feat(web): add Forward-user-identity toggle to MCP provider modal (M3)

Exposes the M2 backend flags as a switch on the MCP provider create/edit modal so workspace admins can opt in to enterprise SSO identity-forwarding per provider. When the toggle flips on, the modal sends forward_user_identity=true + identity_mode="idp_token" to the console API (which the M2 backend persists on tool_mcp_providers). - The toggle lives between Server Identifier and the Authentication tabs; it overrides the static Authorization (from Auth/Headers) at invoke time. - The form-state hook hydrates from the GET response so editing preserves the previous choice across sessions. - en-US + zh-Hans strings added; other locales fall back to en-US. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
feat(api): add MCP user-identity forwarding (M2)
2026-06-01 06:28:14 +08:00 · 2026-05-29 19:51:36 -07:00 · 2026-05-29 19:51:20 -07:00
24 changed files with 336 additions and 142 deletions
--- a/.codex
+++ b/.codex
--- a/.codex/environments/environment.toml
+++ b/.codex/environments/environment.toml
@ -1,8 +0,0 @@
-# THIS IS AUTOGENERATED. DO NOT EDIT MANUALLY
-version = 1
-name = "dify"
-
-[setup]
-script = '''
-pnpm install --frozen-lockfile --prefer-offline
-'''
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@ -467,8 +467,7 @@ class AppListApi(Resource):
    @login_required
    @account_initialization_required
    @enterprise_license_required
-    @with_session(write=False)
-    def get(self, session: Session):
+    def get(self):
        """Get app list"""
        current_user, current_tenant_id = current_account_with_tenant()

@ -505,7 +504,7 @@ class AppListApi(Resource):
        draft_trigger_app_ids: set[str] = set()
        if workflow_capable_app_ids:
            draft_workflows = (
-                session.execute(
+                db.session.execute(
                    select(Workflow).where(
                        Workflow.version == Workflow.VERSION_DRAFT,
                        Workflow.app_id.in_(workflow_capable_app_ids),
--- a/api/controllers/console/app/generator.py
+++ b/api/controllers/console/app/generator.py
@ -2,7 +2,6 @@ from collections.abc import Sequence

 from flask_restx import Resource
 from pydantic import BaseModel, Field
-from sqlalchemy.orm import Session

 from controllers.common.schema import register_enum_models, register_schema_models
 from controllers.console import console_ns
@ -12,7 +11,6 @@ from controllers.console.app.error import (
    ProviderNotInitializeError,
    ProviderQuotaExceededError,
 )
-from controllers.console.app.wraps import with_session
 from controllers.console.wraps import account_initialization_required, setup_required, with_current_tenant_id
 from core.app.app_config.entities import ModelConfig
 from core.errors.error import ModelCurrentlyNotSupportError, ProviderTokenNotInitError, QuotaExceededError
@ -21,6 +19,7 @@ from core.helper.code_executor.javascript.javascript_code_provider import Javasc
 from core.helper.code_executor.python3.python3_code_provider import Python3CodeProvider
 from core.llm_generator.entities import RuleCodeGeneratePayload, RuleGeneratePayload, RuleStructuredOutputPayload
 from core.llm_generator.llm_generator import LLMGenerator
+from extensions.ext_database import db
 from graphon.model_runtime.entities.llm_entities import LLMMode
 from graphon.model_runtime.errors.invoke import InvokeError
 from libs.login import login_required
@ -159,8 +158,7 @@ class InstructionGenerateApi(Resource):
    @login_required
    @account_initialization_required
    @with_current_tenant_id
-    @with_session(write=False)
-    def post(self, session: Session, current_tenant_id: str):
+    def post(self, current_tenant_id: str):
        args = InstructionGeneratePayload.model_validate(console_ns.payload)
        providers: list[type[CodeNodeProvider]] = [Python3CodeProvider, JavascriptCodeProvider]
        code_provider: type[CodeNodeProvider] | None = next(
@ -170,10 +168,10 @@ class InstructionGenerateApi(Resource):
        try:
            # Generate from nothing for a workflow node
            if (args.current in (code_template, "")) and args.node_id != "":
-                app = session.get(App, args.flow_id)
+                app = db.session.get(App, args.flow_id)
                if not app:
                    return {"error": f"app {args.flow_id} not found"}, 400
-                workflow = WorkflowService().get_draft_workflow(app_model=app, session=session)
+                workflow = WorkflowService().get_draft_workflow(app_model=app)
                if not workflow:
                    return {"error": f"workflow {args.flow_id} not found"}, 400
                nodes: Sequence = workflow.graph_dict["nodes"]
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@ -209,6 +209,11 @@ class MCPProviderBasePayload(BaseModel):
    configuration: dict[str, Any] | None = Field(default_factory=dict)
    headers: dict[str, Any] | None = Field(default_factory=dict)
    authentication: dict[str, Any] | None = Field(default_factory=dict)
+    # M3 — user-identity forwarding (M2 backend already supports these on the
+    # service layer). Defaults preserve pre-M3 behavior for clients that don't
+    # send the fields yet.
+    forward_user_identity: bool = False
+    identity_mode: Literal["off", "idp_token"] = "off"


 class MCPProviderCreatePayload(MCPProviderBasePayload):
@ -985,6 +990,8 @@ class ToolProviderMCPApi(Resource):
                headers=payload.headers or {},
                configuration=configuration,
                authentication=authentication,
+                forward_user_identity=payload.forward_user_identity,
+                identity_mode=payload.identity_mode,
            )

