[v1.x] Bind transport sessions to the authenticated principal by maxisbey · Pull Request #2719 · modelcontextprotocol/python-sdk
Both HTTP transports now record the principal that created each session — the OAuth client together with the issuer and subject when the token verifier supplies them — and serve subsequent requests for that session only when they present the same principal. Requests presenting a different principal receive the same 404 response as for an unknown session ID, and SSE session entries are removed when the connection ends. Servers without authentication, and authentication backends other than the built-in BearerAuthBackend, are unaffected: no principal is recorded and the comparison always passes.
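As an added illustration of the behaviour described above (example code, not the python-sdk's own implementation; the class and function names and the principal tuple shape are assumptions), a minimal session store that records the creating principal and treats a principal mismatch exactly like an unknown session ID:

```python
# Added example, not the python-sdk's own code. Models the rule the PR
# describes: a session is served only to the principal that created it,
# a mismatch looks like an unknown session, and unauthenticated servers
# record no principal so the check always passes.
from dataclasses import dataclass
from typing import Optional, Tuple

# (client_id, issuer, subject); None means no authentication ran. Assumed shape.
Principal = Optional[Tuple[str, Optional[str], Optional[str]]]

NOT_FOUND = 404


@dataclass
class Session:
    session_id: str
    principal: Principal


class SessionStore:
    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, session_id: str, principal: Principal) -> Session:
        # Record who created the session (None when no auth backend ran).
        session = Session(session_id, principal)
        self._sessions[session_id] = session
        return session

    def lookup(self, session_id: str, principal: Principal) -> Optional[Session]:
        """Return the session only if the caller presents the same principal.

        A mismatch is indistinguishable from an unknown session ID, so a
        caller cannot learn which session IDs exist by probing them.
        """
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if session.principal is not None and session.principal != principal:
            return None
        return session

    def remove(self, session_id: str) -> None:
        # Called from the transport's finally block when the connection ends.
        self._sessions.pop(session_id, None)


def status_for(store: SessionStore, session_id: str, principal: Principal) -> int:
    """HTTP status a request for this session would get: 200 or 404."""
    return 200 if store.lookup(session_id, principal) is not None else NOT_FOUND
```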
maxisbey deleted the v1/session-credential-binding branch
maxisbey added a commit that referenced this pull request
connect_sse now removes _read_stream_writers[session_id] in a finally once the GET request unwinds (#2719), so the endpoint-event test waits for that cleanup after the client disconnects instead of pinning the old retention behaviour.