refactor: streamline authentication classes and remove unused components

Author: butschster

src/Authentication/AuthInfo.php

@@ -4,6 +4,8 @@
 
 namespace Mcp\Server\Authentication;
 
+use Mcp\Server\Authentication\Dto\UserProfile;
+
 /**
  * Information about a validated access token, provided to request handlers.
  */
@@ -38,10 +40,7 @@ public function getExpiresAt(): ?int;
     public function getResource(): ?string;
 
     /**
-     * Additional data associated with the token.
-     * This field should be used for any additional data that needs to be attached to the auth info.
-     *
-     * @return array<string, mixed>
+     * The user profile associated with this token, if available.
      */
-    public function getExtra(): array;
+    public function getUserProfile(): ?UserProfile;
 }

src/Authentication/Contract/UserProviderInterface.php

@@ -0,0 +1,12 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authentication\Contract;
+
+use Mcp\Server\Authentication\Dto\UserProfile;
+
+interface UserProviderInterface
+{
+    public function getUser(): ?UserProfile;
+}

src/Authentication/DefaultAuthInfo.php

@@ -4,22 +4,23 @@
 
 namespace Mcp\Server\Authentication;
 
+use Mcp\Server\Authentication\Dto\UserProfile;
+
 /**
  * Default implementation of AuthInfo.
  */
 final readonly class DefaultAuthInfo implements AuthInfo
 {
     /**
      * @param string[] $scopes
-     * @param array<string, mixed> $extra
      */
     public function __construct(
         private string $token,
         private string $clientId,
         private array $scopes,
+        private ?UserProfile $profile = null,
         private ?int $expiresAt = null,
         private ?string $resource = null,
-        private array $extra = [],
     ) {}
 
     public function getToken(): string
@@ -47,8 +48,8 @@ public function getResource(): ?string
         return $this->resource;
     }
 
-    public function getExtra(): array
+    public function getUserProfile(): ?UserProfile
     {
-        return $this->extra;
+        return $this->profile;
     }
 }

src/Authentication/Dto/OAuthMetadata.php

@@ -25,16 +25,16 @@
     public function __construct(
         public string $issuer,
         public string $authorizationEndpoint,
+        public string $registrationEndpoint,
+        public string $revocationEndpoint,
         public string $tokenEndpoint,
         public array $responseTypesSupported,
-        public ?string $registrationEndpoint = null,
         public ?array $scopesSupported = null,
         public ?array $responseModesSupported = null,
         public ?array $grantTypesSupported = null,
         public ?array $tokenEndpointAuthMethodsSupported = null,
         public ?array $tokenEndpointAuthSigningAlgValuesSupported = null,
         public ?string $serviceDocumentation = null,
-        public ?string $revocationEndpoint = null,
         public ?array $revocationEndpointAuthMethodsSupported = null,
         public ?array $revocationEndpointAuthSigningAlgValuesSupported = null,
         public ?string $introspectionEndpoint = null,
@@ -43,9 +43,35 @@ public function __construct(
         public ?array $codeChallengeMethodsSupported = null,
     ) {}
 
-    public function getIssuer(): string
+    public static function forProxy(string $issuer): self
     {
-        return $this->issuer;
+        return new self(
+            tokenEndpoint: \rtrim($issuer, '/') . '/oauth2/token',
+            authorizationEndpoint: \rtrim($issuer, '/') . '/oauth2/authorize',
+            registrationEndpoint: \rtrim($issuer, '/') . '/oauth2/register',
+            revocationEndpoint: \rtrim($issuer, '/') . '/oauth2/revoke',
+            responseTypesSupported: ['code'],
+            scopesSupported: ['read', 'write'],
+            grantTypesSupported: ['authorization_code', 'refresh_token'],
+            tokenEndpointAuthMethodsSupported: ['client_secret_post', 'client_secret_basic'],
+            codeChallengeMethodsSupported: ['S256'],
+        );
+    }
+
+    public static function forGithub(string $issuer): self
+    {
+        return new self(
+            issuer: $issuer,
+            authorizationEndpoint: 'https://github.com/login/oauth/authorize',
+            tokenEndpoint: 'https://github.com/login/oauth/access_token',
+            revocationEndpoint: 'https://github.com/login/oauth/revoke',
+            registrationEndpoint: 'https://github.com/login/oauth/register',
+            responseTypesSupported: ['code'],
+            scopesSupported: ['read', 'write'],
+            grantTypesSupported: ['authorization_code', 'refresh_token'],
+            tokenEndpointAuthMethodsSupported: ['client_secret_post', 'client_secret_basic'],
+            codeChallengeMethodsSupported: ['S256'],
+        );
     }
 
     public function jsonSerialize(): array

src/Authentication/Handler/MetadataHandler.php

@@ -4,7 +4,6 @@
 
 namespace Mcp\Server\Authentication\Handler;
 
-use JsonException;
 use Mcp\Server\Authentication\Dto\OAuthMetadata;
 use Mcp\Server\Authentication\Dto\OAuthProtectedResourceMetadata;
 use Psr\Http\Message\ResponseFactoryInterface;
@@ -25,7 +24,7 @@ public function __construct(
     ) {}
 
     /**
-     * @throws JsonException
+     * @throws \JsonException
      */
     public function handleOAuthMetadata(ServerRequestInterface $request): ResponseInterface
     {
@@ -40,7 +39,7 @@ public function handleOAuthMetadata(ServerRequestInterface $request): ResponseIn
     }
 