        # 2) Try to fetch tools immediately after creation so they appear without a second save.
@ -1052,6 +1059,8 @@ class ToolProviderMCPApi(Resource):
                configuration=configuration,
                authentication=authentication,
                validation_result=validation_result,
+                forward_user_identity=payload.forward_user_identity,
+                identity_mode=payload.identity_mode,
            )

        return {"result": "success"}
--- a/api/core/entities/mcp_provider.py
+++ b/api/core/entities/mcp_provider.py
@ -3,7 +3,7 @@ from __future__ import annotations
 import json
 from datetime import datetime
 from enum import StrEnum
-from typing import TYPE_CHECKING, Any
+from typing import TYPE_CHECKING, Any, Literal
 from urllib.parse import urlparse

 from pydantic import BaseModel
@ -76,6 +76,14 @@ class MCPProviderEntity(BaseModel):
    created_at: datetime
    updated_at: datetime

+    # M2 — user-identity forwarding. When forward_user_identity is True AND
+    # identity_mode is "idp_token", the MCP tool runtime asks dify-enterprise
+    # to mint a fresh SSO id_token for the calling user and stamps it on the
+    # outbound MCP request as `Authorization: Bearer <token>`. Defaults keep
+    # pre-M2 providers unchanged (no forwarding).
+    forward_user_identity: bool = False
+    identity_mode: Literal["off", "idp_token"] = "off"
+
    @classmethod
    def from_db_model(cls, db_provider: MCPToolProvider) -> MCPProviderEntity:
        """Create entity from database model with decryption"""
@ -96,6 +104,8 @@ class MCPProviderEntity(BaseModel):
            icon=db_provider.icon or "",
            created_at=db_provider.created_at,
            updated_at=db_provider.updated_at,
+            forward_user_identity=db_provider.forward_user_identity,
+            identity_mode=db_provider.identity_mode,  # type: ignore[arg-type]
        )

    @property
@ -170,6 +180,8 @@ class MCPProviderEntity(BaseModel):
            "updated_at": int(self.updated_at.timestamp()),
            "label": I18nObject(en_US=self.name, zh_Hans=self.name).to_dict(),
            "description": I18nObject(en_US="", zh_Hans="").to_dict(),
+            "forward_user_identity": self.forward_user_identity,
+            "identity_mode": self.identity_mode,
        }

        # Add configuration
--- a/api/core/tools/entities/api_entities.py
+++ b/api/core/tools/entities/api_entities.py
@ -54,6 +54,14 @@ class ToolProviderApiEntity(BaseModel):
    configuration: MCPConfiguration | None = Field(
        default=None, description="The timeout and sse_read_timeout of the MCP tool"
    )
+    # M3 — user-identity forwarding flags. Round-tripped through the console
+    # API so the create/edit modal can hydrate the toggle state.
+    forward_user_identity: bool = Field(
+        default=False, description="Whether Dify forwards the calling user's SSO identity to this MCP server"
+    )
+    identity_mode: str = Field(
+        default="off", description="Identity-forwarding mechanism: 'off' or 'idp_token'"
+    )
    # Workflow
    workflow_app_id: str | None = Field(default=None, description="The app id of the workflow tool")

@ -92,6 +100,10 @@ class ToolProviderApiEntity(BaseModel):
                optional_fields.update(self.optional_field("is_dynamic_registration", self.is_dynamic_registration))
                optional_fields.update(self.optional_field("masked_headers", self.masked_headers))
                optional_fields.update(self.optional_field("original_headers", self.original_headers))
+                # M3 — forwarding flags. Always emit (False/"off" are valid
+                # values that the UI must hydrate, not skip).
+                optional_fields["forward_user_identity"] = self.forward_user_identity
+                optional_fields["identity_mode"] = self.identity_mode
            case ToolProviderType.WORKFLOW:
                optional_fields.update(self.optional_field("workflow_app_id", self.workflow_app_id))
            case _:
--- a/api/core/tools/mcp_tool/provider.py
+++ b/api/core/tools/mcp_tool/provider.py
@ -1,4 +1,4 @@
-from typing import Any, Self
+from typing import Any, Literal, Self

 from core.entities.mcp_provider import MCPProviderEntity
 from core.mcp.types import Tool as RemoteMCPTool
@ -28,6 +28,8 @@ class MCPToolProviderController(ToolProviderController):
        headers: dict[str, str] | None = None,
        timeout: float | None = None,
        sse_read_timeout: float | None = None,
+        forward_user_identity: bool = False,
+        identity_mode: Literal["off", "idp_token"] = "off",
    ):
        super().__init__(entity)
        self.entity: ToolProviderEntityWithPlugin = entity
@ -37,6 +39,8 @@ class MCPToolProviderController(ToolProviderController):
        self.headers = headers or {}
        self.timeout = timeout
        self.sse_read_timeout = sse_read_timeout
+        self.forward_user_identity = forward_user_identity
+        self.identity_mode: Literal["off", "idp_token"] = identity_mode

    @property
    def provider_type(self) -> ToolProviderType:
@ -105,6 +109,8 @@ class MCPToolProviderController(ToolProviderController):
            headers=entity.headers,
            timeout=entity.timeout,
            sse_read_timeout=entity.sse_read_timeout,
+            forward_user_identity=entity.forward_user_identity,
+            identity_mode=entity.identity_mode,
        )

    def _validate_credentials(self, user_id: str, credentials: dict[str, Any]):
@ -134,6 +140,8 @@ class MCPToolProviderController(ToolProviderController):
            headers=self.headers,
            timeout=self.timeout,
            sse_read_timeout=self.sse_read_timeout,
+            forward_user_identity=self.forward_user_identity,
+            identity_mode=self.identity_mode,
        )

