Using the OAuthProxy mounted in a FastAPI Server

[joelacummings]

Hi,

This might be a bit of an unusual case. I have a Fast API server that I'm essentially using to integrate two FastMCP servers due to different authentication requirements. So I have one server mounted using the OAuth proxy and one mounted as a plain FastMCP server but I have added some API key checking middleware.

I'm initiallizing both on different starting endpoints /oauth for my oauth implementation and /api-key for my api key implementation. The problem is that servers are looking for the well known resources at the root path:

INFO:     127.0.0.1:47724 - "OPTIONS /.well-known/oauth-protected-resource/oauth/mcp HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "GET /.well-known/oauth-protected-resource/oauth/mcp HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "OPTIONS /.well-known/oauth-protected-resource HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "GET /.well-known/oauth-protected-resource HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "OPTIONS /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "GET /.well-known/oauth-authorization-server HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "OPTIONS /.well-known/openid-configuration HTTP/1.1" 404 Not Found
INFO:     127.0.0.1:47724 - "GET /.well-known/openid-configuration HTTP/1.1" 404 Not Found

So is there a suggested workaround for getting these generated paths to the root level? (They exist at /oauth/.well-known Can I select just those paths from the application and mount them separately with FastAPI? I'm also imagining this will be an issue for the callback as well... Should I just create the routes in Fast API?

Here is the FastMCP/FastAPI code if that is helpful.

PUBLIC_BASE_URL = os.environ.get("PUBLIC_BASE_URL", "http://127.0.0.1:8000/oauth")

auth = OAuthProxy(
    token_verifier=verifier,
    upstream_authorization_endpoint=f"{COGNITO_DOMAIN}.auth.{REGION}.amazoncognito.com/oauth2/authorize",
    upstream_token_endpoint=f"{COGNITO_DOMAIN}.auth.{REGION}.amazoncognito.com/oauth2/token",
    upstream_client_id=COGNITO_CLIENT_ID,
    upstream_client_secret=get_secret(COGNITO_SECRET_NAME),
    base_url=PUBLIC_BASE_URL,
    redirect_path="/callback",
)

# Create the OAuth MCP server
oauth_mcp = FastMCP(
    name="Data Items MCP Server",
    instructions=server_instructions,
    auth=auth
)
MCPToolSet(oauth_mcp)

# create the API Key MCP Server
api_key_mcp = FastMCP(
    name="Data Items MCP Server",
    instructions=server_instructions,
    middleware=[ApiKeyVerificationMiddleware()]
)
MCPToolSet(api_key_mcp, True)
oauth_app = oauth_mcp.http_app(path='/mcp')
api_key_app = api_key_mcp.http_app(path='/mcp')


# Combine both lifespans
@asynccontextmanager
async def combined_lifespan(app: FastAPI):
    # Run both lifespans
    async with api_key_app.lifespan(app):
        async with oauth_app.lifespan(app):
            yield

api = FastAPI(title="Server", lifespan=combined_lifespan)

@api.get('/healthz')
def healthz():
    return {"status": "ok"}

api.mount('/oauth', oauth_app)
api.mount('/api-key', api_key_app)

Also if this just doesn't seem like a good way to handle having two methods of auth or servers I'm open to ideas on that as well.

Thanks

[joelacummings]

I also saw this PR and thought of another possiblity, could I mount another MCP app within my MCP but combine the lifespans to make that compatible?

Something like this but sorting out the lifespan troubles?

# create the API Key MCP Server
api_key_mcp = FastMCP(
    name="Data Items MCP Server",
    instructions=server_instructions,
    middleware=[ApiKeyVerificationMiddleware()],
)
api_key_app = api_key_mcp.http_app(path='/mcp')
MCPToolSet(api_key_mcp, True)

# Create the OAuth MCP server
oauth_mcp = FastMCP(
    name="Data Items MCP Server",
    instructions=server_instructions,
    auth=auth,
    lifespan=api_key_app.lifespan
)
MCPToolSet(oauth_mcp)
oauth_app = oauth_mcp.http_app(path='/oauth/mcp')

oauth_app.mount('/api-key', api_key_app)

Currently with this the /oauth server works but the api_key mounted app does not since I get lifespan issue. I did try passing in a lifespan but I suspect I'm not doing this as intended.

I get this error:

RuntimeError: FastMCP's StreamableHTTPSessionManager task group was not initialized. This commonly occurs when the FastMCP application's lifespan is not passed to the parent ASGI application (e.g., FastAPI or Starlette). Please ensure you are setting `lifespan=mcp_app.lifespan` in your parent app's constructor, where `mcp_app` is the application instance returned by `fastmcp_instance.http_app()`. \nFor more details, see the FastMCP ASGI integration documentation: https://gofastmcp.com/deployment/asgi\nOriginal error: Task group is not initialized. Make sure to use run().