feat: Configuration for disabling authorization token passthrough #336
✅ Docs preview ready
The preview is ready to be viewed. View the preview
File Changes: 0 new, 2 changed, 0 removed
Build ID: a1a783ee498e7520d931c31a
URL: https://www.apollographql.com/docs/deploy-preview/a1a783ee498e7520d931c31a

❌ Changeset file missing for PR
All changes should include an associated changeset file.
| .mutation_mode(config.overrides.mutation_mode) | ||
| .disable_type_description(config.overrides.disable_type_description) | ||
| .disable_schema_description(config.overrides.disable_schema_description) | ||
| .disable_auth_token_passthrough(match transport { |
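Review bot: The `match transport {` expression passed inline to `.disable_auth_token_passthrough(...)` puts a security-relevant, per-transport default in the middle of the builder chain. Bind the result to a named local above `Server::builder()` and pass that instead, so the value each transport resolves to (including the case with no auth config) is easy to read and to cover with a unit test.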
Can we shorten this a bit via:
```rust
match transport {
    apollo_mcp_server::server::Transport::STDIO => false,
    _ { auth, .. } => auth.map(...).unwrap_or(false)
}
```
I can't quite get this syntax working? I think the match needs the enum name so it can pull the auth values from the struct. And the compiler isn't smart enough to pull it as an 'else' case?
Thanks for taking care of this issue! Could you also update config-file.mdx to include the new setting?
Pull Request Overview
This PR adds a configuration option to disable authorization token passthrough from the MCP server to upstream GraphQL APIs. This allows users to prevent validated auth tokens from being forwarded when the upstream API uses different authentication methods.
- Added `disable_auth_token_passthrough` boolean configuration parameter with default value of `false`
- Modified token propagation logic to respect the new configuration setting
- Updated all relevant structs and initialization code to include the new parameter
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| crates/apollo-mcp-server/src/auth.rs | Added disable_auth_token_passthrough field to auth Config struct |
| crates/apollo-mcp-server/src/main.rs | Added logic to extract and apply the configuration from transport settings |
| crates/apollo-mcp-server/src/server.rs | Added parameter to Server struct and builder method |
| crates/apollo-mcp-server/src/server/states.rs | Added field to internal Config struct and initialization |
| crates/apollo-mcp-server/src/server/states/starting.rs | Passed configuration to Running state |
| crates/apollo-mcp-server/src/server/states/running.rs | Added conditional logic to skip token passthrough and updated test data |
| .changesets/feat_auth_token_passthrough_disable.md | Added changeset documentation |
| let transport = config.transport.clone(); | ||
|
|
||
| Ok(Server::builder() | ||
| .transport(config.transport) |
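Review bot: If the clone in `let transport = config.transport.clone();` is only there so the transport can still be inspected after `.transport(config.transport)` moves it, compute the passthrough flag from a borrow of `config.transport` before the builder call and drop the clone entirely. That also keeps a single copy of the transport settings, auth config included, in play.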
Copilot AI, Sep 9, 2025
The config.transport is being cloned unnecessarily. Since it's moved into the builder on line 115, you can use the cloned transport variable instead of cloning again.
| .transport(config.transport) | |
| .transport(transport) |
| if !self.disable_auth_token_passthrough | ||
| && let Some(token) = axum_parts.extensions.get::<ValidToken>() | ||
| { |
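Review bot: The `&& let Some(token) = ...` in this `if` is a let chain, which needs the 2024 edition and Rust 1.88 or newer, so confirm the crate's edition and `rust-version` allow it. Since `!self.disable_auth_token_passthrough` is the only visible gate on forwarding the `ValidToken`, a test that sets the flag and asserts on the outgoing upstream request would be worth having alongside it.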
Copilot AI, Sep 9, 2025
The condition logic is duplicated between lines 215-217 and 248-250. Consider extracting this into a helper method to reduce code duplication and improve maintainability.
* fix(ci): pin to specific stable rust version (#287)
  This commit pins the rust-toolchain to a specific rust version (1.89.0) for compatibility guarantees. Renovate will handle warning on outdated versions of stable rust. A minimal supported rust version was also added to the underlying crates to ensure compatibility guarantees as the stable version increments in future updates.
* feat: Implement Test Coverage Measurement and Reporting
* chore: add changeset
* feat: remove unnecessary codecov setting
* feat: add codecov badge
* feat: add codecov config file
* feat: add code coverage docs to CONTRIBUTING.md
* test: add tests for uplink schema event
* ci: prevent draft PRs from verifying changeset
* chore: add changeset
* ci: trigger verify changeset workflow when PR becomes ready for review
* ci: update github checkout actions
* feat: Configuration for disabling authorization token passthrough (#336)
* Allow config for not forwarding Auth tokens to GraphQL API
* use serde default to make new config optional
* Changeset
* Fix default case in main.rs
* Add new config option to documentation
* Redirect /docs/apollo-mcp-server/guides to fix 404 (#349)
  Co-authored-by: Samuel Collard <[email protected]>
  Co-authored-by: Michelle Mabuyo <[email protected]>
* chore: update RMCP version to latest (#328)
  This commit updates the RMCP dependency to the latest version 0.6.4. Sadly, schemars was also updated with this, so a lot of unrelated changes were needed to conform with the new stable schemars version.
* chore(release): bumping to version 0.8.0
* chore(release): changelog for 0.8.0

---------

Co-authored-by: Apollo Bot <[email protected]>
Co-authored-by: Armando Locay <[email protected]>
Co-authored-by: Nicholas Cioli <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: apollo-bot2 <[email protected]>
Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: Michelle Mabuyo <[email protected]>
* Redirect /docs/apollo-mcp-server/guides to fix 404
* Fix bullet point formatting
* Add load balancer configuration details for Apollo MCP
  Added instructions for configuring load balancers with Apollo MCP Server to ensure session affinity.
* Update docs/source/deploy.mdx
  Co-authored-by: Michelle Mabuyo <[email protected]>
* Update deploy.mdx
* Releasing 0.8.0 (#356)
* fix(ci): pin to specific stable rust version (#287)
  This commit pins the rust-toolchain to a specific rust version (1.89.0) for compatibility guarantees. Renovate will handle warning on outdated versions of stable rust. A minimal supported rust version was also added to the underlying crates to ensure compatibility guarantees as the stable version increments in future updates.
* feat: Implement Test Coverage Measurement and Reporting
* chore: add changeset
* feat: remove unnecessary codecov setting
* feat: add codecov badge
* feat: add codecov config file
* feat: add code coverage docs to CONTRIBUTING.md
* test: add tests for uplink schema event
* ci: prevent draft PRs from verifying changeset
* chore: add changeset
* ci: trigger verify changeset workflow when PR becomes ready for review
* ci: update github checkout actions
* feat: Configuration for disabling authorization token passthrough (#336)
* Allow config for not forwarding Auth tokens to GraphQL API
* use serde default to make new config optional
* Changeset
* Fix default case in main.rs
* Add new config option to documentation
* Redirect /docs/apollo-mcp-server/guides to fix 404 (#349)
  Co-authored-by: Samuel Collard <[email protected]>
  Co-authored-by: Michelle Mabuyo <[email protected]>
* chore: update RMCP version to latest (#328)
  This commit updates the RMCP dependency to the latest version 0.6.4. Sadly, schemars was also updated with this, so a lot of unrelated changes were needed to conform with the new stable schemars version.
* chore(release): bumping to version 0.8.0
* chore(release): changelog for 0.8.0

---------

Co-authored-by: Apollo Bot <[email protected]>
Co-authored-by: Armando Locay <[email protected]>
Co-authored-by: Nicholas Cioli <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: apollo-bot2 <[email protected]>
Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: Michelle Mabuyo <[email protected]>

---------

Co-authored-by: Samuel Collard <[email protected]>
Co-authored-by: Michelle Mabuyo <[email protected]>
Co-authored-by: Alyssa Hursh <[email protected]>
Co-authored-by: Lenny Burdette <[email protected]>
Co-authored-by: Evan Silverman <[email protected]>
Co-authored-by: Armando Locay <[email protected]>
Co-authored-by: Nicholas Cioli <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Dale Seo <[email protected]>
Co-authored-by: Samuel Collard <[email protected]>
* Allow config for not forwarding Auth tokens to GraphQL API
* use serde default to make new config optional
* Changeset
* Fix default case in main.rs
* Add new config option to documentation
Auth in the MCP server works by having the user go through the OAuth flow to obtain an auth token. This auth token is then validated and passed to the upstream API in Tool calls for accessing the resources in that API. There has been a request to not perform this passthrough of validated tokens in the event that the upstream API does not share the same auth methods as the mcp server.
This PR adds an optional new parameter to the config.transport.auth config object, `disable_auth_token_passthrough`, which is `false` by default, that when true, will no longer pass through validated Auth tokens to the GraphQL API.

Contains fix for #280
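The behaviour described above, as an added example that is not the project's code: the flag is resolved per transport with an or-pattern, then gates whether the validated token is attached to the upstream request. The `Transport` variants other than STDIO, the `port` field, `AuthConfig`, both function names and the `Bearer` header format are assumptions made for illustration.

```rust
// Added illustration: simplified stand-ins, not the project's definitions.
#[derive(Default)]
struct AuthConfig {
    // Mirrors the PR's option; false keeps the existing passthrough behaviour.
    disable_auth_token_passthrough: bool,
}

#[allow(dead_code)]
enum Transport {
    Stdio,
    Sse { auth: Option<AuthConfig>, port: u16 },
    StreamableHttp { auth: Option<AuthConfig>, port: u16 },
}

struct ValidToken(String);

/// Resolve the flag for a transport. An or-pattern binds `auth` from every
/// variant that carries it; a missing auth section falls back to false.
fn passthrough_disabled(transport: &Transport) -> bool {
    match transport {
        Transport::Stdio => false, // this variant carries no auth config
        Transport::Sse { auth, .. } | Transport::StreamableHttp { auth, .. } => auth
            .as_ref()
            .map(|a| a.disable_auth_token_passthrough)
            .unwrap_or(false),
    }
}

/// Build the headers for the upstream GraphQL request (header format assumed).
fn upstream_headers(disabled: bool, token: Option<&ValidToken>) -> Vec<(String, String)> {
    let mut headers = vec![("content-type".to_string(), "application/json".to_string())];
    if !disabled {
        if let Some(ValidToken(t)) = token {
            headers.push(("authorization".to_string(), format!("Bearer {t}")));
        }
    }
    headers
}

fn main() {
    let token = ValidToken("constructed-sample-token".to_string()); // constructed value
    let off = Some(AuthConfig { disable_auth_token_passthrough: true });
    let cases = [
        Transport::StreamableHttp { auth: Some(AuthConfig::default()), port: 5000 },
        Transport::StreamableHttp { auth: off, port: 5000 },
    ];
    for t in &cases {
        let sent = upstream_headers(passthrough_disabled(t), Some(&token));
        println!("{} header(s) sent upstream", sent.len());
    }
}
```

With the default configuration the token still travels upstream, so deployments whose GraphQL API uses a different auth scheme have to opt out explicitly.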