    def get_tools(self) -> list[MCPTool]:
@ -151,6 +159,8 @@ class MCPToolProviderController(ToolProviderController):
                headers=self.headers,
                timeout=self.timeout,
                sse_read_timeout=self.sse_read_timeout,
+                forward_user_identity=self.forward_user_identity,
+                identity_mode=self.identity_mode,
            )
            for tool_entity in self.entity.tools
        ]
--- a/api/core/tools/mcp_tool/tool.py
+++ b/api/core/tools/mcp_tool/tool.py
@ -4,7 +4,7 @@ import base64
 import json
 import logging
 from collections.abc import Generator, Mapping
-from typing import Any, cast
+from typing import Any, Literal, cast

 from core.mcp.auth_client import MCPClientWithAuthRetry
 from core.mcp.error import MCPConnectionError
@ -38,6 +38,8 @@ class MCPTool(Tool):
        headers: dict[str, str] | None = None,
        timeout: float | None = None,
        sse_read_timeout: float | None = None,
+        forward_user_identity: bool = False,
+        identity_mode: Literal["off", "idp_token"] = "off",
    ):
        super().__init__(entity, runtime)
        self.tenant_id = tenant_id
@ -47,6 +49,8 @@ class MCPTool(Tool):
        self.headers = headers or {}
        self.timeout = timeout
        self.sse_read_timeout = sse_read_timeout
+        self.forward_user_identity = forward_user_identity
+        self.identity_mode: Literal["off", "idp_token"] = identity_mode
        self._latest_usage = LLMUsage.empty_usage()

    def tool_provider_type(self) -> ToolProviderType:
@ -60,7 +64,7 @@ class MCPTool(Tool):
        app_id: str | None = None,
        message_id: str | None = None,
    ) -> Generator[ToolInvokeMessage, None, None]:
-        result = self.invoke_remote_mcp_tool(tool_parameters)
+        result = self.invoke_remote_mcp_tool(tool_parameters, user_id=user_id, app_id=app_id)

        # Extract usage metadata from MCP protocol's _meta field
        self._latest_usage = self._derive_usage_from_result(result)
@ -234,6 +238,8 @@ class MCPTool(Tool):
            headers=self.headers,
            timeout=self.timeout,
            sse_read_timeout=self.sse_read_timeout,
+            forward_user_identity=self.forward_user_identity,
+            identity_mode=self.identity_mode,
        )

    def _handle_none_parameter(self, parameter: dict[str, Any]) -> dict[str, Any]:
@ -246,7 +252,12 @@ class MCPTool(Tool):
            if value is not None and not (isinstance(value, str) and value.strip() == "")
        }

-    def invoke_remote_mcp_tool(self, tool_parameters: dict[str, Any]) -> CallToolResult:
+    def invoke_remote_mcp_tool(
+        self,
+        tool_parameters: dict[str, Any],
+        user_id: str | None = None,
+        app_id: str | None = None,
+    ) -> CallToolResult:
        headers = self.headers.copy() if self.headers else {}
        tool_parameters = self._handle_none_parameter(tool_parameters)

@ -271,6 +282,14 @@ class MCPTool(Tool):
                if tokens and tokens.access_token:
                    headers["Authorization"] = f"{tokens.token_type.capitalize()} {tokens.access_token}"

+        # User-identity forwarding: if enabled on this provider, ask the
+        # enterprise side to mint a fresh SSO id_token (audience-scoped to
+        # the MCP server's URL per RFC 8707) and stamp it as Authorization.
+        # This OVERRIDES any Authorization already on the request — the
+        # forwarded identity is what the MCP server should trust.
+        if self.forward_user_identity and self.identity_mode == "idp_token" and user_id:
+            self._inject_forwarded_identity(headers, user_id=user_id, app_id=app_id, audience=server_url)
+
        # Step 2: Session is now closed, perform network operations without holding database connection
        # MCPClientWithAuthRetry will create a new session lazily only if auth retry is needed
        try:
@ -286,3 +305,31 @@ class MCPTool(Tool):
            raise ToolInvokeError(f"Failed to connect to MCP server: {e}") from e
        except Exception as e:
            raise ToolInvokeError(f"Failed to invoke tool: {e}") from e
+
+    def _inject_forwarded_identity(
+        self,
+        headers: dict[str, str],
+        *,
+        user_id: str,
+        app_id: str | None,
+        audience: str,
+    ) -> None:
+        """Call the enterprise IssueMCPToken endpoint and stamp Authorization.
+
+        Errors are surfaced as ToolInvokeError so the workflow halts with a
+        clear message instead of silently dropping identity and hitting the
+        MCP server unauthenticated.
+        """
+        from services.enterprise.base import MCPTokenError
+        from services.enterprise.enterprise_service import EnterpriseService
+
+        try:
+            token, _expires_at = EnterpriseService.issue_mcp_token(
+                user_id=user_id,
+                tenant_id=self.tenant_id,
+                app_id=app_id,
+                audience=audience,
+            )
+        except MCPTokenError as e:
+            raise ToolInvokeError(f"Failed to obtain forwarded identity token: {e}") from e
+        headers["Authorization"] = f"Bearer {token}"
--- a/api/migrations/versions/2026_05_29_1500-3df4dbcc1e21_add_identity_mode_to_mcp_tool_provider.py
+++ b/api/migrations/versions/2026_05_29_1500-3df4dbcc1e21_add_identity_mode_to_mcp_tool_provider.py
@ -0,0 +1,56 @@
+"""add identity mode to mcp tool provider
+
+Revision ID: 3df4dbcc1e21
+Revises: 7885bd53f9a9
+Create Date: 2026-05-29 15:00:00.000000
+
+Adds two columns to `tool_mcp_providers` that drive the M2 MCP user-identity
+forwarding feature:
+
+  * `forward_user_identity` (bool, default false) — master switch per provider.
+  * `identity_mode` (string, default "off") — which forwarding mechanism to use:
+        "off"       — no header forwarded (default; pre-M2 behaviour).
+        "idp_token" — call dify-enterprise /inner/api/mcp/issue-token, stamp
+                      the returned id_token on the outbound MCP request as
+                      `Authorization: Bearer <token>`.
+
+The columns are filled with safe defaults for existing rows so older providers
+keep their current behaviour (no identity forwarding) until an admin opts in.
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+import models as models
+
+# revision identifiers, used by Alembic.
+revision = "3df4dbcc1e21"
+down_revision = "7885bd53f9a9"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.add_column(
+        "tool_mcp_providers",
+        sa.Column(
+            "forward_user_identity",
+            sa.Boolean(),
+            nullable=False,
+            server_default=sa.text("false"),
+        ),
+    )
+    op.add_column(
+        "tool_mcp_providers",
+        sa.Column(
+            "identity_mode",
+            sa.String(length=32),
+            nullable=False,
+            server_default=sa.text("'off'"),
+        ),
+    )
+
+
+def downgrade():
+    op.drop_column("tool_mcp_providers", "identity_mode")
+    op.drop_column("tool_mcp_providers", "forward_user_identity")
--- a/api/models/tools.py
+++ b/api/models/tools.py
@ -343,6 +343,21 @@ class MCPToolProvider(TypeBase):
    # encrypted headers for MCP server requests
    encrypted_headers: Mapped[str | None] = mapped_column(LongText, nullable=True, default=None)

