weather_service: forward inbound Authorization header to MCP tool calls#203
Merged
huang195 merged 1 commit intokagenti:mainfrom Mar 26, 2026
Merged
Conversation
huang195
force-pushed
the
forward-token-weather-service
branch
from
6bf3f3c to
4d7a28f
Compare
Same pattern as git_issue_agent (c8ebde1): extract the inbound Authorization header from context.call_context.state and pass it to the MCP client via the headers config. This enables transparent token exchange when the agent is deployed behind a waypoint proxy or AuthBridge — the outbound MCP call carries the token so the proxy can validate and exchange it for the tool's audience. Signed-off-by: Hai Huang <huang195@gmail.com>
huang195
force-pushed
the
forward-token-weather-service
branch
from
4d7a28f to
4a7f60e
Compare
esnible
reviewed
Mar 26, 2026
Contributor
esnible
left a comment
esnible
left a comment
There was a problem hiding this comment.
These are great! A few nits, not needed for merge.
It would also be awesome if somehow the traceparent header could be processed and/or forwarded to the MCP tool. I don't know if that should be in the same PR as this one.
| } | ||
| if headers: | ||
| mcp_config["headers"] = headers | ||
| return MultiServerMCPClient({"math": mcp_config}) |
Contributor
There was a problem hiding this comment.
Suggested change
| return MultiServerMCPClient({"math": mcp_config}) | |
| return MultiServerMCPClient({"weather": mcp_config}) |
This isn't your fault, but some (generated?) code is calling weather a math tool.
|
|
||
| # Forward inbound Authorization header to outbound MCP tool calls. | ||
| # This enables transparent token exchange when deployed behind a waypoint | ||
| # or AuthBridge proxy (same pattern as git_issue_agent, see c8ebde1). |
Contributor
There was a problem hiding this comment.
Suggested change
| # or AuthBridge proxy (same pattern as git_issue_agent, see c8ebde1). | |
| # or [AuthBridge](https://github.com/kagenti/kagenti-extensions/tree/main/AuthBridge) proxy (same pattern as git_issue_agent, see c8ebde1). |
esnible
approved these changes
Mar 26, 2026
huang195
added a commit
to huang195/authbridge-waypoint
that referenced
this pull request
Mar 26, 2026
Remove the local patch overlay now that the token forwarding change has been submitted upstream (kagenti/agent-examples#203). The official image will include the Authorization header forwarding once merged. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Same pattern as the git_issue_agent change in c8ebde1.
Why
When the weather_service agent is deployed behind a token exchange proxy (e.g., Istio waypoint with ext_authz, or AuthBridge), the proxy needs the Authorization header on outbound requests to perform RFC 8693 token exchange. Without this change, the MCP client makes unauthenticated calls to the tool, which the proxy rejects.
Test plan
Generated with Claude Code