     /**
-     * @throws JsonException
+     * @throws \JsonException
      */
     public function handleProtectedResourceMetadata(ServerRequestInterface $request): ResponseInterface
     {

src/Authentication/Provider/GenericTokenVerifier.php

@@ -159,19 +159,13 @@ private function createAuthInfo(string $token, array $tokenData, UserProfile $us
         // Extract resource/audience
         $resource = $tokenData['aud'] ?? $tokenData['resource'] ?? null;
 
-        // Combine all extra data
-        $extra = \array_merge(
-            ['user_profile' => $userProfile->jsonSerialize()],
-            $tokenData,
-        );
-
         return new DefaultAuthInfo(
             token: $token,
             clientId: (string)$clientId,
             scopes: $scopes,
+            profile: $userProfile,
             expiresAt: $expiresAt,
             resource: $resource,
-            extra: $extra,
         );
     }
 }

src/Authentication/Provider/InMemoryUserProvider.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authentication\Provider;
+
+use Mcp\Server\Authentication\AuthInfo;
+use Mcp\Server\Authentication\Contract\UserProviderInterface;
+use Mcp\Server\Authentication\Dto\UserProfile;
+
+final readonly class InMemoryUserProvider implements UserProviderInterface
+{
+    public function __construct(
+        private ?AuthInfo $authInfo = null,
+    ) {}
+
+    public function getUser(): ?UserProfile
+    {
+        return $this->authInfo?->getUserProfile();
+    }
+}

src/Authentication/Router/McpAuthMetadataRouter.php

@@ -46,62 +46,70 @@ public function process(
         $method = $request->getMethod();
 
         // Handle OAuth endpoints (no authentication required for these)
-        $oauthResponse = match ([$path, $method]) {
-            ['/.well-known/mcp-oauth-metadata', 'GET'] => $this->metadataHandler->handleOAuthMetadata($request),
+        $oauthResponse = match (true) {
+            [$path, $method] === [
+                '/.well-known/mcp-oauth-metadata',
+                'GET',
+            ] => $this->metadataHandler->handleOAuthMetadata($request),
             \str_starts_with(
                 $path,
                 '/.well-known/oauth-protected-resource',
             ) && $method === 'GET' => $this->metadataHandler->handleProtectedResourceMetadata(
                 $request,
             ),
-            ['/.well-known/oauth-authorization-server', 'GET'] => $this->metadataHandler->handleOAuthMetadata(
+            \str_starts_with(
+                $path,
+                '/.well-known/oauth-authorization-server',
+            ) && $method === 'GET' => $this->metadataHandler->handleOAuthMetadata(
                 $request,
             ),
-            ['/oauth2/authorize', 'GET'] => $this->authorizeHandler->handle($request),
-            ['/oauth2/token', 'POST'] => $this->tokenHandler->handle($request),
-            ['/oauth2/revoke', 'POST'] => $this->revokeHandler->handle($request),
-            ['/oauth2/register', 'POST'] => $this->registerHandler->handle($request),
+            [$path, $method] == ['/oauth2/authorize', 'GET'] => $this->authorizeHandler->handle($request),
+            [$path, $method] == ['/oauth2/token', 'POST'] => $this->tokenHandler->handle($request),
+            [$path, $method] == ['/oauth2/revoke', 'POST'] => $this->revokeHandler->handle($request),
+            [$path, $method] == ['/oauth2/register', 'POST'] => $this->registerHandler->handle($request),
             default => null,
         };
 
         if ($oauthResponse !== null) {
             return $oauthResponse;
         }
 
-        // For all other requests, require authentication if token verifier is configured
-        if ($this->tokenVerifier !== null) {
-            try {
+        try {
+            // For all other requests, require authentication if token verifier is configured
+            if ($this->tokenVerifier !== null) {
                 $authInfo = $this->extractAndVerifyToken($request);
 
                 // Check required scopes
-                if (!empty($this->requiredScopes)) {
-                    $this->validateScopes($authInfo->getScopes(), $this->requiredScopes);
-                }
+                if ($authInfo !== null) {
+                    if (!empty($this->requiredScopes)) {
+                        $this->validateScopes($authInfo->getScopes(), $this->requiredScopes);
+                    }
 
-                // Add authenticated user to request attributes
-                $request = $request->withAttribute('auth', $authInfo);
-            } catch (InvalidTokenError) {
-                return $this->createAuthErrorResponse(401, 'invalid_token', 'Authentication required');
-            } catch (InsufficientScopeError $e) {
-                return $this->createAuthErrorResponse(403, 'insufficient_scope', $e->getMessage());
+                    // Add authenticated user to request attributes
+                    $request = $request->withAttribute('auth', $authInfo);
+                }
             }
-        }
 
-        return $handler->handle($request);
+            return $handler->handle($request);
+        } catch (InvalidTokenError $e) {
+            return $this->createAuthErrorResponse(401, 'invalid_token', 'Authentication required');
+        } catch (InsufficientScopeError $e) {
+            return $this->createAuthErrorResponse(403, 'insufficient_scope', $e->getMessage());
+        }
     }
 
-    private function extractAndVerifyToken(ServerRequestInterface $request): AuthInfo
+    private function extractAndVerifyToken(ServerRequestInterface $request): ?AuthInfo
     {
         // Extract Bearer token from Authorization header
         $authHeader = $request->getHeaderLine('Authorization');
         if (!$authHeader || !\str_starts_with(\strtolower($authHeader), 'bearer ')) {
-            throw new InvalidTokenError('Missing or invalid Authorization header');
+            return null;
         }
 
         $token = \substr($authHeader, 7); // Remove "Bearer " prefix
 
         if (empty($token)) {
-            throw new InvalidTokenError('Empty bearer token');
+            return null;
         }
 
         // Verify token