers only accept POST with specific JSON-RPC payloads, returning 405 for the SDK's approach.
authorization_code grant type gateways, the health check runs as the gateway service account, which has no user-delegated OAuth token. The server correctly rejects the unauthenticated request.
💡 Fix Description
initialize() call with a lightweight POST request sending a JSON-RPC ping method. This is the standard MCP liveness check that StreamableHTTP servers accept. A 200 response (or even a valid JSON-RPC error response) confirms the server is alive.
authorization_code grant type, skip OAuth token injection and send the ping without credentials. A 401/403 response is treated as "server is alive" (it responded), while connection errors or timeouts indicate the server is truly down.
🧪 Verification
make lint
make test
make coverage
📐 MCP Compliance (if relevant)
✅ Checklist
make black isort pre-commit)
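The liveness rules from the fix description above, as an added example that is not the PR's code or the gateway's implementation. The names `classify` and `probe`, the bearer-token header for other grant types, and the choice to count every other status as unhealthy are assumptions.

```python
from __future__ import annotations
import json
import urllib.error
import urllib.request

PING = {"jsonrpc": "2.0", "id": 1, "method": "ping"}  # JSON-RPC ping request

def is_jsonrpc_reply(body: bytes) -> bool:
    """True if body parses as a JSON-RPC 2.0 response (result or error)."""
    try:
        msg = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return False
    return (isinstance(msg, dict) and msg.get("jsonrpc") == "2.0"
            and ("result" in msg or "error" in msg))

def classify(status: int, body: bytes, grant_type: str | None) -> bool:
    """Apply the described liveness rules to one HTTP response."""
    if status == 200 or is_jsonrpc_reply(body):
        return True
    # authorization_code gateways are probed without a token, so 401/403 only
    # proves the server answered; it says nothing about credential validity.
    if grant_type == "authorization_code" and status in (401, 403):
        return True
    return False  # assumption: any other status counts as unhealthy

def probe(url: str, grant_type: str | None = None, token: str | None = None,
          timeout: float = 5.0) -> bool:
    """POST the ping and classify the outcome; hypothetical helper."""
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    # No user-delegated token exists for authorization_code, so send none.
    if token and grant_type != "authorization_code":
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=json.dumps(PING).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            # Skip reading a 200 body: it may be an open event stream.
            body = b"" if resp.status == 200 else resp.read(65536)
            return classify(resp.status, body, grant_type)
    except urllib.error.HTTPError as err:  # 4xx/5xx: the server did answer
        return classify(err.code, err.read(), grant_type)
    except OSError:  # refused connection, DNS failure, timeout: server is down
        return False
```

A 401/403 counted as alive here means only that the endpoint responded, so monitoring built on it should not be read as confirmation that OAuth is configured correctly.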