change auth flow to use authroization server and

itsuki · itsuki · commit 3c69e5d80f8d · 2025-04-27T19:03:23.000+09:00
add function to discover protected resource metadata
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -1,11 +1,11 @@
 import pkceChallenge from "pkce-challenge";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
-import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull } from "../shared/auth.js";
-import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
+import type { OAuthClientMetadata, OAuthClientInformation, OAuthTokens, OAuthMetadata, OAuthClientInformationFull, OAuthProtectedResourceMetadata } from "../shared/auth.js";
+import { OAuthClientInformationFullSchema, OAuthMetadataSchema, OAuthProtectedResourceMetadataSchema, OAuthTokensSchema } from "../shared/auth.js";
 
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
- * 
+ *
  * This client relies upon a concept of an authorized "session," the exact
  * meaning of which is application-defined. Tokens, authorization codes, and
  * code verifiers should not cross different sessions.
@@ -32,7 +32,7 @@ export interface OAuthClientProvider {
    * If implemented, this permits the OAuth client to dynamically register with
    * the server. Client information saved this way should later be read via
    * `clientInformation()`.
-   * 
+   *
    * This method is not required to be implemented if client information is
    * statically known (e.g., pre-registered).
    */
@@ -78,14 +78,29 @@ export class UnauthorizedError extends Error {
 
 /**
  * Orchestrates the full auth flow with a server.
- * 
+ *
  * This can be used as a single entry point for all authorization functionality,
  * instead of linking together the other lower-level functions in this module.
  */
 export async function auth(
   provider: OAuthClientProvider,
-  { serverUrl, authorizationCode }: { serverUrl: string | URL, authorizationCode?: string }): Promise<AuthResult> {
-  const metadata = await discoverOAuthMetadata(serverUrl);
+  { resourceServerUrl, authorizationCode, authServerUrl }: { resourceServerUrl: string | URL, authorizationCode?: string, authServerUrl?: string | URL }): Promise<AuthResult> {
+
+    let authorizationServerUrl = authServerUrl
+
+  if (!authorizationServerUrl) {
+    const protectedResourceMetadata = await discoverOAuthProtectedResourceMetadata(resourceServerUrl);
+    if (protectedResourceMetadata.authorization_servers === undefined || protectedResourceMetadata.authorization_servers.length === 0) {
+      throw new Error("Server does not speicify any authorization servers.");
+    }
+    authorizationServerUrl = protectedResourceMetadata.authorization_servers[0];
+  }
+
+  if (!authorizationServerUrl) {
+    throw new Error("Server does not speicify any authorization servers.");
+  }
+
+  const metadata = await discoverOAuthMetadata(authorizationServerUrl);
 
   // Handle client registration if needed
   let clientInformation = await Promise.resolve(provider.clientInformation());
@@ -98,7 +113,7 @@ export async function auth(
       throw new Error("OAuth client information must be saveable for dynamic registration");
     }
 
-    const fullInformation = await registerClient(serverUrl, {
+    const fullInformation = await registerClient(authorizationServerUrl, {
       metadata,
       clientMetadata: provider.clientMetadata,
     });
@@ -110,7 +125,7 @@ export async function auth(
   // Exchange authorization code for tokens
   if (authorizationCode !== undefined) {
     const codeVerifier = await provider.codeVerifier();
-    const tokens = await exchangeAuthorization(serverUrl, {
+    const tokens = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
       clientInformation,
       authorizationCode,
@@ -128,7 +143,7 @@ export async function auth(
   if (tokens?.refresh_token) {
     try {
       // Attempt to refresh the token
-      const newTokens = await refreshAuthorization(serverUrl, {
+      const newTokens = await refreshAuthorization(authorizationServerUrl, {
         metadata,
         clientInformation,
         refreshToken: tokens.refresh_token,
@@ -142,7 +157,7 @@ export async function auth(
   }
 
   // Start new authorization flow
-  const { authorizationUrl, codeVerifier } = await startAuthorization(serverUrl, {
+  const { authorizationUrl, codeVerifier } = await startAuthorization(authorizationServerUrl, {
     metadata,
     clientInformation,
     redirectUrl: provider.redirectUrl
@@ -153,17 +168,93 @@ export async function auth(
   return "REDIRECT";
 }
 
