Skip to content

Support MCP 2025-06-18 Protocol Revision#117

Draft
yjacquin wants to merge 23 commits intomainfrom
mcp-2025-06-18
Draft

Support MCP 2025-06-18 Protocol Revision#117
yjacquin wants to merge 23 commits intomainfrom
mcp-2025-06-18

Conversation

@yjacquin
Copy link
Copy Markdown
Owner

@yjacquin yjacquin commented Jun 21, 2025

Update MCP protocol version to 2025-06-18

This branch regroups all issues to come from #109

  • Update PROTOCOL_VERSION constant from '2024-11-05' to '2025-06-18'
  • Add MCP-Protocol-Version header validation to BaseTransport
  • Implement protocol version validation in RackTransport
  • Add proper error responses for unsupported protocol versions
  • Maintain backward compatibility with lenient validation

Closes #109

@yjacquin yjacquin self-assigned this Jun 21, 2025
@yjacquin yjacquin requested a review from Copilot August 16, 2025 18:27
Copilot AI reviewed Aug 16, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements comprehensive support for the MCP 2025-06-18 protocol revision by updating the protocol version, adding extensive test coverage, and implementing new transport layers with OAuth 2.1 support and metadata validation.

  • Updates PROTOCOL_VERSION constant from '2024-11-05' to '2025-06-18' throughout the codebase
  • Implements new StreamableHTTP transport with unified endpoint support and protocol version validation
  • Adds OAuth 2.1 compliant transport with scope-based authorization and RFC 9728 protected resource metadata

Reviewed Changes

Copilot reviewed 45 out of 53 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
spec/ files Comprehensive test coverage for new OAuth functionality, transport layers, and compliance validation
lib/mcp/transports/ New transport implementations including StreamableHTTP, OAuth, and authenticated variants
lib/mcp/protocol_version.rb Centralized protocol version definition
lib/mcp/oauth/ OAuth 2.1 implementation with token validation and resource server components
lib/mcp/metadata.rb Metadata validation with reserved prefix checking
examples/ Demonstration servers showing new transport capabilities

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

Comment thread lib/mcp/oauth/resource_server.rb Outdated
Comment thread lib/mcp/oauth/resource_server.rb Outdated
Comment thread lib/mcp/oauth/token_validator.rb
Comment thread lib/mcp/transports/streamable_http.rb
yjacquin added 13 commits October 4, 2025 16:26
@yjacquin
Phase 1.1: Update MCP protocol version to 2025-06-18 (#108)
49a783e 
* Update MCP protocol version to 2025-06-18

- Update PROTOCOL_VERSION constant from '2024-11-05' to '2025-06-18'
- Add MCP-Protocol-Version header validation to BaseTransport
- Implement protocol version validation in RackTransport
- Add proper error responses for unsupported protocol versions
- Maintain backward compatibility with lenient validation

This implements Phase 1.1 of the MCP 2025-06-18 specification upgrade.
@yjacquin
Phase 1.2: Enhanced _meta Field Support (#118)
26b0bd4 
Implement comprehensive metadata validation and reserved namespace
protection for MCP 2025-06-18 specification compliance.

- **Metadata validation module** (`lib/mcp/metadata.rb`)
  - Reserved prefix protection (`mcp:`, `mcp-`)
  - Metadata structure validation
  - Sanitization and formatting utilities
  - Metadata merging capabilities

- **Tool class** (`lib/mcp/tool.rb`)
  - Metadata validation on key assignment
  - Reserved prefix error handling
  - Enhanced metadata management

- **Resource class** (`lib/mcp/resource.rb`)
  - Metadata module integration
  - Reserved namespace protection

- **Server class** (`lib/mcp/server.rb`)
  - Enhanced metadata sanitization in send_result
  - Automatic filtering of reserved keys
  - Improved metadata formatting

- **Comprehensive test coverage** (39 new tests)
  - Metadata validation tests
  - Reserved prefix protection tests
  - Tool/Resource metadata integration tests
  - Server metadata handling tests
  - Edge case and error condition coverage

- Tools and Resources now validate metadata keys
- Reserved `mcp:` and `mcp-` prefixes are blocked
- Metadata with invalid keys will raise ReservedMetadataError

- Existing valid metadata continues to work unchanged
- Only newly restricted prefixes cause errors
- Automatic sanitization prevents invalid metadata propagation

Resolves #110 - Enhanced _meta Field Support
Part of #109 - Support MCP 2025-06-18 Protocol Revision
@yjacquin
Feature/phase2 transport modernization (#120)
423401f 
* Add Streamable HTTP

