
Relax default MCP auth enforcement#45

Merged: speterkins merged 4 commits into main from speterkins/mcp-sdk-auth-default-open on Mar 31, 2026

Conversation

speterkins (Contributor) commented Mar 27, 2026

Summary

  • stop requiring auth by default when no auth configuration is present
  • continue to parse and expose North auth context when headers are provided
  • preserve get_authenticated_user() semantics for truly unauthenticated requests
  • remove the trusted_jwks_urls direction from the SDK

Testing

  • uv run pytest -q tests/test_north_token_verifier.py tests/test_trusted_issuers.py tests/test_x_north_trusted_issuers.py

Note

Medium Risk
Changes the default authentication posture for MCP endpoints, which can unintentionally expose servers if deployers relied on implicit auth enforcement. Signature verification behavior is also refactored around trusted_issuers, so misconfiguration could cause unexpected 401s.

Overview
Relaxes default MCP auth enforcement. When neither server_secret nor trusted_issuers are configured, NorthAuthBackend.authenticate() now returns an empty AuthenticatedUser (instead of raising) and only validates headers if X-North-* or legacy Authorization data is actually provided.

Preserves explicit auth when configured. If server_secret/trusted_issuers are set, requests without auth headers still 401, and token signature verification now explicitly rejects missing/untrusted iss and routes verification through a new _verify_token_signature_from_issuer() helper.

Tests are updated to cover the new “open by default” behavior (including whitespace/absent headers), and the package version is bumped to 0.3.2.

Written by Cursor Bugbot for commit 709395d.
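The policy the summary above describes (anonymous result when nothing is configured, hard 401 when issuers are configured and no credentials arrive, signature verification keyed off a trusted iss) is easy to get subtly wrong, so here is a standalone model of it as an added example. This is illustrative code written for this page, not the north_mcp_python_sdk implementation. Assumptions not taken from the PR: tokens are compact HS256 JWS, trusted_issuers maps an iss value to that issuer's HMAC key, the North header is called X-North-Token, the server_secret path is left out, and the verification helper is named _verify_signature_for_issuer rather than the SDK's _verify_token_signature_from_issuer.

```python
"""Model of 'open by default, strict when configured' MCP auth. Illustrative only;
not north_mcp_python_sdk. Assumed: HS256 JWS tokens, trusted_issuers = {iss: key},
header name X-North-Token, server_secret path omitted."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, Optional


class AuthError(Exception):
    """Raised where the real backend would answer HTTP 401."""


@dataclass
class AuthenticatedUser:
    claims: Dict[str, object] = field(default_factory=dict)
    signature_verified: bool = False

    @property
    def is_authenticated(self) -> bool:
        # Empty claims model the "truly unauthenticated" (anonymous) request.
        return bool(self.claims) and self.signature_verified


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS; used only to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def mint_alg_none(claims: dict) -> str:
    """Attacker-style token: alg=none and an empty signature (constructed attack input)."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


class DemoAuthBackend:
    def __init__(self, trusted_issuers: Optional[Dict[str, bytes]] = None) -> None:
        self.trusted_issuers = dict(trusted_issuers or {})

    @property
    def enforcing(self) -> bool:
        """Auth is enforced only when the deployer configured at least one issuer."""
        return bool(self.trusted_issuers)

    @staticmethod
    def _extract_token(headers: Dict[str, Optional[str]]) -> Optional[str]:
        """X-North-Token first, then legacy Authorization: Bearer; whitespace == absent."""
        lowered = {k.lower(): (v or "").strip() for k, v in headers.items()}
        token = lowered.get("x-north-token", "")
        if not token:
            bearer = lowered.get("authorization", "")
            if bearer.lower().startswith("bearer "):
                token = bearer[7:].strip()
        return token or None

    @staticmethod
    def _parse_unverified(token: str):
        """Split the JWS and decode header/payload without trusting either yet."""
        parts = token.split(".")
        if len(parts) != 3:
            raise AuthError("malformed token")
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
            sig = _b64url_decode(parts[2])
        except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
            raise AuthError("malformed token") from exc
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise AuthError("malformed token")
        return parts, header, claims, sig

    def _verify_signature_for_issuer(self, parts, header, claims, sig) -> None:
        """Key selection is driven by iss: a missing or unknown issuer is a hard 401."""
        iss = claims.get("iss")
        if not isinstance(iss, str) or iss not in self.trusted_issuers:
            raise AuthError("missing or untrusted issuer")
        if header.get("alg") != "HS256":  # refuses alg=none before any key is touched
            raise AuthError("unsupported alg")
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        expected = hmac.new(self.trusted_issuers[iss], signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            raise AuthError("bad signature")

    def authenticate(self, headers: Dict[str, Optional[str]]) -> AuthenticatedUser:
        token = self._extract_token(headers)
        if token is None:
            if self.enforcing:
                raise AuthError("credentials required")
            return AuthenticatedUser()  # open by default: anonymous, not an error
        parts, header, claims, sig = self._parse_unverified(token)
        if not self.enforcing:
            # Context is parsed and exposed, but nothing has vouched for it.
            return AuthenticatedUser(claims, signature_verified=False)
        self._verify_signature_for_issuer(parts, header, claims, sig)
        return AuthenticatedUser(claims, signature_verified=True)


def rejects(backend: DemoAuthBackend, headers: dict) -> bool:
    """True when the backend would answer 401 for these headers."""
    try:
        backend.authenticate(headers)
    except AuthError:
        return True
    return False
```

The point the Medium Risk note makes shows up in the unconfigured branch: a deployer who never sets trusted_issuers gets parsed claims back with signature_verified False, so any authorization decision keyed on those claims trusts whatever the client chose to send. Treat is_authenticated (which requires a verified signature) as the only gate, and configure issuers before exposing the endpoint beyond localhost.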

speterkins marked this pull request as ready for review March 30, 2026 20:42

cursor (Bot) left a comment on src/north_mcp_python_sdk/auth.py:

Cursor Bugbot has reviewed your changes and found 1 potential issue.

speterkins force-pushed the speterkins/mcp-sdk-auth-default-open branch from 4446944 to c85f96d on March 31, 2026 17:22
@speterkins speterkins added this pull request to the merge queue Mar 31, 2026
Merged via the queue into main with commit 1a8dd0b Mar 31, 2026
4 checks passed