working tree of plane mcp

[jawad-khan]

Plane MCP server — Cognito HTTP mode & Plane identity alignment (Pressingly/plane-mcp-server#2)

Summary

This PR adds Cognito-backed streamable HTTP for the Plane MCP server (FastMCP AWSCognitoProvider), a list_workspaces bootstrap tool so callers can discover workspace slugs before hitting /api/v1/workspaces/<slug>/..., and—critically—a fix so browser OAuth MCP callers authenticate as the same Plane user as the web UI when Plane sits behind Traefik + oauth2-proxy ForwardAuth with OAUTH2_PROXY_USER_ID_CLAIM=cognito:username.

No AWS Console changes are required (no Cognito Lambda until ops chooses to add one).

---

Problem statement

1. MCP sessions validate Cognito access tokens at the MCP layer (correct).

2. Plane API requests must carry Authorization: Bearer … through Traefik → oauth2-proxy → Plane. oauth2-proxy is configured for the web cookie flow, where cognito:username appears on ID tokens, not access tokens.

3. Cognito access tokens in typical setups expose username (no cognito: prefix), sub, and often no email that Plane/oauth2-proxy can treat like the web user. email on ID tokens may still be the placeholder cognito:default_val.

4. Forwarding only the access token makes oauth2-proxy fall back to sub for user identity. Plane’s ProxyAuthMiddleware then resolves (sub-derived email / synthetic identity) → a different Django user than the one created via the browser SSO session → 403 / wrong workspace membership.

5. Internal-network hacks don’t survive multi-host production: bypassing Traefik and injecting X-Auth-Request-Email against plane-api:8000 couples MCP to Plane placement and weakens the guarantee that only Traefik/oauth2-proxy may mint X-Auth-Request-* headers.

---

Solution (high level)

Piece	Choice
MCP ingress	FastMCP + AWSCognitoProvider (plane_mcp.cognito_http), mounts GET /healthz, / → MCP, /http/api-key/… for PAT mode
Cursor ↔ MCP	Cursor/mcp-remote OAuth → MCP validates FastMCP-issued reference JWTs → upstream Cognito tokens in Redis-compatible store
Plane ↔ oauth2-proxy	Forward the Cognito ID token as Bearer to Plane’s public HTTPS URL (same aud as access token; JWKS validation succeeds). ID token contains cognito:username, matching oauth2-proxy’s --user-id-claim and Plane’s proxy-auth expectations
Where the swap happens	_PlaneCognitoProvider.load_access_token overrides OAuthProxy.load_access_token: after upstream validation, copy raw_token_data["id_token"] into AccessToken.claims["id_token"]. plane_mcp.client._plane_bearer_for prefers claims["id_token"] when building PlaneClient and list_workspaces httpx calls
Self-signed TLS in dev	list_workspaces uses httpx with verify= from REQUESTS_CA_BUNDLE / SSL_CERT_FILE (httpx does not honor REQUESTS_CA_BUNDLE implicitly; requests/PlaneClient still use env as today)
OAuth ergonomics	COGNITO_RELAX_OAUTH_RESOURCE_MISMATCH (default on): clear mismatched MCP resource vs MCP_BASE_URL so Cursor local resource URLs don’t die with invalid_target before Cognito
DCR redirects	MCP_ALLOWED_CLIENT_REDIRECT_URIS unset → allow any (needed for cursor:// etc.)

---

Architecture

flowchart LR
  subgraph Client
    C[Cursor / mcp-remote]
  end

  subgraph MCP["plane-mcp-server"]
    FM[FastMCP Cognito HTTP]
    JWT[FastMCP reference JWT]
    SWAP[_PlaneCognitoProvider.load_access_token]
    TOK[id_token in AccessToken.claims]
  end

  subgraph Edge
    T[Traefik TLS]
    O[oauth2-proxy ForwardAuth]
  end

  subgraph Plane
    P[plane-api ProxyAuthMiddleware + REST]
  end

  subgraph IdP["AWS Cognito"]
    CO[Cognito OIDC]
  end

  C -->|HTTPS OAuth / MCP JSON-RPC| FM
  FM <-->|Authorization code + tokens| CO
  FM --> JWT
  SWAP --> TOK
  C -->|tools/call + Bearer FastMCP JWT| SWAP

  TOK -->|Bearer Cognito ID token| T
  T --> O
  O -->|X-Auth-Request-* from JWT claims| P

Loading

Validate upstream Cognito access token inside MCP before exposing tools; Plane upstream receives Bearer <id_token>.