* Finish OAuth

* remove authorization server related code and add docs

* Refact attempt for resource server behavior

* oauth and resource server spec fixes

* fix oauth streamable http transport specs

* fix token validator specs

* update docs

* doc changes
@yjacquin
refactor oauth logic
baa1853
@yjacquin
lint
02f7b01
@yjacquin
remove useless generated docs
3a9e107
@yjacquin
wip
8107ee8
@yjacquin
wip
b942aff
@yjacquin
add trailing comma
3c98eb0
@yjacquin
fix linting
bba06a5
@yjacquin
fix forgotten update
e712e6f
@yjacquin
fix specs
b8c24cb
@yjacquin
fix rubocop issues
767c7ef
yjacquin and others added 10 commits October 4, 2025 17:20
@yjacquin
Add fiber-based web server support
f8fb8d1
@yjacquin
Prepare for v1.7.0 release
70236aa 
- Fix critical audience binding logic bug in OAuth resource server
- Bump version to 1.7.0
- Add comprehensive CHANGELOG entry for v1.7.0
- Update README to mention MCP Protocol 2025-06-18 support
- Update logger TODO with implementation note
- Complete Rails integration guide documentation
- Remove implementation plan development artifact
@yjacquin
Add deprecation notices to legacy transport examples
faf9977
@yjacquin
remove session management docs
4f136b1
@yjacquin
Fix documentation cross-references and standardize parameter names
792997f 
- Fix broken cross-references in migration_guide.md, oauth-resource-server.md, and streamable_http_transport.md
- Standardize JWKS parameter name to jwks_uri across all documentation
- Replace references to non-existent files with correct documentation links
- All 370 tests still passing
@yjacquin
Add JWT algorithm validation tests
bb527bc 
- Add tests for allowed algorithms (HS256, HS384, HS512)
- Add test for rejecting unallowed algorithms (e.g., RS256)
- Ensures token validator properly validates algorithm whitelist
- All 374 tests passing
@DanBradbury @yjacquin
Move shared logic from legacy and updated transport layers to properl…
39528cd 
…y handle yield

- fixes issue with tools not being detected due to yield being used in
  called method
@yjacquin
Fixate gem version for base64
a347e85
@yjacquin
remove useless arg in setup_streamable_rails_transport
3181615
@yjacquin
fix server initializationn
5892fcc
@spikex
Copy link
Copy Markdown

spikex commented Oct 16, 2025

Hey @yjacquin, thanks for your great work on this project! Any timeline on releasing 2025-06-18 support?

alejandrok93
alejandrok93 reviewed Oct 23, 2025
View reviewed changes
Copy link
Copy Markdown

@alejandrok93 alejandrok93 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @yjacquin wanted to check if this PR is ready to merge?

@quorak
Copy link
Copy Markdown

quorak commented Dec 2, 2025
edited
Loading

Hey there, massive amount of work. thank you!

We’re currently trying to use OpenID Connect with Doorkeeper as our auth server in a Rails stack. Token issuing works, and we’re also able to connect via the http_streaming method.

Our opaque_token_validator successfully receives the Bearer token, validates it against Doorkeeper, and returns a valid hash with scope (including mcp:tools), subject, and other fields.

However, when we try to list the available tools, the request fails with:

MCP error -32001: Error POSTing to endpoint (HTTP 403):
{"error":"invalid_scope","error_description":"Required scope: mcp:tools"}

I debugged into it and It looks like its trying to extract the extract_claims:

Not totally sure what the right approach here would be. Hope this helps!

@postpostmodern
Copy link
Copy Markdown

postpostmodern commented Dec 5, 2025

Hey there, massive amount of work. thank you!

We’re currently trying to use OpenID Connect with Doorkeeper as our auth server in a Rails stack. Token issuing works, and we’re also able to connect via the http_streaming method.

Our opaque_token_validator successfully receives the Bearer token, validates it against Doorkeeper, and returns a valid hash with scope (including mcp:tools), subject, and other fields.

However, when we try to list the available tools, the request fails with:

MCP error -32001: Error POSTing to endpoint (HTTP 403):
{"error":"invalid_scope","error_description":"Required scope: mcp:tools"}

I debugged into it and It looks like its trying to extract the extract_claims:

* It looks like [TokenValidator.extract_claims](https://github.com/yjacquin/fast-mcp/blob/5892fcc2a5fa39cfac39b279ce1a08f4573f3c3f/lib/mcp/oauth/token_validator.rb#L59) is not working for opaque_token and always returns an empty scope.

* The call chain is as follows: [ResourceServer.extract_token_info](https://github.com/yjacquin/fast-mcp/blob/5892fcc2a5fa39cfac39b279ce1a08f4573f3c3f/lib/mcp/oauth/resource_server.rb#L75) -->[LocalIntrospector.token_info](https://github.com/yjacquin/fast-mcp/blob/mcp-2025-06-18/lib/mcp/oauth/introspection.rb#L16) --> [TokenValidator.extract_claims](https://github.com/yjacquin/fast-mcp/blob/5892fcc2a5fa39cfac39b279ce1a08f4573f3c3f/lib/mcp/oauth/token_validator.rb#L59)

Not totally sure what the right approach here would be. Hope this helps!

I had the same issue. I don't know if this is the best approach, but here's how I fixed it:

diff --git a/lib/mcp/oauth/token_validator.rb b/lib/mcp/oauth/token_validator.rb
index 97e7bf0..79c66b2 100644
--- a/lib/mcp/oauth/token_validator.rb
+++ b/lib/mcp/oauth/token_validator.rb
@@ -56,11 +56,20 @@ module FastMcp

       # Extract claims from a valid token (for debugging/logging)
       def extract_claims(token)
-        return nil unless jwt_token?(token)
-
-        # Decode without verification for claim extraction
-        payload, = JWT.decode(token, nil, false)
-        payload
+        if jwt_token?(token)
+          # Decode without verification for claim extraction
+          payload, = JWT.decode(token, nil, false)
+          payload
+        else
+          opaque_token_info = @opaque_token_validator.call(token)
+          opaque_token_info.transform_keys(
+            {
+              scopes: 'scope',
+              subject: 'sub',
+              valid: 'valid'
+            }
+          )
+        end
       rescue StandardError => e
         @logger.debug("Failed to extract claims: #{e.message}")
         nil

@manuelmeurer
Copy link
Copy Markdown

manuelmeurer commented Feb 24, 2026

Hey @yjacquin , how can we help to get this over the finish line?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@alejandrok93 alejandrok93 alejandrok93 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@yjacquin yjacquin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support MCP 2025-06-18 Protocol Revision

8 participants

@yjacquin @spikex @quorak @postpostmodern @manuelmeurer @alejandrok93 @DanBradbury