feat(server): lift framework-agnostic RS-auth helpers from /express#1973
Draft
felixweinberger wants to merge 4 commits into main from
…col/express Adds first-class (not deprecated) OAuth Resource-Server helpers to the Express adapter, restoring the v1 src/server/auth pieces that an MCP server needs when it delegates to an external Authorization Server:

- requireBearerAuth: Express middleware that validates a Bearer token via a pluggable OAuthTokenVerifier, attaches AuthInfo to req.auth, and on failure emits RFC 6750 WWW-Authenticate challenges (with optional resource_metadata pointer per RFC 9728).
- mcpAuthMetadataRouter: serves RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource[/<path>] and mirrors the AS metadata at /.well-known/oauth-authorization-server, with permissive CORS and a GET/OPTIONS allow-list.
- getOAuthProtectedResourceMetadataUrl: builds the path-aware PRM URL for a given server URL.
- OAuthTokenVerifier interface, plus metadataHandler / allowedMethods building blocks.

Adapted to v2's single OAuthError + OAuthErrorCode (no per-code subclasses) and to types re-exported via @modelcontextprotocol/server. Adds cors as a runtime dependency and supertest as a dev dependency for the integration tests.
Moves OAuthTokenVerifier, buildWwwAuthenticateHeader, checkIssuerUrl, getOAuthProtectedResourceMetadataUrl, and a new buildProtectedResourceMetadata/ProtectedResourceMetadataOptions to @modelcontextprotocol/server. /express re-exports them for BC and now consumes them from /server, so /hono and /fastify can ship thin RS-auth adapters without duplicating the RFC 6750/9728 logic. Follow-up from #1907 (pcarleton review).
🦋 Changeset detected. Latest commit: b199bbf. The changes in this PR will be included in the next version bump. This PR includes changesets to release 5 packages:
- @modelcontextprotocol/client
- @modelcontextprotocol/server
- @modelcontextprotocol/express
- @modelcontextprotocol/fastify
- @modelcontextprotocol/hono
- @modelcontextprotocol/node
Lifts the framework-agnostic OAuth Resource-Server helpers from `@modelcontextprotocol/express` into `@modelcontextprotocol/server` so other adapter packages can share the RFC 6750/9728 logic. Stacks on #1907.

Motivation and Context

Follow-up from @pcarleton's #1907 review (#1907 (review)):

`OAuthTokenVerifier`, `getOAuthProtectedResourceMetadataUrl`, `checkIssuerUrl`, and the `WWW-Authenticate` builder have zero Express deps. Hoisting them to `/server` lets `/hono` and `/fastify` ship thin RS-auth adapters without duplicating the RFC logic. It also gives #1908 (server-auth-legacy) a clean re-export target for `OAuthTokenVerifier` instead of carrying its own copy.

Moved to `@modelcontextprotocol/server` (`src/auth/resourceServer.ts`):

- `OAuthTokenVerifier` interface
- `buildWwwAuthenticateHeader` (was a private helper, now exported)
- `checkIssuerUrl` (was a private helper, now exported)
- `getOAuthProtectedResourceMetadataUrl`
- `buildProtectedResourceMetadata` + `ProtectedResourceMetadataOptions` (new — extracted PRM-doc construction)

`/express` now imports from `/server` and re-exports `OAuthTokenVerifier` / `getOAuthProtectedResourceMetadataUrl` for backwards compatibility. `requireBearerAuth` and `mcpAuthMetadataRouter` stay in `/express` (they are Express-specific) but consume the lifted helpers. `/hono` and `/fastify` READMEs note the helpers are now available for building adapters.

How Has This Been Tested?

- `packages/server/test/auth/resourceServer.test.ts` (10 cases) covering all four helpers.
- `/express` integration tests (29/29) unchanged and passing — `requireBearerAuth` and `mcpAuthMetadataRouter` behave identically.
- `pnpm typecheck:all && lint:all && build:all && docs:check` clean.

Breaking Changes

None. `/express` re-exports preserve existing import paths.

Types of changes

Checklist

Additional context

Enables #1908 to drop its local `OAuthTokenVerifier` and re-export from `/server` instead (separate worktree, not included here).
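The three framework-agnostic pieces the PR lifts, written out as an added TypeScript example rather than the SDK's own `resourceServer.ts`: the path-aware RFC 9728 PRM URL, an RFC 8414 issuer check, and an RFC 6750 challenge builder whose parameter values are filtered to the RFC's allowed character set so a verifier-supplied error description cannot inject extra header lines. The function names follow the PR; the signatures, the `ChallengeOptions` shape and the error handling are assumptions.

```typescript
// Added example, not the SDK's own implementation. Function names follow the
// PR; signatures, option names and error handling here are assumptions.

// RFC 9728 §3: the PRM document is served at /.well-known/oauth-protected-resource,
// with the resource's own path appended when the resource is not at the origin root.
export function getOAuthProtectedResourceMetadataUrl(serverUrl: URL): string {
  const path = serverUrl.pathname.replace(/\/+$/, ""); // "" for a root resource
  return `${serverUrl.origin}/.well-known/oauth-protected-resource${path}`;
}

// RFC 8414 §2: an issuer identifier is an https URL with no query or fragment.
// Plain http is tolerated only for loopback development hosts.
export function checkIssuerUrl(issuer: URL): void {
  const loopback = issuer.hostname === "localhost" || issuer.hostname === "127.0.0.1";
  if (issuer.protocol !== "https:" && !(issuer.protocol === "http:" && loopback)) {
    throw new Error(`issuer must use https: ${issuer.href}`);
  }
  if (issuer.search !== "" || issuer.hash !== "") {
    throw new Error(`issuer must not carry a query or fragment: ${issuer.href}`);
  }
}

export type BearerErrorCode = "invalid_request" | "invalid_token" | "insufficient_scope";

export interface ChallengeOptions {
  error?: BearerErrorCode;
  errorDescription?: string;
  scope?: string;               // space-separated scopes the resource requires
  resourceMetadataUrl?: string; // RFC 9728 §5.1 resource_metadata parameter
}

// RFC 6750 §3 restricts quoted parameter values to %x20-21 / %x23-5B / %x5D-7E:
// printable ASCII without '"' or '\'. Dropping everything else also removes CR/LF,
// so a description taken from a token verifier cannot inject extra header lines.
function quoteParam(value: string): string {
  return `"${value.replace(/[^\x20-\x21\x23-\x5B\x5D-\x7E]/g, "")}"`;
}

// Builds the RFC 6750 challenge. A bare "Bearer" is correct when the request
// carried no token at all, since the RFC says no error code should be given then.
export function buildWwwAuthenticateHeader(opts: ChallengeOptions): string {
  const params: string[] = [];
  if (opts.error) params.push(`error=${quoteParam(opts.error)}`);
  if (opts.errorDescription) params.push(`error_description=${quoteParam(opts.errorDescription)}`);
  if (opts.scope) params.push(`scope=${quoteParam(opts.scope)}`);
  if (opts.resourceMetadataUrl) params.push(`resource_metadata=${quoteParam(opts.resourceMetadataUrl)}`);
  return params.length === 0 ? "Bearer" : `Bearer ${params.join(", ")}`;
}
```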