You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: CHANGELOG.md
+6Lines changed: 6 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
4
4
5
5
## Unreleased
6
6
7
+
### Added
8
+
- Support for FastMCP OAuth/OIDC auth providers on HTTP/SSE transports via the `FASTMCP_SERVER_AUTH` environment variable (e.g. Azure Entra, Google, GitHub, WorkOS). Static token, FastMCP OAuth, and disabled mode are now mutually exclusive; configure exactly one. ([#171](https://github.com/ClickHouse/mcp-clickhouse/issues/171))
9
+
10
+
### Changed
11
+
-`/health` endpoint is now unauthenticated across all auth modes (previously gated only under static-token mode, which was asymmetric and incompatible with redirect-based OAuth providers). Response bodies trimmed to `OK` / generic error strings to avoid leaking ClickHouse version information or connection exception details; underlying errors are logged server-side.
Copy file name to clipboardExpand all lines: README.md
+38-14Lines changed: 38 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -42,13 +42,15 @@ An MCP server for ClickHouse.
42
42
### Health Check Endpoint
43
43
44
44
When running with HTTP or SSE transport, a health check endpoint is available at `/health`. This endpoint:
45
-
- Returns `200 OK` with the ClickHouse version if the server is healthy and can connect to ClickHouse
46
-
- Returns `503 Service Unavailable` if the server cannot connect to ClickHouse
45
+
- Returns `200 OK` (body: `OK`) if the server is healthy and can connect to ClickHouse
46
+
- Returns `503 Service Unavailable` with a generic error message if the server cannot connect to ClickHouse
47
+
48
+
The endpoint is intentionally unauthenticated so orchestrator probes (e.g. Kubernetes liveness/readiness, load balancers) can reach it without credentials. The response body is deliberately minimal to avoid leaking backend version strings or error details; debug failures via the server logs.
When using HTTP or SSE transport, authentication is **required by default**. The `stdio` transport (default) does not require authentication as it only communicates via standard input/output.
59
61
62
+
Three authentication modes are supported. Pick one:
Note: the `/health` endpoint is intentionally unauthenticated (see [Health Check Endpoint](#health-check-endpoint) above). To verify that bearer-token auth is actually rejecting unauthenticated requests, hit the MCP endpoint itself e.g. with the MCP Inspector, or by POSTing a JSON-RPC request to `/mcp` with and without the `Authorization` header and confirming the unauthenticated call returns `401`.
105
+
106
+
#### OAuth / OIDC via FastMCP
107
+
108
+
For production deployments with identity providers (Azure Entra, Google, GitHub, WorkOS, etc.), delegate authentication to [FastMCP's built-in auth providers](https://gofastmcp.com/servers/auth) instead of using a static token. Set `FASTMCP_SERVER_AUTH` to the **full class path** of a FastMCP auth provider, along with the provider-specific `FASTMCP_SERVER_AUTH_*` variables, and leave `CLICKHOUSE_MCP_AUTH_TOKEN` unset.
@@ -515,11 +535,15 @@ The following environment variables are used to configure the ClickHouse and chD
515
535
*`CLICKHOUSE_MCP_QUERY_TIMEOUT`: Timeout in seconds for SELECT tools
516
536
* Default: `"30"`
517
537
* Increase this if you see `Query timed out after ...` errors for heavy queries
518
-
*`CLICKHOUSE_MCP_AUTH_TOKEN`: Authentication token for HTTP/SSE transports
538
+
*`CLICKHOUSE_MCP_AUTH_TOKEN`: Static bearer token for HTTP/SSE transports
519
539
* Default: None
520
-
***Required** when using HTTP or SSE transport (unless `CLICKHOUSE_MCP_AUTH_DISABLED=true`)
540
+
*One of `CLICKHOUSE_MCP_AUTH_TOKEN`, `FASTMCP_SERVER_AUTH`, or `CLICKHOUSE_MCP_AUTH_DISABLED=true` is **required** for HTTP/SSE transports
521
541
* Generate using `uuidgen` or `openssl rand -hex 32`
522
542
* Clients must send this token in the `Authorization: Bearer <token>` header
543
+
*`FASTMCP_SERVER_AUTH`: Delegate authentication to a [FastMCP auth provider](https://gofastmcp.com/servers/auth)
544
+
* Default: None
545
+
* Value is the **full class path** of an AuthProvider subclass, e.g. `fastmcp.server.auth.providers.azure.AzureProvider` or `fastmcp.server.auth.providers.google.GoogleProvider`
546
+
* When set, FastMCP auto-loads the provider from its own `FASTMCP_SERVER_AUTH_*` environment variables; leave `CLICKHOUSE_MCP_AUTH_TOKEN` unset in this mode
523
547
*`CLICKHOUSE_MCP_AUTH_DISABLED`: Disable authentication for HTTP/SSE transports
524
548
* Default: `"false"` (authentication is enabled)
525
549
* Set to `"true"` to disable authentication for local development/testing only
0 commit comments