Pangea AuthZ integration for FastMCP
pangea-authz-fastmcp
Easily add authorization to a FastMCP server with Pangea's AuthZ service.
Installation
```shell
pip install -U pangea-authz-fastmcp
```
Pangea AuthZ setup
- Create a Pangea account at https://pangea.cloud/signup. During the account creation process, an organization (top-level group) and project (individual app) will be created as well. On the "Get started with a common service" dialog, just click on the Skip button to get redirected to the developer console.
- In the developer console, there will be a list of services in the left hand panel. Click the AuthZ service to enable it.
- In the modal, there will be a prompt to create a new Pangea API token or to extend an existing one. Choose Create a new token and click on Done.
Usage
Use FastMCP's add_middleware method to add the authorization middleware to a
FastMCP server. The middleware requires a Pangea AuthZ token (to perform
authorization checks) and a function that maps an OAuth access token to a list
of subject IDs.
```python
import os

from fastmcp import FastMCP
from fastmcp.server.dependencies import AccessToken
from fastmcp.server.middleware import MiddlewareContext
from mcp.types import CallToolRequestParams
from pangea_authz_fastmcp import PangeaAuthzMiddleware


async def get_subject_ids(access_token: AccessToken, context: MiddlewareContext[CallToolRequestParams]) -> list[str]:
    # Fetch the subject ID(s) for the given access token. For example, this can
    # be just the associated user ID, or it can be a list of group IDs that the
    # user is a member of. How this function is implemented will depend on the
    # identity provider.
    return ["id1", "id2"]


mcp = FastMCP(name="My MCP Server")
mcp.add_middleware(
    PangeaAuthzMiddleware(pangea_authz_token=os.getenv("PANGEA_AUTHZ_TOKEN", ""), get_subject_ids=get_subject_ids)
)
```
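One way to fill in `get_subject_ids`, shown as an added example that is not part of the package or its documentation. It assumes the identity provider puts the user ID in a `sub` claim and group IDs in a `groups` claim, and that the already-verified claims are exposed as `access_token.claims`; the claim names, `ID_PATTERN` and `MAX_GROUPS` are hypothetical choices for this sketch.

```python
import asyncio
import re
from types import SimpleNamespace

# Constructed policy for this example: which characters an ID may contain,
# and how many groups are accepted from one token.
ID_PATTERN = re.compile(r"[A-Za-z0-9._@:-]{1,128}")
MAX_GROUPS = 50


def subject_ids_from_claims(claims: object) -> list[str]:
    """Return [user ID, *group IDs] from already-verified token claims."""
    if not isinstance(claims, dict):
        raise PermissionError("access token carries no claims")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not ID_PATTERN.fullmatch(sub):
        # Raise instead of returning a guessed or empty identity.
        raise PermissionError("missing or malformed 'sub' claim")

    groups = claims.get("groups", [])
    if isinstance(groups, str):
        # A single group may arrive as a bare string; iterating it directly
        # would yield one "group" per character.
        groups = [groups]
    if not isinstance(groups, (list, tuple)):
        raise PermissionError("malformed 'groups' claim")
    if len(groups) > MAX_GROUPS:
        raise PermissionError("too many groups in token")

    ids = [sub]
    for group in groups:
        if not isinstance(group, str) or not ID_PATTERN.fullmatch(group):
            raise PermissionError("malformed group ID")
        if group not in ids:  # drop duplicates, keep order
            ids.append(group)
    return ids


async def get_subject_ids(access_token, context) -> list[str]:
    # Assumption: the verified claims are exposed as access_token.claims.
    return subject_ids_from_claims(getattr(access_token, "claims", None))


if __name__ == "__main__":
    # Constructed sample token, standing in for a real AccessToken.
    sample = SimpleNamespace(claims={"sub": "user-123", "groups": ["eng", "eng", "ops"]})
    print(asyncio.run(get_subject_ids(sample, None)))
```
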
If you're already using the pangea-authn-fastmcp package to authenticate users, then this package can recognize that and will automatically fetch the user's AuthN group memberships.
```python
import os

from fastmcp import FastMCP
from pangea_authn_fastmcp import PangeaOAuthProvider
from pangea_authz_fastmcp import PangeaAuthzMiddleware

oauth_provider = PangeaOAuthProvider(...)

mcp = FastMCP(name="My MCP Server", auth=oauth_provider)
mcp.add_middleware(
    PangeaAuthzMiddleware(
        # Need an AuthN token to fetch the user's group memberships.
        pangea_authn_token=os.getenv("PANGEA_AUTHN_TOKEN", ""),
        # Still need the AuthZ token.
        pangea_authz_token=os.getenv("PANGEA_AUTHZ_TOKEN", ""),
        # get_subject_ids is no longer required.
    )
)
```
Google Workspace groups
This package comes with an optional command-line tool that can be used to enumerate groups from a Google Workspace and map these groups to MCP resources and tools in AuthZ. To install it, run:
```shell
pip install -U "pangea-authz-fastmcp[cli]"
```
Prerequisites:
- The Admin SDK API must be enabled.
- An OAuth 2.0 client. Download the client secret as JSON and save it to a file like credentials.json.
Usage: pangea-authz-fastmcp google-workspace [ARGS] [OPTIONS]
╭─ Parameters ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ CUSTOMER --customer The unique ID for the customer's Google Workspace account. │
│ DOMAIN --domain The domain name. Use this flag to get groups from only one domain. To return all domains for a customer account, use the │
│ --customer flag instead. │
│ CREDENTIALS --credentials The path to the credentials file. [default: credentials.json] │
│ MAX-GROUPS --max-groups Maximum number of groups to fetch. [default: 30] │
│ FILES --files --empty-files Files to discover MCP servers from. [default: ['~/AppData/Roaming/Claude/claude_desktop_config.json', '~/.cursor/mcp.json', │
│ '~/.codeium/windsurf/mcp_config.json']] │
│ SUBJECT-TYPE --subject-type [default: group] │
│ RELATION --relation [default: caller] │
│ RESOURCE-TYPE --resource-type [default: tool] │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
```shell
export PANGEA_AUTHZ_TOKEN="pts_..."
pangea-authz-fastmcp google-workspace --credentials path/to/credentials.json --domain example.org
```
File details
Details for the file pangea_authz_fastmcp-0.0.1.tar.gz.
File metadata
- Download URL: pangea_authz_fastmcp-0.0.1.tar.gz
- Upload date:
- Size: 105.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 650224af7f86f61b8948c8c7a42970c50daa08efb4d77cb03a571e6827edac23 |
| MD5 | 27a7587f84cb7a1cb177ef5e6a9d1e56 |
| BLAKE2b-256 | 4a16fde845188e7404641ca7ac80128d50e317fe320fd89f59138cac433b7b97 |
File details
Details for the file pangea_authz_fastmcp-0.0.1-py3-none-any.whl.
File metadata
- Download URL: pangea_authz_fastmcp-0.0.1-py3-none-any.whl
- Upload date:
- Size: 9.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d551c5899d982a5e5cb59c5bd32fb4dc4a781fe1c7ef0676ac95fef166a45800 |
| MD5 | 14d57faebba17c2b918cd81d95773873 |
| BLAKE2b-256 | a1d07bbc085a7bd1dcd86749806bae6979340848d95bd4f84eb820b98e992fd7 |