refactor: remove ClientAuthMiddleware and restructure OAuth handlers

Author: butschster

composer.json

@@ -5,10 +5,6 @@
   "type": "library",
   "license": "MIT",
   "authors": [
-    {
-      "name": "Kyrian Obikwelu",
-      "email": "koshnawaza@gmail.com"
-    },
     {
       "name": "Pavel Buchnev",
       "email": "butschster@gmail.com"

src/Authentication/Handler/MetadataHandler.php

@@ -6,6 +6,7 @@
 
 use Mcp\Server\Authentication\Dto\OAuthMetadata;
 use Mcp\Server\Authentication\Dto\OAuthProtectedResourceMetadata;
+use Mcp\Server\Authentication\Router\AuthRouterOptions;
 use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -23,6 +24,33 @@ public function __construct(
         private StreamFactoryInterface $streamFactory,
     ) {}
 
+    public static function create(
+        AuthRouterOptions $options,
+        ResponseFactoryInterface $responseFactory,
+        StreamFactoryInterface $streamFactory,
+    ): self {
+        $oauthMetadata = self::createOAuthMetadata($options);
+
+        // Create protected resource metadata
+        $protectedResourceMetadata = new OAuthProtectedResourceMetadata(
+            resource: $options->baseUrl ?? $oauthMetadata->getIssuer(),
+            authorizationServers: [$oauthMetadata->getIssuer()],
+            jwksUri: null,
+            scopesSupported: empty($options->scopesSupported) ? null : $options->scopesSupported,
+            bearerMethodsSupported: null,
+            resourceSigningAlgValuesSupported: null,
+            resourceName: $options->resourceName,
+            resourceDocumentation: $options->serviceDocumentationUrl,
+        );
+
+        return new self(
+            oauthMetadata: $oauthMetadata,
+            protectedResourceMetadata: $protectedResourceMetadata,
+            responseFactory: $responseFactory,
+            streamFactory: $streamFactory,
+        );
+    }
+
     public function handleOAuthMetadata(ServerRequestInterface $request): ResponseInterface
     {
         $json = \json_encode($this->oauthMetadata->jsonSerialize(), JSON_THROW_ON_ERROR);
@@ -46,4 +74,58 @@ public function handleProtectedResourceMetadata(ServerRequestInterface $request)
             ->withHeader('Cache-Control', 'public, max-age=3600')
             ->withBody($body);
     }
+
+    private static function createOAuthMetadata(AuthRouterOptions $options): OAuthMetadata
+    {
+        self::checkIssuerUrl($options->issuerUrl);
+
+        $baseUrl = $options->baseUrl ?? $options->issuerUrl;
+
+        return new OAuthMetadata(
+            issuer: $options->issuerUrl,
+            authorizationEndpoint: self::buildUrl('/oauth2/authorize', $baseUrl),
+            tokenEndpoint: self::buildUrl('/oauth2/token', $baseUrl),
+            responseTypesSupported: ['code'],
+            registrationEndpoint: self::buildUrl('/oauth2/register', $baseUrl),
+            scopesSupported: empty($options->scopesSupported) ? null : $options->scopesSupported,
+            responseModesSupported: null,
+            grantTypesSupported: ['authorization_code', 'refresh_token'],
+            tokenEndpointAuthMethodsSupported: ['client_secret_post'],
+            tokenEndpointAuthSigningAlgValuesSupported: null,
+            serviceDocumentation: $options->serviceDocumentationUrl,
+            revocationEndpoint: self::buildUrl('/oauth2/revoke', $baseUrl),
+            revocationEndpointAuthMethodsSupported: ['client_secret_post'],
+            revocationEndpointAuthSigningAlgValuesSupported: null,
+            introspectionEndpoint: null,
+            introspectionEndpointAuthMethodsSupported: null,
+            introspectionEndpointAuthSigningAlgValuesSupported: null,
+            codeChallengeMethodsSupported: ['S256'],
+        );
+    }
+
+    private static function checkIssuerUrl(string $issuer): void
+    {
+        $parsed = \parse_url($issuer);
+
+        // Technically RFC 8414 does not permit a localhost HTTPS exemption, but this is necessary for testing
+        if (
+            $parsed['scheme'] !== 'https' &&
+            !\in_array($parsed['host'] ?? '', ['localhost', '127.0.0.1'], true)
+        ) {
+            throw new \InvalidArgumentException('Issuer URL must be HTTPS');
+        }
+
+        if (isset($parsed['fragment'])) {
+            throw new \InvalidArgumentException("Issuer URL must not have a fragment: {$issuer}");
+        }
+
+        if (isset($parsed['query'])) {
+            throw new \InvalidArgumentException("Issuer URL must not have a query string: {$issuer}");
+        }
+    }
+
+    private static function buildUrl(string $path, string $baseUrl): string
+    {
+        return \rtrim($baseUrl, '/') . $path;
+    }
 }

src/Authentication/Handler/TokenHandler.php

@@ -5,6 +5,7 @@
 namespace Mcp\Server\Authentication\Handler;
 
 use Mcp\Server\Authentication\Contract\OAuthServerProviderInterface;
+use Mcp\Server\Authentication\Dto\OAuthClientInformation;
 use Mcp\Server\Authentication\Error\InvalidClientError;
 use Mcp\Server\Authentication\Error\InvalidGrantError;
 use Mcp\Server\Authentication\Error\InvalidRequestError;
@@ -54,7 +55,9 @@ public function handle(ServerRequestInterface $request): ResponseInterface
             return match ($params['grant_type']) {
                 'authorization_code' => $this->handleAuthorizationCodeGrant($client, $params, $response),
                 'refresh_token' => $this->handleRefreshTokenGrant($client, $params, $response),
-                default => throw new UnsupportedGrantTypeError('The grant type is not supported by this authorization server'),
+                default => throw new UnsupportedGrantTypeError(
+                    'The grant type is not supported by this authorization server',
+                ),
             };
         } catch (OAuthError $e) {
             return $this->createErrorResponse($e);
@@ -66,7 +69,7 @@ public function handle(ServerRequestInterface $request): ResponseInterface
     }
 
     private function handleAuthorizationCodeGrant(
-        $client,
+        OAuthClientInformation $client,
         array $params,
         ResponseInterface $response,
     ): ResponseInterface {
@@ -111,8 +114,11 @@ private function handleAuthorizationCodeGrant(
             ->withBody($body);
     }
 
-    private function handleRefreshTokenGrant($client, array $params, ResponseInterface $response): ResponseInterface
-    {
+    private function handleRefreshTokenGrant(
+        OAuthClientInformation $client,
+        array $params,
+        ResponseInterface $response,
+    ): ResponseInterface {
         if (empty($params['refresh_token'])) {
             throw new InvalidRequestError('Missing refresh_token parameter');
         }

src/Authentication/Middleware/ClientAuthMiddleware.php

@@ -4,22 +4,22 @@
 
 namespace Mcp\Server\Authentication\Router;
 
-use Mcp\Server\Authentication\Contract\OAuthServerProviderInterface;
-
 /**
  * Configuration for OAuth router.
  */
 final readonly class AuthRouterOptions
 {
     /**
      * @param string[] $scopesSupported
+     * @param string[] $requiredScopes
      */
     public function __construct(
-        public OAuthServerProviderInterface $provider,
         public string $issuerUrl,
         public ?string $baseUrl = null,
         public ?string $serviceDocumentationUrl = null,
         public array $scopesSupported = [],
         public ?string $resourceName = null,
+        public array $requiredScopes = [],
+        public ?string $resourceMetadataUrl = null,
     ) {}
 }