+    # M2 (MCP user-identity forwarding) — master switch per provider. When True
+    # AND identity_mode is "idp_token", workflows that invoke tools on this
+    # provider will have the caller's SSO id_token stamped on the outbound
+    # request as `Authorization: Bearer …`. Off by default so existing
+    # providers retain pre-M2 behaviour.
+    forward_user_identity: Mapped[bool] = mapped_column(
+        sa.Boolean, nullable=False, server_default=sa.text("false"), default=False
+    )
+    # M2 — which identity-forwarding mechanism to use. Reserved values:
+    #   "off"       — no forwarding (default).
+    #   "idp_token" — forward a Bearer id_token minted by dify-enterprise.
+    identity_mode: Mapped[str] = mapped_column(
+        sa.String(32), nullable=False, server_default=sa.text("'off'"), default="off"
+    )
+
    def load_user(self) -> Account | None:
        return db.session.scalar(select(Account).where(Account.id == self.user_id))

--- a/api/services/enterprise/base.py
+++ b/api/services/enterprise/base.py
@ -12,8 +12,33 @@ from services.errors.enterprise import (
    EnterpriseAPIForbiddenError,
    EnterpriseAPINotFoundError,
    EnterpriseAPIUnauthorizedError,
+    EnterpriseServiceError,
 )

+
+# M2 — IssueMCPToken specific errors. Co-located here (rather than in
+# services/errors/enterprise.py) because services.enterprise.base is part of
+# the leaf-mounted file set the local dev override applies; the errors module
+# stays at the EE image's baked-in version.
+class MCPTokenError(EnterpriseServiceError):
+    """Generic failure of the IssueMCPToken RPC."""
+
+
+class MCPNoRefreshTokenError(MCPTokenError):
+    """The user has no stored SSO refresh_token on the enterprise side.
+    The workflow should ask them to re-authenticate."""
+
+    def __init__(self, description: str = ""):
+        super().__init__(description, status_code=428)
+
+
+class MCPIdentityRefreshError(MCPTokenError):
+    """The enterprise side tried to refresh the user's SSO refresh_token
+    against the IdP and failed (revoked/expired/IdP error)."""
+
+    def __init__(self, description: str = ""):
+        super().__init__(description, status_code=401)
+
 logger = logging.getLogger(__name__)


--- a/api/services/enterprise/enterprise_service.py
+++ b/api/services/enterprise/enterprise_service.py
@ -11,7 +11,16 @@ from pydantic import BaseModel, ConfigDict, Field, model_validator

 from configs import dify_config
 from extensions.ext_redis import redis_client
-from services.enterprise.base import EnterpriseRequest
+from services.enterprise.base import (
+    EnterpriseRequest,
+    MCPIdentityRefreshError,
+    MCPNoRefreshTokenError,
+    MCPTokenError,
+)
+from services.errors.enterprise import (
+    EnterpriseAPIError,
+    EnterpriseAPIUnauthorizedError,
+)

 if TYPE_CHECKING:
    from services.feature_service import LicenseStatus
@ -121,6 +130,62 @@ class EnterpriseService:
    def get_workspace_info(cls, tenant_id: str):
        return EnterpriseRequest.send_request("GET", f"/workspace/{tenant_id}/info")

