diff --git a/.changeset/add_serverjson_for_mcp_registry_publishing.md b/.changeset/add_serverjson_for_mcp_registry_publishing.md deleted file mode 100644 index 06a9cdf18..000000000 --- a/.changeset/add_serverjson_for_mcp_registry_publishing.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -default: patch ---- - -### Add server.json for MCP Registry publishing - -In preparation for publishing Apollo MCP Server to the official MCP Registry at `registry.modelcontextprotocol.io`, this PR adds `server.json` configuration file and adds the `io.modelcontextprotocol.server.name` label Dockerfile for registry verification. diff --git a/.changeset/feat_add_insufficient_scope.md b/.changeset/feat_add_insufficient_scope.md deleted file mode 100644 index cbda2a42d..000000000 --- a/.changeset/feat_add_insufficient_scope.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -default: minor ---- - -### feat(auth): Add 403 Forbidden `insufficient_scope` support per MCP Auth Spec 2025-11-25 and RFC 6750 (Section 3.1) - @gocamille PR #537 - -This adds HTTP 403 Forbidden responses with `error="insufficient_scope"` per [MCP Auth Spec 2025-11-25 Section 10: Error Handling](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#error-handling) and [RFC 6750 Section 3.1](https://www.rfc-editor.org/rfc/rfc6750.html#section-3.1). - -**Changes:** - -- `www_authenticate.rs`: Added `BearerError::InsufficientScope` enum and [error](crates/apollo-mcp-server/src/auth/www_authenticate.rs#L135-L149) field to `WWW-Authenticate` header -- `valid_token.rs`: Extract [scope](crates/apollo-mcp-server/src/auth/valid_token.rs#L27-L38)/[scp](crates/apollo-mcp-server/src/auth/valid_token.rs#L503-L509) claims from JWTs (handles both standard OAuth and Azure AD) -- `auth.rs`: Scope validation with fail-closed behaviour—valid tokens lacking required scopes get `403` -- `headers.rs`: Updated tests for new `ValidToken` struct - -**Behavior:** - -- **401 Unauthorized**: Missing or invalid token -- **403 Forbidden**: Valid token but insufficient scopes (includes `error="insufficient_scope"` in response) diff --git a/.changeset/feat_add_scope.md b/.changeset/feat_add_scope.md deleted file mode 100644 index f4b83377d..000000000 --- a/.changeset/feat_add_scope.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -default: minor ---- - -### Add scope parameter to WWW-Authenticate header - @DaleSeo PR #523 - -Add support for optional `scope` parameter in the `WWW-Authenticate` header per [MCP Auth Spec 2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements). - -When returning 401 Unauthorized responses, the server now includes the configured scopes to guide clients on appropriate scopes to request during authorization. - -This PR extends the `WwwAuthenticate::Bearer` variant with an optional scope field. When scopes are configured, they are space-separated and included in 401 responses. When no scopes are configured, the parameter is omitted. diff --git a/.changeset/feat_allow_any_audience.md b/.changeset/feat_allow_any_audience.md deleted file mode 100644 index a37d01c82..000000000 --- a/.changeset/feat_allow_any_audience.md +++ /dev/null @@ -1,21 +0,0 @@ ---- -default: minor ---- - -### Allow opting out of audience validation - @DaleSeo PR #535 - -Added an explicit `allow_any_audience` configuration option that follows the same pattern as CORS's `allow_any_origin`. When set to `true`, audience validation is skipped entirely. - -```yaml -auth: - servers: - - https://auth.example.com - - # Validate specific audiences (default) - audiences: ["my-api"] - allow_any_audience: false - - # Or skip audience validation entirely - audiences: [] - allow_any_audience: true## Changes -``` diff --git a/.changeset/feat_david_support_traceparent_context.md b/.changeset/feat_david_support_traceparent_context.md deleted file mode 100644 index 6dcd33b5c..000000000 --- a/.changeset/feat_david_support_traceparent_context.md +++ /dev/null @@ -1,7 +0,0 @@ ---- -default: minor ---- - -### Server adds support for incoming distributed trace context propagation - @david-castaneda PR #484 - -The MCP server now extracts W3C traceparent headers from incoming requests and uses this context for its own emitted traces, enabling handler spans to nest under parent traces for complete end-to-end observability. diff --git a/.changeset/feat_env_var_expansion.md b/.changeset/feat_env_var_expansion.md deleted file mode 100644 index 08258957f..000000000 --- a/.changeset/feat_env_var_expansion.