Allow MCP to use ADC #8735
Allow MCP to use ADC #8735
Conversation
src/mcp/index.ts
Outdated
| return mcpAuthError(); | ||
| if (tool.mcp._meta?.requiresAuth) { | ||
| try { | ||
| await requireAuth(await this.resolveOptions()); |
There was a problem hiding this comment.
How it is different then calling getAuthenticatedUser()?
async getAuthenticatedUser(): Promise<string | null> {
try {
return await requireAuth(await this.resolveOptions());
} catch (e) {
return null;
}
}
There was a problem hiding this comment.
Correct me if I am wrong
It sounds like getAuthenticatedUser() currently returns:
- string for
firebase login - null for
gcloud auth application-default login - Throw error if there is neither
Should we document that clearly in requireAuth().
Maybe change this.getAuthenticatedUser() to encode that information property
There was a problem hiding this comment.
requireAuth can return null when you are authenticated via a service account, but it errors when the user is not authenticated. getAuthenticated catches those errors and returns null. Under the previous logic, this triggered the conditional that returned mcpAuthError()
There was a problem hiding this comment.
Good call - refactored this. Now, getAuthenticatedUser() returns:
email for firebase login
'Application default credentials when using ADC
null for gcloud auth application-default login
and we skip the redundant requireAuth call.
src/mcp/index.ts
Outdated
| try { | ||
| return await requireAuth(await this.resolveOptions()); | ||
| const email = await requireAuth(await this.resolveOptions()); | ||
| return email ?? "Application default credentials"; |
There was a problem hiding this comment.
nit: "Application Default Credentials"
Could you also update the tsdoc on requireAuth? It wasn't obvious what null means reading it.
Thanks!
Description
Fixes #8671.
Scenarios Tested
Ran
firebase logout,gcloud auth application-default login, and then tested a tool that required auth and confirmed that it did not error out.