Skip to content

Add Tableau OAuth support #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 106 commits into
base: main
Choose a base branch
from
Open

Add Tableau OAuth support #71

wants to merge 106 commits into from

Conversation

anyoung-tableau
Copy link
Collaborator

@anyoung-tableau anyoung-tableau commented Jul 23, 2025
edited
Loading

These changes introduce two new concepts:

  1. The ability for server admins to protect their remotely-deployed servers that use the Streamable HTTP transport type with Tableau OAuth. This means to even use the MCP server, users must sign in to the Tableau Server or Cloud.
  2. The ability for server admins to configure their MCP server to no longer require a hard-coded PAT or CA info, but to use the access token issued by Tableau during OAuth dance to authenticate to the Tableau REST APIs. This also means the data returned by these APIs are scoped to the MCP client's user, NOT the user who owns the PAT configured by the MCP server admin.

To clarify, for MCP server admins who protect their server with Tableau OAuth, bullet 2 above is NOT a requirement. They can still provide a PAT or Connected Apps config to use for authenticating to the Tableau REST APIs.

In this implementation, the MCP server is functioning as the authorization server as well. This need not be the case though; the authorization server piece could be deployed as its own distinct service. If necessary, we can revisit the design based on customer feedback.

The OAuth 2.1 authorization flow is implemented as per the MCP spec version 2025-06-18:

This provider handles:

    • Step 1: Initial 401 response with WWW-Authenticate
    • Step 2: Resource metadata discovery
    • Step 3: Authorization server metadata
    • Step 4: Dynamic client registration
    • Step 5: Authorization with PKCE
    • Step 6: OAuth callback
    • Step 7: Token exchange
    • Step 8: Authenticated requests
Screenshot 2025-07-24 113435 Screenshot 2025-07-24 113606 Screenshot 2025-07-24 113756

@anyoung-tableau
Make server non-singleton
c160092
@anyoung-tableau
Make config non-singleton
39a133b
@anyoung-tableau
Parameterize transport
00a8080
@anyoung-tableau
Add streamable http transport layer
41cb5c0
@anyoung-tableau
Wire up relatedRequestId
5280635
@anyoung-tableau
Add start:http script
3372525
@anyoung-tableau
Add signOut API
f1f0b81
@anyoung-tableau
Add useRestApi
b72e16c
@anyoung-tableau
Add procfile
259ade8
@anyoung-tableau
Change start scripts
a175f29
@anyoung-tableau
Rename HTTP_PORT to PORT
0f30937
@anyoung-tableau
Fix script name
1a2d3d6
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/stateless
991b53d
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/transport
c58bb59
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/heroku
5e03cc1
@anyoung-tableau
Move server to its own folder
8350669
@anyoung-tableau
[in progress] Add OAuth
dbefeeb
@anyoung-tableau
Use a signed JWT instead of Tableau access token directly
14e0fcc
@anyoung-tableau
Use Date.now() instead
383bfa9
@anyoung-tableau
Use Tableau user id as JWT sub claim
6d0ab3e
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/stateless
963050c
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/stateless
ba98f63
@anyoung-tableau
Bump version
6a0f94f
@anyoung-tableau
Fix lint errors
a9294aa
@anyoung-tableau
Merge remote-tracking branch 'origin/anyoung/stateless' into anyoung/…
f256e52 
…transport
@anyoung-tableau
Fix lint error
666bbb8
@anyoung-tableau
Address CVE CVE-2025-49596
452e259
@anyoung-tableau
Move authZ code exchange to OAuth callback
0b8db08
@anyoung-tableau
Remove multiple links to spec
bebbce1
@anyoung-tableau
Organize file
577bb90
anyoung-tableau
anyoung-tableau commented Aug 8, 2025
View reviewed changes
src/config.ts Outdated
}

if (this.auth !== 'oauth') {
invariant(this.siteName, 'The environment variable SITE_NAME is not set');
Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is wrong. siteName can be empty for the default site on Server.

anyoung-tableau and others added 29 commits August 8, 2025 13:56
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
ea359a8
@anyoung-tableau
Add Connected App JWT support (OAuth) (#76)
66af838 
* Add back CA support

* Rename var

* s/replace/replaceAll

* Update readme

* Add tests

* Use jose instead of jsonwebtoken

* Update env examples

* Rename to JWT_ADDITIONAL_PAYLOAD

* Choose scopes per tool

* Fix tests

* Fix typo in readme

* Remove {OAUTH_USERNAME} when OAuth is not enabled

* Remove accessToken from AuthConfig

* Delete merge files

* Default additional payload to empty object

* Sign out for direct-trust too

* Add basePath to protected resource

* Use issuer instead

* Fix bad merge

* Again
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
b599938
@anyoung-tableau
Use encrypted JWE instead of non-encrypted JWT for MCP access token (#92
1ed24e1 
)

* Use JWE instead of JWT

* Remove old code

* Remove more unused code

* Verify issuer and audience

* Fix manifest

* Add OAUTH_JWE_PRIVATE_KEY_PASSPHRASE

* Add OAUTH_JWE_PRIVATE_KEY_PASSPHRASE to readme

* Update readme

* Fix lint errors

* Make getters private
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
b928bc0
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
b24b0cf
@anyoung-tableau
Add docs for OAuth
040da8e
@anyoung-tableau
Make OAuth the defualt behavior for http transport
3746b3a
@anyoung-tableau
Upload docs to artifacts
6774155
@anyoung-tableau
Fix http transport test
b42c929
@anyoung-tableau
Link to DISABLE_OAUTH section
6133f34
@anyoung-tableau
Default auth to oauth when OAuth is enabled
f9a4ad2
@anyoung-tableau
Add env file generator
d0a0510
@anyoung-tableau
Fix state issue
4b22e0a
@anyoung-tableau
Open links in new tab
6f80d9e
@anyoung-tableau
Add commas to vs code config
bc1a241
@anyoung-tableau
Make SERVER and SITE_NAME optional when AUTH is oauth (#101)
94ea897 
* Add basic session management

* Read originHost from token response

* Remove state

* Clean up

* Combine env var docs

* Change default access token timeout to 1 hour

* Revert registerRequestHandlers

* Add constant for TabCloud URL

* Fix OAuth tests
@anyoung-tableau
Add OAuth sequence diagram
e34656b
@anyoung-tableau
Gen private key
f1c65d1
@anyoung-tableau
Add Claude redirect URIs
2764614
@anyoung-tableau
Revert that, unnecessary
c618981
@anyoung-tableau
Delete refresh token after timeout
8c5465c
@anyoung-tableau
Add OAUTH_JWE_PRIVATE_KEY
c78b278
@anyoung-tableau
Don't get private key
975db31
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
f80a6a4
@anyoung-tableau
Fix lint errors
0b58e47
@anyoung-tableau
Fix doc links
f391d8c
@anyoung-tableau
Refactor into individual files
dbad79e
@anyoung-tableau
Merge remote-tracking branch 'origin/main' into anyoung/oauth
bcee110
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renoyjohnm renoyjohnm renoyjohnm approved these changes

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@anyoung-tableau @renoyjohnm @stephendeoca