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -default: minor ---- - -### feat: add support for custom environment variable expansion - @gocamille PR #539 - -#### Summary - -This PR adds support for `${env.VAR_NAME}` syntax in configuration files, allowing users to reference custom environment variables without being limited to the `APOLLO_MCP_*` naming convention. - -Closes #454. - -#### Changes - -- `runtime/env_expansion.rs` (new module) - parser for variable expansion -- `runtime.rs` (modified) - integrates expansion into the `read_config()` function -- `config-file.mdx` - updated docs with syntax, escaping, and special characters handling - -- **Note** The `APOLLO_MCP_*` environment variable(s) will still take precedence over expanded custom config values (no breaking change). diff --git a/.changeset/feat_output_schema.md b/.changeset/feat_output_schema.md deleted file mode 100644 index bc10b5ed0..000000000 --- a/.changeset/feat_output_schema.md +++ /dev/null @@ -1,14 +0,0 @@ ---- -default: minor ---- - -### Add outputSchema support - @DaleSeo PR #509 - -This PR implements support for the MCP specification's [outputSchema](https://modelcontextprotocol.io/specification/2025-11-25/server/tools#output-schema) field on tools, which allows tools to declare the expected structure of their output. This helps LLMs better understand and reason about GraphQL response data. - -This feature is opt-in to avoid additional token overhead. To enable it, add the following to your config: - -```yaml -overrides: - enable_output_schema: true -``` diff --git a/.changeset/feat_tls_config.md b/.changeset/feat_tls_config.md deleted file mode 100644 index c280ef87c..000000000 --- a/.changeset/feat_tls_config.md +++ /dev/null @@ -1,23 +0,0 @@ ---- -default: minor ---- - -### Add TLS configuration options for auth - @DaleSeo PR #536 - -Adds TLS configuration options for connecting to OAuth servers during token validation. - -When the MCP server validates OAuth tokens, it connects to upstream OAuth servers to fetch JWKS keys. Previously, this required those servers to have certificates trusted by the system's default CA bundle. This change allows users to trust custom CA certificates or disable validation for development environments. - -```yaml -transport: - streamable_http: - auth: - servers: - - https://auth.example.com - audiences: - - my-audience - resource: https://mcp.example.com/mcp - tls: - ca_cert: /path/to/ca-certificate.pem - danger_accept_invalid_certs: false # Set this to true for development or testing purposes only -``` diff --git a/CHANGELOG.md b/CHANGELOG.md index acb92214c..4e38c1a5e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,109 @@ All notable changes to this project will be documented in this file. This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## 1.4.0 (2026-01-14) + +### Features + +#### feat(auth): Add 403 Forbidden `insufficient_scope` support per MCP Auth Spec 2025-11-25 and RFC 6750 (Section 3.1) - @gocamille PR #537 + +This adds HTTP 403 Forbidden responses with `error="insufficient_scope"` per [MCP Auth Spec 2025-11-25 Section 10: Error Handling](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#error-handling) and [RFC 6750 Section 3.1](https://www.rfc-editor.org/rfc/rfc6750.html#section-3.1). + +**Changes:** + +- `www_authenticate.rs`: Added `BearerError::InsufficientScope` enum and [error](crates/apollo-mcp-server/src/auth/www_authenticate.rs#L135-L149) field to `WWW-Authenticate` header +- `valid_token.rs`: Extract [scope](crates/apollo-mcp-server/src/auth/valid_token.rs#L27-L38)/[scp](crates/apollo-mcp-server/src/auth/valid_token.rs#L503-L509) claims from JWTs (handles both standard OAuth and Azure AD) +- `auth.rs`: Scope validation with fail-closed behaviour—valid