Added Provider for OCI IAM service.

[kiranthakkar]

Description

Contributors Checklist

• [2316] My change closes Want to add support for OCI IAM service. #2316
• [ Y] I have followed the repository's development workflow
• [ Y] I have tested my changes manually and by adding relevant tests
• [ Y] I have performed all required documentation updates

Review Checklist

• [Y ] I have self-reviewed my changes
• [ Y] My Pull Request is ready for review

---

Summary by CodeRabbit

• New Features
  • Added Oracle Cloud Infrastructure (OCI) OIDC authentication provider for FastMCP.
  • Exposes environment-backed configuration for client credentials, audience, issuer/base URLs, required scopes, redirect URIs, and JWT signing key.
  • Includes validation for required configuration fields and initialization logging to assist setup and troubleshooting.

[coderabbitai]

Walkthrough

Adds an OCI OIDC authentication provider: new OCIProviderSettings (Pydantic BaseSettings with env-prefix parsing and scope parsing) and OCIProvider (extends OIDCProxy) that validates required fields, constructs settings, and initializes the OIDC proxy with mapped values and logging.

Changes

Cohort / File(s)

Change Summary

OCI OIDC Provider Implementation src/fastmcp/server/auth/providers/ociprovider.py

Added OCIProviderSettings (Pydantic BaseSettings) with fields config_url, client_id, client_secret, audience, base_url, issuer_url, redirect_path, required_scopes, allowed_client_redirect_uris, jwt_signing_key; uses env prefix FASTMCP_SERVER_AUTH_OCI_ and a before validator _parse_scopes that calls parse_scopes. Added OCIProvider (public) extending OIDCProxy; constructor accepts typed params (many defaulting to NotSet), enforces presence of config_url, client_id, client_secret, and base_url (raises ValueError with explicit messages), builds OCIProviderSettings, maps/normalizes values (converts client_secret to plain text), calls super().__init__ with those values, and logs initialization (client_id and scopes). No other behavioral changes.

Sequence Diagram(s)

sequenceDiagram
  participant App as FastMCP App
  participant OCIProv as OCIProvider
  participant Settings as OCIProviderSettings
  participant OIDC as OIDCProxy

  Note over App,OCIProv: Provider instantiation
  App->>OCIProv: instantiate OCIProvider(...)
  OCIProv->>Settings: construct settings (env FASTMCP_SERVER_AUTH_OCI_)
  Settings-->>OCIProv: validated settings (scopes parsed)
  OCIProv->>OIDC: super().__init__(mapped values, client_secret plain)
  OIDC-->>OCIProv: initialized
  OCIProv-->>App: ready (logs client_id & scopes)

Loading

Possibly related issues

• Want to add support for OCI IAM service. #2316 — Implements the requested OCI OIDC authentication provider by adding OCIProvider and its settings, matching the issue objective.

Poem

🐰 I nibble configs beneath the moonlight,
I parse each scope, keep secrets snug and tight,
I stitch settings, validate with care,
OCI keys tucked safely in my lair,
FastMCP hops forward, small and bright.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Description Check	❓ Inconclusive	The pull request description section is present but extremely minimal, consisting of a single sentence that provides only a high-level overview of the changes. Given that the raw summary indicates two new public classes (OCIProviderSettings and OCIProvider) with multiple fields, validators, and complex initialization logic were added, the description lacks the necessary detail about what was specifically implemented and why. Additionally, while the contributor and review checklist items are marked as completed, the checkbox formatting is non-standard (using brackets with letters/numbers instead of proper checkboxes), making it unclear if the items are intended to be marked as checked. The required sections are technically present but are insufficiently detailed to constitute a complete pull request description.	The author should provide a more detailed description of the changes beyond the single sentence, including what functionality was added, which files were modified, and the purpose of the new OCIProviderSettings and OCIProvider classes. Additionally, the contributor and review checklist items should use proper checkbox formatting (either - [x] for checked or - [ ] for unchecked) to clearly indicate the completion status of each requirement. The description should be more specific about the implementation details rather than remaining at such a generic, high-level overview.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Added Provider for OCI IAM service." is directly related to the main change in the pull request. The raw summary confirms that the changeset adds a new OCI OIDC authentication provider by introducing OCIProviderSettings and OCIProvider classes. The title is clear, specific, and concise—it describes what was added (a Provider) and for which service (OCI IAM), making it easy for teammates scanning history to understand the primary change without requiring knowledge of internal implementation details.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d12f51d and 2cb1f41.

📒 Files selected for processing (1)

• src/fastmcp/server/auth/providers/ociprovider.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Use Python ≥ 3.10 and provide full type annotations for library code

Files:

• src/fastmcp/server/auth/providers/ociprovider.py

**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Never use bare except; always catch specific exception types

Files:

• src/fastmcp/server/auth/providers/ociprovider.py

🧬 Code graph analysis (1)

src/fastmcp/server/auth/providers/ociprovider.py (3)

src/fastmcp/server/auth/oidc_proxy.py (1)

• OIDCProxy (172-384)

src/fastmcp/utilities/auth.py (1)

• parse_scopes (9-34)

src/fastmcp/utilities/logging.py (1)

• get_logger (14-26)

🪛 GitHub Actions: Run static analysis

src/fastmcp/server/auth/providers/ociprovider.py

[error] 97-97: B006 Do not use mutable data structures for argument defaults. Replace with None; initialize within function. (ruff-check)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Run tests: Python 3.10 on windows-latest
• GitHub Check: Run tests with lowest-direct dependencies
• GitHub Check: label-issue-or-pr

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 397bf6e and fc3c3bf.