+    @classmethod
+    def issue_mcp_token(
+        cls,
+        user_id: str,
+        tenant_id: str,
+        app_id: str | None,
+        audience: str,
+    ) -> tuple[str, int]:
+        """Mint a short-lived SSO id_token (or OAuth2 access_token) representing
+        the calling Dify user, audience-scoped to the given MCP server identifier.
+
+        Used by MCPTool.invoke_remote_mcp_tool to stamp `Authorization: Bearer
+        <token>` on outbound MCP requests when the provider has
+        forward_user_identity=True and identity_mode="idp_token".
+
+        Returns:
+            (token, expires_at_unix_seconds)
+
+        Raises:
+            MCPNoRefreshTokenError: user has no stored SSO refresh_token on the
+                enterprise side; surface to the workflow as "please log in via SSO".
+            MCPIdentityRefreshError: enterprise tried to refresh against the IdP
+                and the IdP rejected (revoked/expired session).
+            MCPTokenError: any other failure of the enterprise endpoint.
+        """
+        try:
+            response = EnterpriseRequest.send_request(
+                "POST",
+                "/mcp/issue-token",
+                json={
+                    "user_id": user_id,
+                    "tenant_id": tenant_id,
+                    "app_id": app_id or "",
+                    "audience": audience,
+                },
+            )
+        except EnterpriseAPIUnauthorizedError as e:
+            # Enterprise side returns 401 when the IdP rejected the refresh.
+            raise MCPIdentityRefreshError(str(e) or "identity refresh failed; please re-authenticate") from e
+        except EnterpriseAPIError as e:
+            # Map the 428 PreconditionRequired we emit on no-stored-refresh-token.
+            if getattr(e, "status_code", None) == 428:
+                raise MCPNoRefreshTokenError(
+                    str(e) or "user has no stored SSO refresh token; please re-authenticate"
+                ) from e
+            raise MCPTokenError(f"issue_mcp_token failed: {e}") from e
+
+        if not isinstance(response, dict):
+            raise MCPTokenError("invalid response shape from enterprise /mcp/issue-token")
+
+        token = response.get("token")
+        expires_at = response.get("expires_at")
+        if not token or not isinstance(token, str) or not isinstance(expires_at, int):
+            raise MCPTokenError(f"missing token/expires_at in enterprise response: {response}")
+        return token, expires_at
+
    @classmethod
    def initiate_device_flow_sso(cls, signed_state: str) -> dict:
        return EnterpriseRequest.send_request(
--- a/api/services/tools/mcp_tools_manage_service.py
+++ b/api/services/tools/mcp_tools_manage_service.py
@ -4,7 +4,7 @@ import logging
 from collections.abc import Mapping
 from datetime import datetime
 from enum import StrEnum
-from typing import Any
+from typing import Any, Literal
 from urllib.parse import urlparse

 from pydantic import BaseModel, Field
@ -136,6 +136,8 @@ class MCPToolManageService:
        configuration: MCPConfiguration,
        authentication: MCPAuthentication | None = None,
        headers: dict[str, str] | None = None,
+        forward_user_identity: bool = False,
+        identity_mode: Literal["off", "idp_token"] = "off",
    ) -> ToolProviderApiEntity:
        """Create a new MCP provider."""
        # Validate URL format
@ -171,6 +173,8 @@ class MCPToolManageService:
            sse_read_timeout=configuration.sse_read_timeout,
            encrypted_headers=encrypted_headers,
            encrypted_credentials=encrypted_credentials,
+            forward_user_identity=forward_user_identity,
+            identity_mode=identity_mode,
        )

        self._session.add(mcp_tool)
@ -194,6 +198,8 @@ class MCPToolManageService:
        configuration: MCPConfiguration,
        authentication: MCPAuthentication | None = None,
        validation_result: ServerUrlValidationResult | None = None,
+        forward_user_identity: bool | None = None,
+        identity_mode: Literal["off", "idp_token"] | None = None,
    ) -> None:
        """
        Update an MCP provider.
@ -255,6 +261,14 @@ class MCPToolManageService:
            if authentication and authentication.client_id:
                mcp_provider.encrypted_credentials = self._process_credentials(authentication, mcp_provider, tenant_id)

+            # Update user-identity forwarding settings if provided.
+            # None means "leave unchanged" so this stays backwards-compatible
+            # with existing callers that don't know about M2.
+            if forward_user_identity is not None:
+                mcp_provider.forward_user_identity = forward_user_identity
+            if identity_mode is not None:
+                mcp_provider.identity_mode = identity_mode
+
            # Flush changes to database
            self._session.flush()

--- a/api/services/workflow_service.py
+++ b/api/services/workflow_service.py
@ -140,21 +140,14 @@ class WorkflowService:
        )
        return db.session.execute(stmt).scalar_one()

-    def get_draft_workflow(
-        self, app_model: App, workflow_id: str | None = None, session: Session | None = None
-    ) -> Workflow | None:
+    def get_draft_workflow(self, app_model: App, workflow_id: str | None = None) -> Workflow | None:
        """
        Get draft workflow
-
-        When ``session`` is provided, reuse it so callers that already hold a
-        Session avoid checking out an extra request-scoped ``db.session``
-        connection. Falls back to ``db.session`` for backward compatibility.
        """
        if workflow_id:
-            return self.get_published_workflow_by_id(app_model, workflow_id, session=session)
+            return self.get_published_workflow_by_id(app_model, workflow_id)
        # fetch draft workflow by app_model
-        bind = session if session is not None else db.session
-        workflow = bind.scalar(
+        workflow = db.session.scalar(
            select(Workflow)
            .where(
                Workflow.tenant_id == app_model.tenant_id,
--- a/api/tests/unit_tests/controllers/console/app/test_app_response_models.py
+++ b/api/tests/unit_tests/controllers/console/app/test_app_response_models.py
@ -7,7 +7,6 @@ from importlib import util
 from pathlib import Path
 from types import ModuleType, SimpleNamespace
 from typing import Any
-from unittest.mock import MagicMock

 import pytest
 from flask.views import MethodView
@ -19,15 +18,6 @@ if not hasattr(builtins, "MethodView"):
    builtins.MethodView = MethodView  # type: ignore[attr-defined]