+/**
+ * Extract resource_metadata from response header.
+ */
+export function extractResourceMetadataUrl(res: Response): URL | undefined {
+
+  const authenticateHeader = res.headers.get("WWW-Authenticate");
+  if (!authenticateHeader) {
+    return undefined;
+  }
+
+  const [type, scheme] = authenticateHeader.split(' ');
+  if (type.toLowerCase() !== 'bearer' || !scheme) {
+    console.log("Invalid WWW-Authenticate header format, expected 'Bearer'");
+    return undefined;
+  }
+  const regex = /resource_metadata="([^"]*)"/;
+  const match = regex.exec(authenticateHeader);
+
+  if (!match) {
+    return undefined;
+  }
+
+  try {
+    return new URL(match[1]);
+  } catch(error) {
+    console.log("Invalid resource metadata url.");
+    return undefined;
+  }
+}
+
+/**
+ * Looks up RFC 9728 OAuth 2.0 Protected Resource Metadata.
+ *
+ * If the server returns a 404 for the well-known endpoint, this function will
+ * return `undefined`. Any other errors will be thrown as exceptions.
+ */
+export async function discoverOAuthProtectedResourceMetadata(
+  resourceServerUrl: string | URL,
+  opts?: { protocolVersion?: string, resourceMetadataUrl?: string | URL },
+): Promise<OAuthProtectedResourceMetadata> {
+
+  let url: URL
+  if (opts?.resourceMetadataUrl) {
+    url = new URL(opts?.resourceMetadataUrl);
+  } else {
+    url = new URL("/.well-known/oauth-protected-resource", resourceServerUrl);
+  }
+
+  let response: Response;
+  try {
+    response = await fetch(url, {
+      headers: {
+        "MCP-Protocol-Version": opts?.protocolVersion ?? LATEST_PROTOCOL_VERSION
+      }
+    });
+  } catch (error) {
+    // CORS errors come back as TypeError
+    if (error instanceof TypeError) {
+      response = await fetch(url);
+    } else {
+      throw error;
+    }
+  }
+
+  if (response.status === 404) {
+    throw new Error(`Resource server does not implement OAuth 2.0 Protected Resource Metadata.`);
+  }
+
+  if (!response.ok) {
+    throw new Error(
+      `HTTP ${response.status} trying to load well-known OAuth protected resource metadata.`,
+    );
+  }
+  return OAuthProtectedResourceMetadataSchema.parse(await response.json());
+}
+
 /**
  * Looks up RFC 8414 OAuth 2.0 Authorization Server Metadata.
  *
  * If the server returns a 404 for the well-known endpoint, this function will
  * return `undefined`. Any other errors will be thrown as exceptions.
  */
 export async function discoverOAuthMetadata(
-  serverUrl: string | URL,
+  authorizationServerUrl: string | URL,
   opts?: { protocolVersion?: string },
 ): Promise<OAuthMetadata | undefined> {
-  const url = new URL("/.well-known/oauth-authorization-server", serverUrl);
+  const url = new URL("/.well-known/oauth-authorization-server", authorizationServerUrl);
   let response: Response;
   try {
     response = await fetch(url, {
@@ -197,7 +288,7 @@ export async function discoverOAuthMetadata(
  * Begins the authorization flow with the given server, by generating a PKCE challenge and constructing the authorization URL.
  */
 export async function startAuthorization(
-  serverUrl: string | URL,
+  authorizationServerUrl: string | URL,
   {
     metadata,
     clientInformation,
@@ -230,7 +321,7 @@ export async function startAuthorization(
       );
     }
   } else {
-    authorizationUrl = new URL("/authorize", serverUrl);
+    authorizationUrl = new URL("/authorize", authorizationServerUrl);
   }
 
   // Generate PKCE challenge
@@ -254,7 +345,7 @@ export async function startAuthorization(
  * Exchanges an authorization code for an access token with the given server.
  */
 export async function exchangeAuthorization(
-  serverUrl: string | URL,
+  authorizationServerUrl: string | URL,
   {
     metadata,
     clientInformation,
@@ -284,7 +375,7 @@ export async function exchangeAuthorization(
       );
     }
   } else {
-    tokenUrl = new URL("/token", serverUrl);
+    tokenUrl = new URL("/token", authorizationServerUrl);
   }
 
   // Exchange code for tokens
@@ -319,7 +410,7 @@ export async function exchangeAuthorization(
  * Exchange a refresh token for an updated access token.
  */
 export async function refreshAuthorization(
-  serverUrl: string | URL,
+  authorizationServerUrl: string | URL,
   {
     metadata,
     clientInformation,
@@ -345,7 +436,7 @@ export async function refreshAuthorization(
       );
     }
   } else {
-    tokenUrl = new URL("/token", serverUrl);
+    tokenUrl = new URL("/token", authorizationServerUrl);
   }
 
   // Exchange refresh token
@@ -366,7 +457,7 @@ export async function refreshAuthorization(
     },
     body: params,
   });
-
+console.log(response)
   if (!response.ok) {
     throw new Error(`Token refresh failed: HTTP ${response.status}`);
   }
@@ -378,7 +469,7 @@ export async function refreshAuthorization(
  * Performs OAuth 2.0 Dynamic Client Registration according to RFC 7591.
  */
 export async function registerClient(
-  serverUrl: string | URL,
+  authorizationServerUrl: string | URL,
   {
     metadata,
     clientMetadata,
@@ -396,7 +487,7 @@ export async function registerClient(
 
     registrationUrl = new URL(metadata.registration_endpoint);
   } else {
-    registrationUrl = new URL("/register", serverUrl);
+    registrationUrl = new URL("/register", authorizationServerUrl);
   }
 
   const response = await fetch(registrationUrl, {