Request path for a tool call (conceptual):

1. Cursor sends MCP traffic with the FastMCP session token.
2. load_access_token verifies that JWT, loads upstream Cognito UpstreamTokenSet, validates access token with Cognito JWKS, attaches id_token string into claims.
3. PlaneClient / httpx calls https://<plane-host>/... with Authorization: Bearer <id_token>.
4. Traefik runs ForwardAuth → oauth2-proxy validates JWT → sets X-Auth-Request-User from cognito:username → Plane resolves the same user as the browser.

---

Decisions not taken (and why)

Alternative	Why we didn’t ship it
Cognito Pre-Token-Generation Lambda adding cognito:username to access tokens	Correct long-term; requires AWS access this repo doesn’t assume
plane-api:8000 + synthetic X-Auth-Request-* from MCP	Breaks multi-host separation of duties; headers must only originate at oauth2-proxy
sha256(access_token) lookup in Redis	Wrong key shape — FastMCP stores upstream tokens under random upstream_token_id keyed by FastMCP JWT jti — fix belongs inside load_access_token

---

Files touched (expected)

• plane_mcp/cognito_http.py — Cognito HTTP app, _PlaneCognitoProvider, load_access_token, redirect/resource relaxation.
• plane_mcp/client.py — _plane_bearer_for (prefer claims["id_token"]).
• plane_mcp/tools/workspaces.py — list_workspaces, _plane_auth_headers, _httpx_verify.
• plane_mcp/__main__.py — runtime branch for Cognito HTTP vs existing modes.
• tests/ — Cognito env / redirect tests; workspace auth/header tests.
• README.md — Cognito HTTP URLs, env vars, transport docs.

---

Related devstack repo (foss-server-bundle-devstack)

Compose wires MCP_BASE_URL, COGNITO_*, OIDC_*, REDIS_* → Valkey, PLANE_BASE_URL (Traefik Plane host), optional PLANE_MCP_* aliases. AGENTS.md documents Bearer = Cognito ID token for plane-mcp.

---

Follow-ups (optional)

• Align README.md PAT URL line with /http/api-key/mcp everywhere (Copilot nit).
• pyproject.toml: add httpx as a direct dependency if list_workspaces keeps httpx (Copilot nit).
• Workspace model docstring: clarify GET /api/users/me/workspaces/ vs /api/v1/workspaces/ (Copilot nit).
• When AWS allows: Cognito Pre Token Generation V2 → inject cognito:username into access tokens → may simplify claims["id_token"] forwarding.

---

Testing

• Cognito HTTP: Cursor connects to https://<host>/mcp, completes OAuth, tools/list succeeds.
• list_workspaces returns workspaces for the same user as the Plane web UI.
• list_projects (or any /api/v1/workspaces/<slug>/...) succeeds for that user with PLANE_WORKSPACE_SLUG set.
• Plane API logs show user_id consistent with web SSO for both python-requests and python-httpx callers.
• oauth2-proxy access logs show cognito:username (numeric user id), not bare sub UUID.

---

Checklist (template compliance)

• Single logical change set (Cognito HTTP + identity alignment + workspace bootstrap).
• Tests updated for redirect/auth helpers.
• CHANGELOG updated if this repo maintains one for releases.

[Copilot]

Pull request overview

Adds a Cognito-backed HTTP mode for the Plane MCP server and introduces a workspace bootstrap tool to discover workspace slugs for authenticated users.

