feat(mcp): wire up oauth2 token verification for streamable-http transport

the mcp sdk (v1.26.0+) has built-in oauth 2.1 support via AuthSettings
and TokenVerifier, but the agent-memory-server never wired it up for the
streamable-http transport. without it, unauthenticated requests to /mcp
return 406 instead of 401 + WWW-Authenticate header, which prevents mcp
clients (like claude) from discovering the oauth flow.

changes:

- add JWTTokenVerifier that implements the sdk's TokenVerifier protocol
  by wrapping the existing verify_jwt() function
- conditionally pass AuthSettings + token_verifier to FastMCP when
  AUTH_MODE=oauth2 and OAUTH2_RESOURCE_HOST are set
- add /.well-known/oauth-authorization-server endpoint (RFC 9728) to
  the REST API for protected resource metadata discovery
- add OAUTH2_RESOURCE_HOST config setting for the server's public hostname

when enabled, the mcp transport now:
- returns 401 with WWW-Authenticate: Bearer resource_metadata="..." header
- serves /.well-known/oauth-protected-resource automatically (sdk built-in)
- validates jwt tokens on all mcp requests via jwks

when AUTH_MODE != oauth2 or OAUTH2_RESOURCE_HOST is unset, behavior is
unchanged — no auth kwargs are passed to FastMCP.

tested with ory hydra as the oidc provider and claude as the mcp client.

Author: Piotr1215

agent_memory_server/config.py

@@ -427,6 +427,7 @@ class Settings(BaseSettings):
     oauth2_audience: str | None = None
     oauth2_jwks_url: str | None = None
     oauth2_algorithms: list[str] = ["RS256"]
+    oauth2_resource_host: str | None = None
 
     # Token Authentication settings
     token_auth_enabled: bool = False

agent_memory_server/main.py

@@ -130,6 +130,17 @@ async def lifespan(app: FastAPI):
 app.include_router(memory_router)
 
 
+@app.get("/.well-known/oauth-authorization-server")
+async def oauth_authorization_server_metadata():
+    """RFC 9728 Protected Resource Metadata for MCP OIDC discovery."""
+    if not settings.oauth2_issuer_url:
+        return {"error": "OIDC not configured"}
+    return {
+        "resource": f"https://{settings.oauth2_resource_host or 'localhost'}",
+        "authorization_servers": [settings.oauth2_issuer_url],
+    }
+
+
 def on_start_logger(port: int):
     """Log startup information"""
     print("\n-----------------------------------")

agent_memory_server/mcp.py

@@ -3,6 +3,8 @@
 from typing import Any
 
 import ulid
+from mcp.server.auth.provider import AccessToken, TokenVerifier
+from mcp.server.auth.settings import AuthSettings
 from mcp.server.fastmcp import FastMCP as _FastMCPBase
 
 from agent_memory_server import working_memory as working_memory_core
@@ -255,12 +257,51 @@ async def run_stdio_async(self):
 """
 
 
+class JWTTokenVerifier(TokenVerifier):
+    """Verify JWT tokens from Hydra using the existing auth module."""
+
+    async def verify_token(self, token: str) -> AccessToken | None:
+        from agent_memory_server.auth import verify_jwt
+
+        try:
+            user_info = verify_jwt(token)
+            scopes = user_info.scope.split() if user_info.scope else []
+            return AccessToken(
+                token=token,
+                client_id=user_info.sub,
+                scopes=scopes,
+                expires_at=user_info.exp,
+            )
+        except Exception:
+            return None
+
+
+def _build_mcp_auth_kwargs() -> dict[str, Any]:
+    """Build auth kwargs for FastMCP if OAuth2 is configured."""
+    if (
+        settings.auth_mode != "oauth2"
+        or not settings.oauth2_issuer_url
+        or not settings.oauth2_resource_host
+    ):
+        return {}
+
+    resource_url = f"https://{settings.oauth2_resource_host}"
+    return {
+        "auth": AuthSettings(
+            issuer_url=settings.oauth2_issuer_url,
+            resource_server_url=resource_url,
+        ),
+        "token_verifier": JWTTokenVerifier(),
+    }
+
+
 mcp_app = FastMCP(
     "Redis Agent Memory Server",
     host=settings.mcp_host,
     port=settings.mcp_port,
     instructions=INSTRUCTIONS,
     default_namespace=settings.default_mcp_namespace,
+    **_build_mcp_auth_kwargs(),
 )