kaxil opened a new pull request, #68104: URL: https://github.com/apache/airflow/pull/68104
## Summary

`MCPHook` built the MCP server with a single static `Authorization` header taken from the connection `password`, so it could not authenticate to MCP endpoints that require a freshly minted or short-lived token. The motivating case is a [Snowflake managed MCP server](https://docs.snowflake.com/en/user-guide/snowflake-cortex/cortex-agents-mcp), best authenticated with a [key-pair JWT](https://docs.snowflake.com/en/user-guide/key-pair-auth) that expires after about an hour and cannot be stored as a static value. The same limit blocked OAuth/refresh tokens, Workload Identity Federation, and GitHub App installation tokens.

`MCPHook` and `MCPToolset` now accept an optional `token_provider` callable.

## How it works

- When `token_provider` is set, it is invoked each time the HTTP/SSE server connection is established and its return value is used as the bearer token, overriding the static `password`.
- The minted token is registered with secret masking (matching the auto-masking the connection password already receives), so it does not leak into task logs.
- A provider that returns a non-string or empty value fails loud rather than silently sending an unauthenticated request.
- `token_provider` is resolved in DAG code (a Python callable, not a stored connection field), so the signing key never enters the serialized DAG.

## Usage

```python
def mint_snowflake_jwt() -> str:
    ...  # sign a short-lived JWT from the connection's key-pair


MCPToolset(mcp_conn_id="snowflake_managed_mcp", token_provider=mint_snowflake_jwt)
```

## Gotchas

- `token_provider` applies to HTTP/SSE transports only; it is ignored for `stdio` (which has no HTTP headers).
- The provider is called when the server connection is established; the resulting server is cached for the toolset instance's lifetime (one task run), so the token must remain valid for that run.

--
This is an automated message from the Apache Git Service.
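The last gotcha in the description (the token must stay valid for the whole task run) can be enforced at the provider itself. The following is an added example, not code from the pull request or from Airflow: `require_ttl`, `jwt_expiry` and `make_sample_jwt` are hypothetical names, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from typing import Callable


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_expiry(token: str) -> int:
    """Read the `exp` claim from a JWT payload without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
        return int(claims["exp"])
    except (ValueError, KeyError, TypeError) as err:
        raise ValueError("JWT payload has no usable exp claim") from err


def require_ttl(provider: Callable[[], str], min_ttl: int, now=time.time) -> Callable[[], str]:
    """Wrap a token provider so it raises unless the token outlives min_ttl seconds."""
    def checked() -> str:
        token = provider()
        if not isinstance(token, str) or not token:
            raise ValueError("token provider returned a non-string or empty value")
        remaining = jwt_expiry(token) - int(now())
        if remaining < min_ttl:
            raise ValueError(f"token expires in {remaining}s, need at least {min_ttl}s")
        return token
    return checked


def make_sample_jwt(exp: int) -> str:
    """Constructed, unsigned sample token for the demo; not a real credential."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "constructed-user", "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url(b'constructed-signature')}"


if __name__ == "__main__":
    t0 = 1_700_000_000  # fixed clock so the demo is deterministic
    hour_token = lambda: make_sample_jwt(t0 + 3600)
    print(require_ttl(hour_token, 1800, now=lambda: t0)()[:20], "... accepted")
    try:
        require_ttl(hour_token, 7200, now=lambda: t0)()
    except ValueError as err:
        print("rejected:", err)
```

With the names from the description, the wrapped provider would be passed as `token_provider=require_ttl(mint_snowflake_jwt, 1800)`, where the 1800-second floor is an assumed upper bound on the task's run time.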