Changes:

• Introduces plane_mcp.cognito_http to run FastMCP with AWSCognitoProvider, plus a Starlette app with /mcp, /http/api-key/mcp, and /healthz.
• Adds a new list_workspaces tool (and supporting auth/base-url helpers) to fetch /api/users/me/workspaces/.
• Adds unit tests for Cognito redirect/allowed-URI logic and workspace auth/base-url helpers; updates README for the new Cognito mode and transport URLs/tool inventory.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
plane_mcp/cognito_http.py	New Cognito HTTP Starlette/FastMCP wiring, redirect-uri resolution, client redirect allowlisting, and token-claim adjustments.
plane_mcp/__main__.py	Adds runtime selection to start Cognito HTTP server when required env vars are present.
plane_mcp/tools/workspaces.py	Adds list_workspaces plus auth/base-url helpers and a Pydantic Workspace model.
plane_mcp/client.py	Adds _plane_bearer_for to prefer forwarding an attached Cognito ID token; tweaks workspace slug claim handling/docs.
tests/test_cognito_http.py	Unit tests for Cognito env readiness, redirect URI building/validation, and allowed redirect URI parsing.
tests/test_workspaces_tool.py	Unit tests for Plane base URL selection and auth header construction across OAuth/PAT/env modes.
README.md	Documents Cognito HTTP mode and updates remote transport docs/tool listing.

Comments suppressed due to low confidence (1)

README.md:75

• The PAT transport URL is inconsistent: this section says https://mcp.plane.so/api-key/mcp, but the example config below (and the server mounts in plane_mcp/__main__.py / plane_mcp/cognito_http.py) use /http/api-key/mcp. Please make the URL consistent (likely /http/api-key/mcp) so users don’t copy a broken endpoint.

Connect to the hosted Plane MCP server using a Personal Access Token (PAT).

