chore: Cloud auth #213
Merged
Signed-off-by: phernandez <paul@basicmachines.co>
- Override FastMCP's built-in OAuth endpoints with custom proxy routes
- Add dynamic client registration support via /api/oauth/register
- Proxy OAuth metadata and protected resource endpoints to basic-memory-cloud
- Use FastMCP's @mcp.custom_route decorator for proper integration
- MCP connection works successfully with OAuth flow in Inspector

Note: JWT authentication currently disabled - basic-memory-cloud returns mock tokens instead of real JWTs. Auth will be re-enabled once cloud service issues proper JWT tokens with correct aud/iss claims.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Create StytchBearerAuthProvider that supports URN-style issuer format
- Override FastMCP's bearer auth to handle Stytch's issuer format: "stytch.com/project-..." instead of requiring HTTP(S) URLs
- Update server to use custom auth provider with proper JWT validation
- Configure JWKS URI to validate tokens against Stytch's public keys
- Remove scope validation temporarily (scopes working but format differs)

✅ OAuth flow + JWT validation + MCP connection now works end-to-end
✅ Tokens properly validated against Stytch JWKS endpoint
✅ Audience and issuer validation working with URN format

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
… auth server

- Fix OAuth flow by restoring basic-memory-cloud as authorization server
- Add registration_endpoint to basic-memory-cloud OAuth metadata pointing to Stytch
- Configure basic-memory as protected resource server only
- Remove OAuth proxy routes from basic-memory (no longer needed)
- Update environment variables to point authorization_servers to basic-memory-cloud
- Move auth provider to src/basic_memory/mcp/http/auth.py with proper settings
- Update AUTH_JWT.md documentation to reflect correct architecture

The OAuth flow now works properly:

1. MCP Inspector discovers protected resource at basic-memory:8000
2. Follows authorization_servers to basic-memory-cloud:3000
3. Uses Stytch registration endpoint for dynamic client registration
4. Completes OAuth flow via basic-memory-cloud with Stytch authentication
5. Uses JWT tokens to access basic-memory MCP endpoints

This restores the working state from yesterday where basic-memory-cloud handles OAuth/authentication and basic-memory handles MCP API/authorization.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
…ration

- Add OAuth authorization server metadata endpoint with registration support
- Override MCP's hardcoded OAuth metadata to include public client support
- Implement Stytch dynamic client registration endpoint generation
- Add comprehensive OAuth 2.1 + PKCE support for Claude Desktop authentication
- Configure Fly.io proxy middleware for HTTPS handling in cloud deployments

Key changes:

- OAuth metadata now includes `registration_endpoint` pointing to Stytch
- Support both confidential (`client_secret_post`) and public (`none`) OAuth clients
- Add custom middleware for /mcp path handling without redirects
- Debug OAuth script for testing authentication flows

This enables seamless Claude Desktop authentication with Basic Memory Cloud instances via Stytch magic link authentication and proper OAuth 2.1 flows.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Fixed multiple issues that were causing 13+ integration tests to fail:

1. **Remove legacy migration service**: Deleted migration service that was incorrectly removing .basic-memory config directories during tests
2. **Fix critical ConfigManager bugs**: Corrected get_project method that had multiple bugs including wrong variable names and undefined references
3. **Fix test syntax error**: Corrected test assertion to use proper content[0].text accessor
4. **Improve move_note cross-project detection**: Removed overly aggressive keyword-based detection that was causing false positives with legitimate paths like "projects/2025/q2/work/nested-note.md"
5. **Clean up duplicate tests**: Removed redundant cross-project detection test

All 103 integration tests now pass successfully.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
- Add api_url field to BasicMemoryConfig for connecting to remote Basic Memory APIs
- Refactor async_client.py to conditionally create HTTP or ASGI transport based on config
- Add logging for client creation (info for remote, debug for local)
- Add basic test coverage for both local ASGI and remote HTTP client creation
- When api_url is set, MCP tools will connect to remote API instead of local ASGI transport

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
merge changes from cloud-auth branch