tokens lacking required scopes get `403` +- `headers.rs`: Updated tests for new `ValidToken` struct + +**Behavior:** + +- **401 Unauthorized**: Missing or invalid token +- **403 Forbidden**: Valid token but insufficient scopes (includes `error="insufficient_scope"` in response) + +#### Add scope parameter to WWW-Authenticate header - @DaleSeo PR #523 + +Add support for optional `scope` parameter in the `WWW-Authenticate` header per [MCP Auth Spec 2025-11-25](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#protected-resource-metadata-discovery-requirements). + +When returning 401 Unauthorized responses, the server now includes the configured scopes to guide clients on appropriate scopes to request during authorization. + +This PR extends the `WwwAuthenticate::Bearer` variant with an optional scope field. When scopes are configured, they are space-separated and included in 401 responses. When no scopes are configured, the parameter is omitted. + +#### Allow opting out of audience validation - @DaleSeo PR #535 + +Added an explicit `allow_any_audience` configuration option that follows the same pattern as CORS's `allow_any_origin`. When set to `true`, audience validation is skipped entirely. + +```yaml +auth: + servers: + - https://auth.example.com + + # Validate specific audiences (default) + audiences: ["my-api"] + allow_any_audience: false + + # Or skip audience validation entirely + audiences: [] + allow_any_audience: true## Changes +``` + +#### Server adds support for incoming distributed trace context propagation - @david-castaneda PR #484 + +The MCP server now extracts W3C traceparent headers from incoming requests and uses this context for its own emitted traces, enabling handler spans to nest under parent traces for complete end-to-end observability. + +#### feat: add support for custom environment variable expansion - @gocamille PR #539 + +##### Summary + +This PR adds support for `${env.VAR_NAME}` syntax in configuration files, allowing users to reference custom environment variables without being limited to the `APOLLO_MCP_*` naming convention. + +Closes #454. + +##### Changes + +- `runtime/env_expansion.rs` (new module) - parser for variable expansion +- `runtime.rs` (modified) - integrates expansion into the `read_config()` function +- `config-file.mdx` - updated docs with syntax, escaping, and special characters handling + +- **Note** The `APOLLO_MCP_*` environment variable(s) will still take precedence over expanded custom config values (no breaking change). + +#### Add outputSchema support - @DaleSeo PR #509 + +This PR implements support for the MCP specification's [outputSchema](https://modelcontextprotocol.io/specification/2025-11-25/server/tools#output-schema) field on tools, which allows tools to declare the expected structure of their output. This helps LLMs better understand and reason about GraphQL response data. + +This feature is opt-in to avoid additional token overhead. To enable it, add the following to your config: + +```yaml +overrides: + enable_output_schema: true +``` + +#### Add TLS configuration options for auth - @DaleSeo PR #536 + +Adds TLS configuration options for connecting to OAuth servers during token validation. + +When the MCP server validates OAuth tokens, it connects to upstream OAuth servers to fetch JWKS keys. Previously, this required those servers to have certificates trusted by the system's default CA bundle. This change allows users to trust custom CA certificates or disable validation for development environments. + +```yaml +transport: + streamable_http: + auth: + servers: + - https://auth.example.com + audiences: + - my-audience + resource: https://mcp.example.com/mcp + tls: + ca_cert: /path/to/ca-certificate.pem + danger_accept_invalid_certs: false # Set this to true for development or testing purposes only +``` + +### Fixes + +#### Add server.json for MCP Registry publishing + +In preparation for publishing Apollo MCP Server to the official MCP Registry at `registry.modelcontextprotocol.io`, this PR adds `server.json` configuration file and adds the `io.modelcontextprotocol.server.name` label