-def _unwrap(func):
-    bound_self = getattr(func, "__self__", None)
-    while hasattr(func, "__wrapped__"):
-        func = func.__wrapped__
-    if bound_self is not None:
-        return func.__get__(bound_self, bound_self.__class__)
-    return func
-
-
@pytest.fixture(scope="module")
 def app_module():
    module_name = "controllers.console.app.app"
@ -405,46 +395,3 @@ def test_app_pagination_aliases_per_page_and_has_next(app_models):
    assert len(serialized["data"]) == 2
    assert serialized["data"][0]["icon_url"] == "signed:first-icon"
    assert serialized["data"][1]["icon_url"] is None
-
-
-def test_app_list_uses_injected_session_for_draft_workflows(app, app_module, monkeypatch):
-    api = app_module.AppListApi()
-    method = _unwrap(api.get)
-    current_user = SimpleNamespace(id="user-1")
-    app_item = SimpleNamespace(
-        id="app-1",
-        name="Workflow App",
-        desc_or_prompt="Summary",
-        mode="workflow",
-        mode_compatible_with_agent="workflow",
-    )
-    app_pagination = SimpleNamespace(page=1, per_page=20, total=1, has_next=False, items=[app_item])
-    workflow = SimpleNamespace(
-        id="workflow-1",
-        app_id="app-1",
-        walk_nodes=lambda: iter([("trigger-1", {"type": "trigger-webhook"})]),
-    )
-    session = MagicMock()
-    session.execute.return_value.scalars.return_value.all.return_value = [workflow]
-    scoped_session = SimpleNamespace(execute=MagicMock(side_effect=AssertionError("db.session should not be used")))
-
-    monkeypatch.setattr(app_module, "current_account_with_tenant", lambda: (current_user, "tenant-1"))
-    monkeypatch.setattr(
-        app_module,
-        "AppService",
-        lambda: SimpleNamespace(get_paginate_apps=lambda *_args, **_kwargs: app_pagination),
-    )
-    monkeypatch.setattr(
-        app_module,
-        "FeatureService",
-        SimpleNamespace(get_system_features=lambda: SimpleNamespace(webapp_auth=SimpleNamespace(enabled=False))),
-    )
-    monkeypatch.setattr(app_module, "db", SimpleNamespace(session=scoped_session))
-
-    with app.test_request_context("/console/api/apps?page=1&limit=20", method="GET"):
-        response, status = method(session)
-
-    assert status == 200
-    assert response["data"][0]["has_draft_trigger"] is True
-    session.execute.assert_called_once()
-    scoped_session.execute.assert_not_called()
--- a/api/tests/unit_tests/controllers/console/app/test_generator_api.py
+++ b/api/tests/unit_tests/controllers/console/app/test_generator_api.py
@ -1,7 +1,6 @@
 from __future__ import annotations

 from types import SimpleNamespace
-from unittest.mock import MagicMock

 import pytest

@ -25,17 +24,10 @@ def _model_config_payload():

 def _install_workflow_service(monkeypatch: pytest.MonkeyPatch, workflow):
    class _Service:
-        app_model = None
-        session = None
-
-        def get_draft_workflow(self, app_model, session=None):
-            self.app_model = app_model
-            self.session = session
+        def get_draft_workflow(self, app_model):
            return workflow

-    service = _Service()
-    monkeypatch.setattr(generator_module, "WorkflowService", lambda: service)
-    return service
+    monkeypatch.setattr(generator_module, "WorkflowService", lambda: _Service())


 def test_rule_generate_success(app, monkeypatch: pytest.MonkeyPatch) -> None:
@ -76,8 +68,7 @@ def test_instruction_generate_app_not_found(app, monkeypatch: pytest.MonkeyPatch
    api = generator_module.InstructionGenerateApi()
    method = _unwrap(api.post)

-    session = MagicMock()
-    session.get.return_value = None
+    monkeypatch.setattr(generator_module.db, "session", SimpleNamespace(get=lambda *_args, **_kwargs: None))

    with app.test_request_context(
        "/console/api/instruction-generate",
@ -89,11 +80,10 @@ def test_instruction_generate_app_not_found(app, monkeypatch: pytest.MonkeyPatch
            "model_config": _model_config_payload(),
        },
    ):
-        response, status = method(session, "t1")
+        response, status = method("t1")

    assert status == 400
    assert response["error"] == "app app-1 not found"
-    session.get.assert_called_once_with(generator_module.App, "app-1")


 def test_instruction_generate_workflow_not_found(app, monkeypatch: pytest.MonkeyPatch) -> None:
@ -101,7 +91,7 @@ def test_instruction_generate_workflow_not_found(app, monkeypatch: pytest.Monkey
    method = _unwrap(api.post)

    app_model = SimpleNamespace(id="app-1")
-    session = SimpleNamespace(get=lambda *_args, **_kwargs: app_model)
+    monkeypatch.setattr(generator_module.db, "session", SimpleNamespace(get=lambda *_args, **_kwargs: app_model))
    _install_workflow_service(monkeypatch, workflow=None)

    with app.test_request_context(
@ -114,7 +104,7 @@ def test_instruction_generate_workflow_not_found(app, monkeypatch: pytest.Monkey
            "model_config": _model_config_payload(),
        },
    ):
-        response, status = method(session, "t1")
+        response, status = method("t1")

    assert status == 400
    assert response["error"] == "workflow app-1 not found"
@ -125,7 +115,7 @@ def test_instruction_generate_node_missing(app, monkeypatch: pytest.MonkeyPatch)
    method = _unwrap(api.post)

    app_model = SimpleNamespace(id="app-1")
-    session = SimpleNamespace(get=lambda *_args, **_kwargs: app_model)
+    monkeypatch.setattr(generator_module.db, "session", SimpleNamespace(get=lambda *_args, **_kwargs: app_model))

    workflow = SimpleNamespace(graph_dict={"nodes": []})
    _install_workflow_service(monkeypatch, workflow=workflow)
@ -140,7 +130,7 @@ def test_instruction_generate_node_missing(app, monkeypatch: pytest.MonkeyPatch)
            "model_config": _model_config_payload(),
        },
    ):
-        response, status = method(session, "t1")
+        response, status = method("t1")

    assert status == 400
    assert response["error"] == "node node-1 not found"
@ -151,7 +141,7 @@ def test_instruction_generate_code_node(app, monkeypatch: pytest.MonkeyPatch) ->
    method = _unwrap(api.post)

