* fix(mcp): respect X-Forwarded-Proto header in OAuth endpoints
When LiteLLM proxy is deployed behind a reverse proxy (like nginx or a load balancer) that terminates SSL/TLS, the proxy receives HTTP requests internally but should expose HTTPS URLs externally. This change detects the X-Forwarded-Proto header and uses it to construct correct redirect URIs and endpoint URLs.
Changes:
- Added X-Forwarded-Proto detection to authorize, token, oauth_protected_resource_mcp, oauth_authorization_server_mcp, and register_client endpoints
- Added comprehensive tests for X-Forwarded-Proto header support across all affected endpoints
- Fixed existing tests to properly mock request.headers
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix formatting
* feat(mcp): support X-Forwarded-Host for proxy base URL reconstruction
Extended X-Forwarded-Proto support to also handle X-Forwarded-Host and X-Forwarded-Port headers. This allows LiteLLM to correctly construct redirect URIs and endpoint URLs when deployed behind a reverse proxy that changes the host/port.
Example scenario:
- Internal URL: http://localhost:8888/github/mcp
- External URL: https://proxy.abc.com/github/mcp
- Proxy sets: X-Forwarded-Proto: https, X-Forwarded-Host: proxy.abc.com
Changes:
- Added get_request_base_url() helper function to centralize X-Forwarded-* header handling
- Replaced all inline X-Forwarded-Proto checks with calls to the helper function
- Helper handles X-Forwarded-Proto, X-Forwarded-Host, and X-Forwarded-Port
- Added tests for X-Forwarded-Host scenarios in authorize and token endpoints
Fixes issue where protected resource URL mismatch occurred:
Error: Protected resource http://proxy.abc.com:8888/github/mcp
does not match expected https://proxy.abc.com/github/mcp🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* chore: replace Yelp-specific hostnames with generic examples
Changed all references from chatproxy.yelpcorp.com to proxy.example.com in:
- test_proxy_forwarding.py (default host parameter)
- TEST_PROXY_FORWARDING.md (documentation examples)
- discoverable_endpoints.py (docstring example)
- test_discoverable_endpoints.py (test mock data)
This makes the code more generic and suitable for open source.
All 13 tests still passing.
* remove accidentally added files
* fix formatting
* add new test for get_base_url
---------
Co-authored-by: Claude <noreply@anthropic.com>
* fix: Add response_type parameter to OAuth authorization endpoint
Fixes#15684
OAuth providers like Google require the response_type parameter during
the authorization flow. This commit adds response_type=code to the
authorization redirect parameters, which is required by the OAuth 2.0
specification (RFC 6749 Section 4.1.1).
Changes:
- Added response_type=code to authorization params in discoverable_endpoints.py
- Added test coverage for the response_type parameter
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix oauth flow by forwarding code_challenge and forwarding code_verifier
---------
Co-authored-by: Claude <noreply@anthropic.com>
* feat: UI to add specific tools under creating MCP connection
* chore: pydantic + prisma changes
* feat: adding specific MCP tools now works
* fix: allowed tools filtering
* chore: filtered list to mcp server cost config
* chore: update Readme
* chore: refactor the filtering
* test: Added tests
When the allowed_tests is null, empty list or populated
* chore: resolve the proxy issue
* feat: updating MCP tool filtering
Allow proxy admins to add arbitrary metadata fields to MCP servers
in config.yaml under mcp_servers.<server>.mcp_info, similar to how
model_info already works.
Changes:
- Changed MCPInfo from TypedDict to Dict[str, Any] for flexibility
- Updated load_servers_from_config to preserve all custom fields
- Updated add_update_server to handle arbitrary fields from database
- Added comprehensive unit tests covering all scenarios
Sameer Kankute