Updating token validator return type to comply with MCP sdk.

ericevans-nv · ericevans-nv · commit 1343c18e5323 · 2025-09-18T08:53:10.000-05:00
Signed-off-by: Eric Evans &lt;194135482+ericevans-nv@users.noreply.github.com&gt;
diff --git a/src/nat/data_models/authentication.py b/src/nat/data_models/authentication.py
@@ -184,7 +184,7 @@ class TokenValidationResult(BaseModel):
     """
     model_config = ConfigDict(extra="forbid")
 
-    client_id: str = Field(description="OAuth2 client identifier")
+    client_id: str | None = Field(description="OAuth2 client identifier")
     scopes: list[str] | None = Field(default=None, description="List of granted scopes (introspection only)")
     expires_at: int | None = Field(default=None, description="Token expiration time (Unix timestamp)")
     audience: list[str] | None = Field(default=None, description="Token audiences (aud claim)")
diff --git a/src/nat/front_ends/mcp/introspection_token_verifier.py b/src/nat/front_ends/mcp/introspection_token_verifier.py
@@ -15,15 +15,12 @@
 """OAuth 2.0 Token Introspection verifier implementation for MCP servers."""
 
 import logging
-from typing import Any
-from typing import overload
 
 from mcp.server.auth.provider import AccessToken
 from mcp.server.auth.provider import TokenVerifier
 
 from nat.authentication.credential_validator.bearer_token_validator import BearerTokenValidator
 from nat.authentication.oauth2.oauth2_resource_server_config import OAuth2ResourceServerConfig
-from nat.data_models.authentication import TokenValidationResult
 
 logger = logging.getLogger(__name__)
 
@@ -67,21 +64,20 @@ def __init__(self, config: OAuth2ResourceServerConfig):
             client_secret=client_secret,
         )
 
-    @overload
-    async def verify_token(self, token: str) -> TokenValidationResult | None:
-        ...
-
-    @overload
     async def verify_token(self, token: str) -> AccessToken | None:
-        ...
-
-    async def verify_token(self, token: str) -> Any:
         """Verify token by delegating to BearerTokenValidator.
 
         Args:
             token: The Bearer token to verify
 
         Returns:
-            TokenValidationResult | AccessToken | None
+            AccessToken | None: AccessToken if valid, None if invalid
         """
-        return await self._bearer_token_validator.verify(token)
+        validation_result = await self._bearer_token_validator.verify(token)
+
+        if validation_result.active:
+            return AccessToken(token=token,
+                               expires_at=validation_result.expires_at,
+                               scopes=validation_result.scopes or [],
+                               client_id=validation_result.client_id or "")
+        return None
diff --git a/src/nat/front_ends/mcp/mcp_front_end_config.py b/src/nat/front_ends/mcp/mcp_front_end_config.py
@@ -42,4 +42,4 @@ class MCPFrontEndConfig(FrontEndBaseConfig, name="mcp"):
         default=None, description="Custom worker class for handling MCP routes (default: built-in worker)")
 
     server_auth: OAuth2ResourceServerConfig | None = Field(
-        description=("OAuth 2.0 Resource Server configuration for token verification."))
+        default=None, description=("OAuth 2.0 Resource Server configuration for token verification."))