    app_model = SimpleNamespace(id="app-1")
-    session = SimpleNamespace(get=lambda *_args, **_kwargs: app_model)
+    monkeypatch.setattr(generator_module.db, "session", SimpleNamespace(get=lambda *_args, **_kwargs: app_model))

    workflow = SimpleNamespace(
        graph_dict={
@ -160,7 +150,7 @@ def test_instruction_generate_code_node(app, monkeypatch: pytest.MonkeyPatch) ->
            ]
        }
    )
-    workflow_service = _install_workflow_service(monkeypatch, workflow=workflow)
+    _install_workflow_service(monkeypatch, workflow=workflow)
    monkeypatch.setattr(generator_module.LLMGenerator, "generate_code", lambda **_kwargs: {"code": "x"})

    with app.test_request_context(
@ -173,17 +163,14 @@ def test_instruction_generate_code_node(app, monkeypatch: pytest.MonkeyPatch) ->
            "model_config": _model_config_payload(),
        },
    ):
-        response = method(session, "t1")
+        response = method("t1")

    assert response == {"code": "x"}
-    assert workflow_service.app_model is app_model
-    assert workflow_service.session is session


 def test_instruction_generate_legacy_modify(app, monkeypatch: pytest.MonkeyPatch) -> None:
    api = generator_module.InstructionGenerateApi()
    method = _unwrap(api.post)
-    session = SimpleNamespace()

    monkeypatch.setattr(
        generator_module.LLMGenerator,
@ -202,7 +189,7 @@ def test_instruction_generate_legacy_modify(app, monkeypatch: pytest.MonkeyPatch
            "model_config": _model_config_payload(),
        },
    ):
-        response = method(session, "t1")
+        response = method("t1")

    assert response == {"instruction": "ok"}

@ -210,7 +197,6 @@ def test_instruction_generate_legacy_modify(app, monkeypatch: pytest.MonkeyPatch
 def test_instruction_generate_incompatible_params(app, monkeypatch: pytest.MonkeyPatch) -> None:
    api = generator_module.InstructionGenerateApi()
    method = _unwrap(api.post)
-    session = SimpleNamespace()

    with app.test_request_context(
        "/console/api/instruction-generate",
@ -223,7 +209,7 @@ def test_instruction_generate_incompatible_params(app, monkeypatch: pytest.Monke
            "model_config": _model_config_payload(),
        },
    ):
-        response, status = method(session, "t1")
+        response, status = method("t1")

    assert status == 400
    assert response["error"] == "incompatible parameters"
--- a/api/tests/unit_tests/services/test_workflow_service.py
+++ b/api/tests/unit_tests/services/test_workflow_service.py
@ -346,19 +346,6 @@ class TestWorkflowService:

        assert result == mock_workflow

-    def test_get_draft_workflow_uses_provided_session(self, workflow_service, mock_db_session):
-        """Test get_draft_workflow can reuse an injected SQLAlchemy session."""
-        app = TestWorkflowAssociatedDataFactory.create_app_mock()
-        mock_workflow = TestWorkflowAssociatedDataFactory.create_workflow_mock()
-        session = MagicMock()
-        session.scalar.return_value = mock_workflow
-
-        result = workflow_service.get_draft_workflow(app, session=session)
-
-        assert result == mock_workflow
-        session.scalar.assert_called_once()
-        mock_db_session.session.scalar.assert_not_called()
-
    def test_get_draft_workflow_returns_none(self, workflow_service, mock_db_session):
        """Test get_draft_workflow returns None when no draft exists."""
        app = TestWorkflowAssociatedDataFactory.create_app_mock()
@ -383,21 +370,6 @@ class TestWorkflowService:

        assert result == mock_workflow

-    def test_get_draft_workflow_with_workflow_id_reuses_provided_session(self, workflow_service):
-        """Test get_draft_workflow passes an injected session to published workflow lookup."""
-        app = TestWorkflowAssociatedDataFactory.create_app_mock()
-        workflow_id = "workflow-123"
-        session = MagicMock()
-        mock_workflow = TestWorkflowAssociatedDataFactory.create_workflow_mock(version="v1")
-
-        with patch.object(
-            workflow_service, "get_published_workflow_by_id", return_value=mock_workflow
-        ) as mock_get_published:
-            result = workflow_service.get_draft_workflow(app, workflow_id=workflow_id, session=session)
-
-        assert result == mock_workflow
-        mock_get_published.assert_called_once_with(app, workflow_id, session=session)
-
    # ==================== Get Published Workflow Tests ====================
    # These tests verify retrieval of published workflows (versioned snapshots)

