nat.plugins.mcp.auth.service_account.provider_config#

Classes#

`ServiceTokenConfig`	Configuration for service-specific token in dual authentication patterns.
`MCPServiceAccountProviderConfig`	Configuration for MCP service account authentication using OAuth2 client credentials.

Module Contents#

class ServiceTokenConfig(/, **data: Any)#

Bases: pydantic.BaseModel

Configuration for service-specific token in dual authentication patterns.

Supports two modes:

Static token: Provide token and header directly
Dynamic function: Provide function path and optional kwargs

The function will be called on every request and should have signature:

async def get_service_token(\*\*kwargs) -> str | tuple[str, str]

If function returns tuple[str, str], it’s interpreted as (header_name, token). If function returns str, it’s the token and header field is used for header name.

The function can access runtime context via AIQContext.get() if needed.

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

token: nat.data_models.common.OptionalSecretStr = None#

header: str = None#

function: str | None = None#

kwargs: dict[str, Any] = None#

validate_token_or_function()#: Ensure either token or function is provided, but not both.

class MCPServiceAccountProviderConfig(/, **data: Any)#

Bases: nat.authentication.interfaces.AuthProviderBaseConfig

Configuration for MCP service account authentication using OAuth2 client credentials.

Generic implementation supporting any OAuth2 client credentials flow.

Supports two authentication patterns: 1. Single authentication: OAuth2 service account token only 2. Dual authentication: OAuth2 service account token + service-specific token

Common use cases: - Headless/automated MCP workflows - CI/CD pipelines - Backend services without user interaction

All values must be provided via configuration. Use ${ENV_VAR} syntax in YAML configs for environment variable substitution.

Create a new model by parsing and validating input data from keyword arguments.

Raises [ValidationError][pydantic_core.ValidationError] if the input data cannot be validated to form a valid model.

self is explicitly positional-only to allow self as a field name.

client_id: str = None#

client_secret: nat.data_models.common.SerializableSecretStr = None#

token_url: str = None#

scopes: list[str] = None#

service_token: ServiceTokenConfig | None = None#

token_cache_buffer_seconds: int = None#

classmethod validate_scopes(v)#: Accept both list[str] and space-delimited string formats for scopes. Converts string to list for consistency.