MCP (Model Context Protocol) server for reading and writing an Obsidian vault, gated by OAuth-issued JWT bearer tokens. See README.md for setup.
This commit is contained in:
@@ -0,0 +1,85 @@
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace ObsidianMcp.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// 自定义 scope 校验 Policy:
|
||||
/// RequireScope("read:obsidian")
|
||||
/// RequireScope("write:obsidian")
|
||||
///
|
||||
/// JWT 的 scope claim 可能是单个字符串(空格分隔)或多个 claim,两种都处理。
|
||||
/// </summary>
|
||||
public static class ScopePolicies
|
||||
{
|
||||
public const string ReadObsidian = "read:obsidian";
|
||||
public const string WriteObsidian = "write:obsidian";
|
||||
|
||||
/// <summary>注册两条 scope policy 到 AuthorizationOptions。</summary>
|
||||
public static void AddScopePolicies(this AuthorizationOptions opts)
|
||||
{
|
||||
opts.AddPolicy(ReadObsidian, policy =>
|
||||
policy.RequireAuthenticatedUser()
|
||||
.AddRequirements(new ScopeRequirement(ReadObsidian)));
|
||||
|
||||
opts.AddPolicy(WriteObsidian, policy =>
|
||||
policy.RequireAuthenticatedUser()
|
||||
.AddRequirements(new ScopeRequirement(WriteObsidian)));
|
||||
}
|
||||
}
|
||||
|
||||
// ---------- Requirement ----------
|
||||
|
||||
public class ScopeRequirement(string scope) : IAuthorizationRequirement
|
||||
{
|
||||
public string RequiredScope { get; } = scope;
|
||||
}
|
||||
|
||||
// ---------- Handler ----------
|
||||
|
||||
public class ScopeAuthorizationHandler : AuthorizationHandler<ScopeRequirement>
|
||||
{
|
||||
protected override Task HandleRequirementAsync(
|
||||
AuthorizationHandlerContext context,
|
||||
ScopeRequirement requirement)
|
||||
{
|
||||
// scope claim 在 JWT 里可能是一整个空格分隔的字符串,也可能是多个 claim。
|
||||
// OAuth 2.0 (RFC 6749) 规定 scope 大小写敏感,按 Ordinal 比对。
|
||||
var scopes = context.User
|
||||
.FindAll("scope")
|
||||
.SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
|
||||
.ToHashSet(StringComparer.Ordinal);
|
||||
|
||||
if (scopes.Contains(requirement.RequiredScope))
|
||||
context.Succeed(requirement);
|
||||
|
||||
return Task.CompletedTask;
|
||||
}
|
||||
}
|
||||
|
||||
// ---------- Per-tool scope guard helper ----------
|
||||
|
||||
/// <summary>
|
||||
/// MCP Tool 内部 scope 校验:从当前 HttpContext.User 读 scope claim,
|
||||
/// 不包含 requiredScope 时抛 UnauthorizedAccessException。
|
||||
///
|
||||
/// 用法:在每个读 / 写 Tool 的方法体首行调一下,给客户端可读的失败原因。
|
||||
/// 端点级 RequireAuthorization 只确保 JWT 验签通过;scope 颗粒度门禁在这里。
|
||||
/// OAuth 2.0 (RFC 6749) 规定 scope 大小写敏感。
|
||||
/// </summary>
|
||||
public static class ToolScopeGuard
|
||||
{
|
||||
public static void EnsureScope(IHttpContextAccessor http, string requiredScope)
|
||||
{
|
||||
var ctx = http.HttpContext
|
||||
?? throw new InvalidOperationException("无 HttpContext,无法校验 scope。");
|
||||
|
||||
var scopes = ctx.User
|
||||
.FindAll("scope")
|
||||
.SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
|
||||
.ToHashSet(StringComparer.Ordinal);
|
||||
|
||||
if (!scopes.Contains(requiredScope))
|
||||
throw new UnauthorizedAccessException(
|
||||
$"当前 Token 缺少所需 scope:{requiredScope}");
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user