--- a/web/app/components/tools/mcp/hooks/use-mcp-modal-form.ts
+++ b/web/app/components/tools/mcp/hooks/use-mcp-modal-form.ts
@ -54,6 +54,7 @@ type MCPModalFormState = {
  isDynamicRegistration: boolean
  clientID: string
  credentials: string
+  forwardUserIdentity: boolean
 }
 type MCPModalFormActions = {
  setUrl: (url: string) => void
@ -68,6 +69,7 @@ type MCPModalFormActions = {
  setIsDynamicRegistration: (value: boolean) => void
  setClientID: (id: string) => void
  setCredentials: (credentials: string) => void
+  setForwardUserIdentity: (value: boolean) => void
  handleUrlBlur: (url: string) => Promise<void>
  resetIcon: () => void
 }
@ -100,6 +102,11 @@ export const useMCPModalForm = (data?: ToolWithProvider) => {
  const [isDynamicRegistration, setIsDynamicRegistration] = useState(() => isCreate ? true : (data?.is_dynamic_registration ?? true))
  const [clientID, setClientID] = useState(() => data?.authentication?.client_id || '')
  const [credentials, setCredentials] = useState(() => data?.authentication?.client_secret || '')
+  // M3 — user-identity forwarding. Identity mode is implied by the toggle:
+  // off → "off", on → "idp_token" (only mode currently supported).
+  const [forwardUserIdentity, setForwardUserIdentity] = useState(
+    () => Boolean(data?.forward_user_identity),
+  )
  const handleUrlBlur = useCallback(async (urlValue: string) => {
    if (data)
      return
@ -163,6 +170,7 @@ export const useMCPModalForm = (data?: ToolWithProvider) => {
      isDynamicRegistration,
      clientID,
      credentials,
+      forwardUserIdentity,
    } satisfies MCPModalFormState,
    // Actions
    actions: {
@ -178,6 +186,7 @@ export const useMCPModalForm = (data?: ToolWithProvider) => {
      setIsDynamicRegistration,
      setClientID,
      setCredentials,
+      setForwardUserIdentity,
      handleUrlBlur,
      resetIcon,
    } satisfies MCPModalFormActions,
--- a/web/app/components/tools/mcp/modal.tsx
+++ b/web/app/components/tools/mcp/modal.tsx
@ -5,6 +5,7 @@ import type { ToolWithProvider } from '@/app/components/workflow/types'
 import type { AppIconType } from '@/types/app'
 import { Button } from '@langgenius/dify-ui/button'
 import { Dialog, DialogContent } from '@langgenius/dify-ui/dialog'
+import { Switch } from '@langgenius/dify-ui/switch'
 import { toast } from '@langgenius/dify-ui/toast'
 import { RiCloseLine, RiEditLine } from '@remixicon/react'
 import { useHover } from 'ahooks'
@ -39,6 +40,8 @@ type MCPModalConfirmPayload = {
    timeout: number
    sse_read_timeout: number
  }
+  forward_user_identity?: boolean
+  identity_mode?: 'off' | 'idp_token'
 }

 type DuplicateAppModalProps = {
@ -110,6 +113,8 @@ const MCPModalContent: FC<MCPModalContentProps> = ({
        timeout: state.timeout || 30,
        sse_read_timeout: state.sseReadTimeout || 300,
      },
+      forward_user_identity: state.forwardUserIdentity,
+      identity_mode: state.forwardUserIdentity ? 'idp_token' : 'off',
    })
    if (isCreate)
      onHide()
@ -207,6 +212,23 @@ const MCPModalContent: FC<MCPModalContentProps> = ({
          )}
        </div>

+        {/* Forward user identity (M3 — enterprise SSO identity-forwarding) */}
+        <div>
+          <div className="mb-1 flex h-6 items-center">
+            <Switch
+              className="mr-2"
+              checked={state.forwardUserIdentity}
+              onCheckedChange={actions.setForwardUserIdentity}
+            />
+            <span className="system-sm-medium text-text-secondary">
+              {t('mcp.modal.forwardUserIdentity', { ns: 'tools' })}
+            </span>
+          </div>
+          <div className="body-xs-regular text-text-tertiary">
+            {t('mcp.modal.forwardUserIdentityTip', { ns: 'tools' })}
+          </div>
+        </div>
+
        {/* Auth Method Tabs */}
        <TabSlider
          className="w-full"
--- a/web/app/components/tools/types.ts
+++ b/web/app/components/tools/types.ts
@ -78,6 +78,9 @@ export type Collection = {
    timeout?: number
    sse_read_timeout?: number
  }
+  // M3 — user-identity forwarding (MCP)
+  forward_user_identity?: boolean
+  identity_mode?: 'off' | 'idp_token'
  // Workflow
  workflow_app_id?: string
 }
--- a/web/i18n/en-US/tools.json
+++ b/web/i18n/en-US/tools.json
@ -145,6 +145,8 @@
  "mcp.modal.timeout": "Timeout",
  "mcp.modal.timeoutPlaceholder": "30",
  "mcp.modal.title": "Add MCP Server (HTTP)",
+  "mcp.modal.forwardUserIdentity": "Forward user identity",
+  "mcp.modal.forwardUserIdentityTip": "Send the calling user's verified SSO identity to this MCP server as an Authorization Bearer token. Requires Dify Enterprise SSO.",
  "mcp.modal.useDynamicClientRegistration": "Use Dynamic Client Registration",
  "mcp.noConfigured": "Unconfigured",
  "mcp.noTools": "No tools available",
--- a/web/i18n/zh-Hans/tools.json
+++ b/web/i18n/zh-Hans/tools.json
@ -145,6 +145,8 @@
  "mcp.modal.timeout": "超时时间",
  "mcp.modal.timeoutPlaceholder": "30",
  "mcp.modal.title": "添加 MCP 服务 (HTTP)",
+  "mcp.modal.forwardUserIdentity": "转发用户身份",
+  "mcp.modal.forwardUserIdentityTip": "将调用用户的已验证 SSO 身份作为 Authorization Bearer token 转发到该 MCP 服务器。需要 Dify Enterprise SSO。",
  "mcp.modal.useDynamicClientRegistration": "使用动态客户端注册",
  "mcp.noConfigured": "未配置",
  "mcp.noTools": "没有可用的工具",
--- a/web/service/use-tools.ts
+++ b/web/service/use-tools.ts
@ -106,6 +106,8 @@ export const useCreateMCP = () => {
      timeout?: number
      sse_read_timeout?: number
      headers?: Record<string, string>
+      forward_user_identity?: boolean
+      identity_mode?: 'off' | 'idp_token'
    }) => {
      return post<ToolWithProvider>('workspaces/current/tool-provider/mcp', {
        body: {
@ -133,6 +135,8 @@ export const useUpdateMCP = ({
      timeout?: number
      sse_read_timeout?: number
      headers?: Record<string, string>
+      forward_user_identity?: boolean
+      identity_mode?: 'off' | 'idp_token'
    }) => {
      return put('workspaces/current/tool-provider/mcp', {
        body: {