📒 Files selected for processing (1)

• src/fastmcp/server/auth/providers/ociprovider.py (1 hunks)

🧰 Additional context used

📓 Path-based instructions (2)

src/**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Use Python ≥ 3.10 and provide full type annotations for library code

Files:

• src/fastmcp/server/auth/providers/ociprovider.py

**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

Never use bare except; always catch specific exception types

Files:

• src/fastmcp/server/auth/providers/ociprovider.py

🧬 Code graph analysis (1)

src/fastmcp/server/auth/providers/ociprovider.py (3)

src/fastmcp/server/auth/oidc_proxy.py (1)

• OIDCProxy (172-384)

src/fastmcp/utilities/auth.py (1)

• parse_scopes (9-34)

src/fastmcp/utilities/logging.py (1)

• get_logger (14-26)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Run tests with lowest-direct dependencies
• GitHub Check: Run tests: Python 3.10 on windows-latest

🔇 Additional comments (3)

src/fastmcp/server/auth/providers/ociprovider.py (3)

1-35: LGTM! Well-structured module with clear documentation.

The module docstring provides a clear example, imports are well-organized, and the logger follows FastMCP conventions.

---

119-157: LGTM! Solid validation logic with helpful error messages.

The settings construction correctly filters out NotSet values to allow environment variable fallbacks, and the required field validation provides clear guidance on how to set missing values.

---

158-179: LGTM! Clean initialization with proper value mapping.

The parent constructor receives correctly mapped values, including secure extraction of the client secret and proper handling of the jwt_signing_key (which correctly supports both str and bytes). The debug logging provides useful information for troubleshooting.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Add return type annotation to the validator.

For library code, full type annotations improve type safety and code clarity. The validator should explicitly annotate its return type.

Apply this diff:

     @field_validator("required_scopes", mode="before")
     @classmethod
-    def _parse_scopes(cls, v):
+    def _parse_scopes(cls, v) -> list[str] | None:
         return parse_scopes(v)

As per coding guidelines

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@field_validator("required_scopes", mode="before")
	@classmethod
	def _parse_scopes(cls, v):
	return parse_scopes(v)
	@field_validator("required_scopes", mode="before")
	@classmethod
	def _parse_scopes(cls, v) -> list[str] | None:
	return parse_scopes(v)

🤖 Prompt for AI Agents

In src/fastmcp/server/auth/providers/ociprovider.py around lines 58 to 61, the
Pydantic field validator _parse_scopes lacks an explicit return type; update its
signature to include the correct return type that matches parse_scopes (for
example -> list[str] or whatever parse_scopes returns), and add any necessary
typing imports (or use from __future__ import annotations) so the module remains
fully typed.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Complete the docstring with missing parameter documentation.

The docstring is missing documentation for three parameters: client_storage, jwt_signing_key, and require_authorization_consent. These are important configuration options (especially require_authorization_consent which has security implications) and should be documented for library users.

Consider adding documentation similar to the parent OIDCProxy class:

             redirect_path: Redirect path configured in OCI IAM Domain Integrated Application.
                     The default is "/auth/callback".
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
+                Patterns support wildcards (e.g., "http://localhost:*", "https://*.example.com/*").
+                If None (default), only localhost redirect URIs are allowed.
+            client_storage: Storage backend for OAuth state (client registrations, encrypted tokens).
+                If None, a DiskStore will be created in the data directory.
+            jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes).
+                If not provided, the client secret will be used to derive a key.
+            require_authorization_consent: Whether to require user consent before authorizing clients (default True).
+                When False, authorization proceeds without user confirmation.
+                SECURITY WARNING: Only disable for local development or testing environments.
         """

🤖 Prompt for AI Agents

In src/fastmcp/server/auth/providers/ociprovider.py around lines 105 to 118, the
docstring omits documentation for the parameters client_storage,
jwt_signing_key, and require_authorization_consent; update the docstring to add
brief descriptions for each: document client_storage (what storage
implementation is expected and its role), jwt_signing_key (purpose for signing
JWTs and expected format), and require_authorization_consent (boolean behavior
and security implication when true/false), mirroring style and phrasing used in
the parent OIDCProxy class so callers understand defaults and security impact.

[jlowin]

It appears that this doesn't actually "do" anything -- the arguments are passed directly to the OIDC proxy provider without defaults, validation, or any other OCI-specific logic. [The Auth0 provider does something similar, I see]. Is there a strong reason to introduce this class rather than simply encourage users to use the OIDC proxy? For example, the docstring shows config_url="https://{IDCS_GUID}.identity.oraclecloud.com/.well-known/openid-configuration" - is this an opportunity to simplify the user burden and just take the IDCS value?

[kiranthakkar]

That is right. I will also be able to add documentation specific to OCI (How do users create an Integrated application (OAuth Client) in OCI IAM service) in the Integrations section for OCI.
Step 2 for me is to add token exchange code for OCI. OCI control plane requires request signing. I will add a code to exchange OAuth token for OCI session token to be used with OCI control plane.