Dockerfile for registry verification. + ## 1.3.0 (2025-12-10) ### 🚀 Features diff --git a/Cargo.lock b/Cargo.lock index ea29d90ac..1fa1c63cc 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -199,7 +199,7 @@ dependencies = [ [[package]] name = "apollo-mcp-server" -version = "1.3.0" +version = "1.4.0" dependencies = [ "anyhow", "apollo-compiler", diff --git a/Cargo.toml b/Cargo.toml index e4c38e38c..b02b7543a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -12,7 +12,7 @@ edition = "2024" license-file = "LICENSE" repository = "https://github.com/apollographql/apollo-mcp-server" rust-version = "1.89.0" -version = "1.3.0" +version = "1.4.0" [workspace.dependencies] apollo-compiler = "1.27.0" diff --git a/docs/source/run.mdx b/docs/source/run.mdx index cd0a4f029..7b46c487a 100644 --- a/docs/source/run.mdx +++ b/docs/source/run.mdx @@ -55,7 +55,7 @@ To install or upgrade to a **specific version** of Apollo MCP Server (recommende ```terminal showLineNumbers=false # Note the `v` prefixing the version number - curl -sSL https://mcp.apollo.dev/download/nix/v1.3.0 | sh + curl -sSL https://mcp.apollo.dev/download/nix/v1.4.0 | sh ``` @@ -64,7 +64,7 @@ To install or upgrade to a **specific version** of Apollo MCP Server (recommende ```terminal showLineNumbers=false # Note the `v` prefixing the version number - iwr 'https://mcp.apollo.dev/download/win/v1.3.0' | iex + iwr 'https://mcp.apollo.dev/download/win/v1.4.0' | iex ``` @@ -78,7 +78,7 @@ To install or upgrade to a specific version of Apollo MCP Server that is a **rel ```terminal showLineNumbers=false # Note the `v` prefixing the version number and the `-rc` suffix - curl -sSL https://mcp.apollo.dev/download/nix/v1.3.0-rc.1 | sh + curl -sSL https://mcp.apollo.dev/download/nix/v1.4.0-rc.1 | sh ``` @@ -87,7 +87,7 @@ To install or upgrade to a specific version of Apollo MCP Server that is a **rel ```terminal showLineNumbers=false # Note the `v` prefixing the version number and the `-rc` suffix - iwr 'https://mcp.apollo.dev/download/win/v1.3.0-rc.1' | iex + iwr 'https://mcp.apollo.dev/download/win/v1.4.0-rc.1' | iex ``` @@ -124,14 +124,14 @@ To download a **specific version** of Apollo MCP Server (recommended for CI envi ```bash # Note the `v` prefixing the version number -docker image pull ghcr.io/apollographql/apollo-mcp-server:v1.3.0 +docker image pull ghcr.io/apollographql/apollo-mcp-server:v1.4.0 ``` To download a specific version of Apollo MCP Server that is a release candidate: ```bash # Note the `v` prefixing the version number and the `-rc` suffix -docker image pull ghcr.io/apollographql/apollo-mcp-server:v1.3.0-rc.1 +docker image pull ghcr.io/apollographql/apollo-mcp-server:v1.4.0-rc.1 ``` diff --git a/scripts/nix/install.sh b/scripts/nix/install.sh index 4462b0376..562013e17 100755 --- a/scripts/nix/install.sh +++ b/scripts/nix/install.sh @@ -14,7 +14,7 @@ BINARY_DOWNLOAD_PREFIX="${APOLLO_MCP_SERVER_BINARY_DOWNLOAD_PREFIX:="https://git # Apollo MCP Server version defined in apollo-mcp-server's Cargo.toml # Note: Change this line manually during the release steps. -PACKAGE_VERSION="v1.3.0" +PACKAGE_VERSION="v1.4.0" download_binary_and_run_installer() { downloader --check diff --git a/scripts/windows/install.ps1 b/scripts/windows/install.ps1 index 0e40f2042..3956ec330 100644 --- a/scripts/windows/install.ps1 +++ b/scripts/windows/install.ps1 @@ -8,7 +8,7 @@ # Apollo MCP Server version defined in apollo-mcp-server's Cargo.toml # Note: Change this line manually during the release steps. -$package_version = 'v1.3.0' +$package_version = 'v1.4.0' function Install-Binary($apollo_mcp_server_install_args) { $old_erroractionpreference = $ErrorActionPreference diff --git a/server.json b/server.json index 1623e1842..11f0073b4 100644 --- a/server.json +++ b/server.json @@ -8,11 +8,11 @@ "url": "https://github.com/apollographql/apollo-mcp-server", "source": "github" }, - "version": "1.3.0", + "version": "1.4.0", "packages": [ { "registryType": "oci", - "identifier": "ghcr.io/apollographql/apollo-mcp-server:v1.3.0", + "identifier": "ghcr.io/apollographql/apollo-mcp-server:v1.4.0", "transport": { "type": "stdio" },