**URL**: `https://mcp.plane.so/api-key/mcp`

**Headers**:
- `Authorization: Bearer <PAT_TOKEN>`
- `X-Workspace-slug: <SLUG>`

**MCP Client Configuration** (for tools like Claude Desktop without native remote MCP support):

```json
{
  "mcpServers": {
    "plane": {
      "command": "npx",
      "args": ["mcp-remote@latest", "https://mcp.plane.so/http/api-key/mcp"],
      "headers": {

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The README’s tool documentation no longer lists several tool categories that are still registered in code (e.g., register_epic_tools, register_milestone_tools, register_label_tools, register_state_tools, etc. in plane_mcp/tools/__init__.py). As a result, the stated “55+ tools across 8 categories” is misleading—please update the README tool list / totals (or remove the tools) to match the actual exported tool surface.

Suggested change

	**Total Tools**: 55+ tools across 8 categories
	**Tool coverage**: The server exports the tools documented above along with additional registered categories, including epic, milestone, label, and state tools. For the complete current tool registry, refer to `plane_mcp/tools/__init__.py`.

[Copilot]

The Workspace model docstring says it is returned from GET /api/v1/workspaces/, but the new list_workspaces() tool actually calls /api/users/me/workspaces/. Please update the docstring to reflect the real endpoint to avoid confusing tool consumers and future maintainers.

[Copilot]

workspaces.py now imports and uses httpx directly, but httpx is not listed as a direct dependency in pyproject.toml. Please add it as an explicit dependency (even if it currently arrives transitively) to avoid installs breaking if upstream dependency graphs change.

[Copilot]

The docstring warns that PLANE_INTERNAL_BASE_URL “skips Traefik+oauth2-proxy” and is only safe for PAT auth, but the implementation always prefers PLANE_INTERNAL_BASE_URL even when using an OAuth bearer token. Either adjust the selection logic (e.g., prefer PLANE_BASE_URL when access_token is used) or update the docs so behavior and guidance match.

[Copilot]

This warning message references PLANE_MCP_BASE_URL, but the code and required env vars use MCP_BASE_URL (and there’s no other mention of PLANE_MCP_BASE_URL in the repo). Please fix the env var name in the log text to avoid sending operators to a non-existent setting.

Suggested change

	"resource binding (COGNITO_RELAX_OAUTH_RESOURCE_MISMATCH). Prefer aligning PLANE_MCP_BASE_URL "
	"/ MCP_BASE_URL with the MCP URL your client uses.",
	"resource binding (COGNITO_RELAX_OAUTH_RESOURCE_MISMATCH). Prefer aligning MCP_BASE_URL "
	"with the MCP URL your client uses.",

[Copilot]

Pull request overview

Copilot reviewed 28 out of 28 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jawad-khan]

We are not setting PLANE_INTERNAL_BASE_URL in environment.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aznszn]

Added a simplification/debloat commit on top of this PR.

What changed: Removed ~170 lines of configurable knobs that all had safe fixed values in practice — nobody was ever setting COGNITO_OIDC_FORWARD_PKCE, COGNITO_TOKEN_ENDPOINT_AUTH_METHOD, COGNITO_RELAX_OAUTH_RESOURCE_MISMATCH, COGNITO_REQUIRE_CONSENT, or MCP_COGNITO_REDIRECT_URI. Hardcoded the defaults, deleted the dead paths.

Biggest change: AUTH_TYPE=SSO explicit opt-in replaces the old heuristic that sniffed env vars to decide whether to start in Cognito mode. Explicit is better — no more partial-config footguns.

No behavior change for the actual deployed configuration. All existing tests pass, added targeted tests for _plane_bearer_for and the id_token header preference.

[hunzlahmalik]

Review — Cognito HTTP + ID-token forwarding + list_workspaces

Reviewed with Pressingly/plane#17 and Pressingly/foss-server-bundle#86 (one feature, ship together). The engineering is sound and genuinely well-tested — _PlaneCognitoProvider, _plane_bearer_for, the get_plane_client_context hard-fail, and the auth-header helper all have targeted tests. I checked the two things that looked risky and they're fine: self.jwt_issuer is a real FastMCP property (oauth_proxy/proxy.py:600, used the same way at :1578), and the _jwt_issuer mock in the tests resolves through it. One doc issue worth blocking on + a couple of low polish items.

🟡 Medium

• README §4 documents the wrong activation trigger (inline). It says "When all of the following environment variables are set…" and AUTH_TYPE isn't in the Required list — but the refactor (fe3b414) gated activation on AUTH_TYPE=SSO (__main__.py: if auth_type == "SSO":). Set every Cognito var, omit AUTH_TYPE=SSO, and you silently get Plane-OAuth/SSE instead, with no error. The devstack plane-mcp-oauth.md was updated for this; the README wasn't. Add AUTH_TYPE=SSO to Required and fix the trigger sentence.

🟢 Low

• load_access_token swallows all exceptions → 401 (inline). except Exception: … return None can't tell "id_token genuinely absent" from "transient Redis error on _upstream_token_store.get," so an infra blip bounces the whole session as an auth failure. The hard-fail posture is deliberate; consider distinguishing the two cases.
• client_secret = MCP_JWT_SIGNING_KEY (inline). Reusing one secret for two roles is only safe because _token_endpoint_auth_method="none" means it's never transmitted. A future change flipping that auth method leaks the session-signing key as a client secret.
• Cosmetic: workspace_slug was threaded through every tool but the Args: docstrings are only partly updated; and list_workspaces hits /api/users/me/workspaces/ (internal web API, session-auth) while the SDK tools hit /api/v1/ — worth a one-line note since the two families authenticate differently.

Good calls: get_plane_client_context now raising ConfigurationError on an unresolved slug (no more malformed /api/v1/workspaces/work-items/... 404s), and httpx added as a direct dep instead of relying on it transitively.

[hunzlahmalik]

🟡 Medium — stale trigger. The refactor (fe3b414) changed activation to AUTH_TYPE=SSO (plane_mcp/__main__.py: if auth_type == "SSO":), but this still says "When all of the following environment variables are set…" and AUTH_TYPE is missing from the Required list below. Net effect: set every Cognito var, omit AUTH_TYPE=SSO, and you silently fall through to Plane-OAuth/SSE with no error. Add AUTH_TYPE=SSO to Required and reword the trigger.

[hunzlahmalik]

🟢 Low. This except Exception: return None makes any failure here (e.g. a transient _upstream_token_store / Redis error) indistinguishable from "id_token absent," and returning None rejects the whole session as invalid auth. Consider catching narrowly / re-raising infra errors so a store hiccup isn't surfaced as a 401.

[hunzlahmalik]

🟢 Low. client_secret=jwt_signing_key reuses MCP_JWT_SIGNING_KEY for two distinct roles. Safe only because _token_endpoint_auth_method="none" (set just below) means it's never sent to Cognito. If that auth method ever changes, the session-signing key leaks as a client secret. A dummy client_secret (or a sharper comment) would be safer.