Which endpoints need to be publicly accessable for Google OAuth2 to work?

[ivanrezic]

This is my main mcp code:

import asyncio
import logging
from concurrent.futures import ThreadPoolExecutor
from contextlib import asynccontextmanager
from typing import Any, Dict

from fastapi import FastAPI, Request
from fastmcp import Context, FastMCP
from fastmcp.server.auth.providers.google import GoogleProvider
from lakehouse.api.config import config
from lakehouse.api.mcp.main import dlh_docs_and_schema_introspection
from lakehouse.api.webhooks import redbrick
from lakehouse.api.webhooks.redbrick import RedbrickWebhookPayload
from lakehouse.api.webhooks.slack import slack_request_handler
from lakehouse.client.metabase import MetabaseClient

logging.basicConfig(level=config.logging_level, format=config.logging_format)

lifespan_context: Dict[str, Any] = {}


@asynccontextmanager
async def api_lifespan(app: FastAPI):
    loop = asyncio.get_running_loop()
    executor = ThreadPoolExecutor(max_workers=config.max_thread_workers)
    loop.set_default_executor(executor)

    lifespan_context["slack_request_handler"] = slack_request_handler

    yield

    # Cleanup
    executor.shutdown(wait=True)
    lifespan_context.clear()


auth = GoogleProvider(
    client_id=config.google_client_id,
    client_secret=config.google_client_secret,
    base_url=config.api_base_url,
)

mcp = FastMCP(
    name="Data Lakehouse Documentation and Schema Server",
    instructions="Provides comprehensive documentation from Notion and database schema introspection for"
    "Data Lakehouse (DLH). Used as a context for query generation.",
    auth=auth,
)
mcp_app = mcp.http_app(path="/mcp")


@asynccontextmanager
async def combined_lifespan(app: FastAPI):
    # necessary for fastmcp integration with fastapi
    # more info: https://gofastmcp.com/integrations/fastapi#combining-lifespans
    async with api_lifespan(app):
        async with mcp_app.lifespan(app):
            yield


app = FastAPI(lifespan=combined_lifespan)
app.mount("/", mcp_app)


async def metabase_client() -> MetabaseClient:
    return MetabaseClient(
        base_url=config.metabase_base_url,
        username=config.metabase_user,
        password=config.metabase_password,
    )


@app.post("/slack/events")
async def endpoint(
    req: Request,
):
    return await lifespan_context["slack_request_handler"].handle(req)


@app.post("/redbrick/webhook")
async def redbrick_webhook_endpoint(payload: RedbrickWebhookPayload):
    """
    Webhook endpoint to receive events from Redbrick
    """
    processed_tasks = await redbrick.handle_webhook(payload)
    return {"status": f"Successfully processed {len(processed_tasks)} tasks."}


@mcp.tool
async def introspect_dlh(ctx: Context) -> str:
    """
    Comprehensive Data Lakehouse introspection tool that first retrieves documentation
    from Notion and then performs database schema introspection.

    Returns a comprehensive text description of both the documentation and database schema.
    Should be used to understand the Data Lakehouse.

    IMPORTANT: When using results to generate SQL:
    - Always quote "case" table name (reserved word)
    - Use PostgreSQL syntax
    - Keep responses concise
    """
    return await dlh_docs_and_schema_introspection(ctx)

And Google OAuth2 works correctly when ran locally.
But when I want to deploy it to internal k8s cluster which is hidden in VPN it doesn't work.

I have made {api_base_url}/mcp publicly accessable and it didn't work, I tried exposing {api_base_url}/auth/callback to public as well but it still doesn't work.

Do I need any other endpoint exposed for OAuth Proxy to work?

[jlowin]

This might be resolved by #1706 which fixes an issue that some nested routes don’t work well with oauth advertisement - hard to say though. As long as you configured your oauth app’s redirect correctly you shouldn’t have to add new routes