feat: integrate OAuth token introspection and userinfo handling

Author: butschster

src/Authentication/Contract/TokenIntrospectionClientInterface.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authentication\Contract;
+
+/**
+ * HTTP client interface for OAuth token introspection.
+ */
+interface TokenIntrospectionClientInterface
+{
+    /**
+     * Introspect a token using RFC 7662 endpoint.
+     *
+     * @return array<string, mixed>
+     * @throws \RuntimeException if introspection fails
+     */
+    public function introspectToken(string $token, string $introspectionUrl, ?array $headers = null): array;
+
+    /**
+     * Get user info from OAuth userinfo endpoint.
+     *
+     * @return array<string, mixed>
+     * @throws \RuntimeException if userinfo request fails
+     */
+    public function getUserInfo(string $token, string $userinfoUrl): array;
+}

src/Authentication/Dto/UserProfile.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authentication\Dto;
+
+/**
+ * Normalized user profile across OAuth providers.
+ */
+final readonly class UserProfile implements \JsonSerializable
+{
+    /**
+     * @param array<string, mixed> $extra Provider-specific additional data
+     */
+    public function __construct(
+        public string|int $sub,
+        public ?string $preferredUsername = null,
+        public ?string $name = null,
+        public ?string $email = null,
+        public ?bool $emailVerified = null,
+        public ?string $givenName = null,
+        public ?string $familyName = null,
+        public ?string $picture = null,
+        public array $extra = [],
+    ) {}
+
+    public function jsonSerialize(): array
+    {
+        return \array_filter([
+            'sub' => $this->sub,
+            'preferred_username' => $this->preferredUsername,
+            'name' => $this->name,
+            'email' => $this->email,
+            'email_verified' => $this->emailVerified,
+            'given_name' => $this->givenName,
+            'family_name' => $this->familyName,
+            'picture' => $this->picture,
+            'extra' => $this->extra,
+        ], static fn($value) => $value !== null && $value !== [] && $value !== '');
+    }
+}

src/Authentication/Handler/MetadataHandler.php

@@ -4,9 +4,9 @@
 
 namespace Mcp\Server\Authentication\Handler;
 
+use JsonException;
 use Mcp\Server\Authentication\Dto\OAuthMetadata;
 use Mcp\Server\Authentication\Dto\OAuthProtectedResourceMetadata;
-use Mcp\Server\Authentication\Router\AuthRouterOptions;
 use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -24,36 +24,12 @@ public function __construct(
         private StreamFactoryInterface $streamFactory,
     ) {}
 
-    public static function create(
-        AuthRouterOptions $options,
-        ResponseFactoryInterface $responseFactory,
-        StreamFactoryInterface $streamFactory,
-    ): self {
-        $oauthMetadata = self::createOAuthMetadata($options);
-
-        // Create protected resource metadata
-        $protectedResourceMetadata = new OAuthProtectedResourceMetadata(
-            resource: $options->baseUrl ?? $oauthMetadata->getIssuer(),
-            authorizationServers: [$oauthMetadata->getIssuer()],
-            jwksUri: null,
-            scopesSupported: empty($options->scopesSupported) ? null : $options->scopesSupported,
-            bearerMethodsSupported: null,
-            resourceSigningAlgValuesSupported: null,
-            resourceName: $options->resourceName,
-            resourceDocumentation: $options->serviceDocumentationUrl,
-        );
-
-        return new self(
-            oauthMetadata: $oauthMetadata,
-            protectedResourceMetadata: $protectedResourceMetadata,
-            responseFactory: $responseFactory,
-            streamFactory: $streamFactory,
-        );
-    }
-
+    /**
+     * @throws JsonException
+     */
     public function handleOAuthMetadata(ServerRequestInterface $request): ResponseInterface
     {
-        $json = \json_encode($this->oauthMetadata->jsonSerialize(), JSON_THROW_ON_ERROR);
+        $json = \json_encode($this->oauthMetadata->jsonSerialize(), \JSON_THROW_ON_ERROR);
         $body = $this->streamFactory->createStream($json);
 
         return $this->responseFactory
@@ -63,9 +39,12 @@ public function handleOAuthMetadata(ServerRequestInterface $request): ResponseIn
             ->withBody($body);
     }
 
+    /**
+     * @throws JsonException
+     */
     public function handleProtectedResourceMetadata(ServerRequestInterface $request): ResponseInterface
     {
-        $json = \json_encode($this->protectedResourceMetadata->jsonSerialize(), JSON_THROW_ON_ERROR);
+        $json = \json_encode($this->protectedResourceMetadata->jsonSerialize(), \JSON_THROW_ON_ERROR);
         $body = $this->streamFactory->createStream($json);
 
         return $this->responseFactory
@@ -74,58 +53,4 @@ public function handleProtectedResourceMetadata(ServerRequestInterface $request)
             ->withHeader('Cache-Control', 'public, max-age=3600')
             ->withBody($body);
     }
-
-    private static function createOAuthMetadata(AuthRouterOptions $options): OAuthMetadata
-    {
-        self::checkIssuerUrl($options->issuerUrl);
-
-        $baseUrl = $options->baseUrl ?? $options->issuerUrl;
-
-        return new OAuthMetadata(
-            issuer: $options->issuerUrl,
-            authorizationEndpoint: self::buildUrl('/oauth2/authorize', $baseUrl),
-            tokenEndpoint: self::buildUrl('/oauth2/token', $baseUrl),
-            responseTypesSupported: ['code'],
-            registrationEndpoint: self::buildUrl('/oauth2/register', $baseUrl),
-            scopesSupported: empty($options->scopesSupported) ? null : $options->scopesSupported,
-            responseModesSupported: null,
-            grantTypesSupported: ['authorization_code', 'refresh_token'],
-            tokenEndpointAuthMethodsSupported: ['client_secret_post'],
-            tokenEndpointAuthSigningAlgValuesSupported: null,
-            serviceDocumentation: $options->serviceDocumentationUrl,
-            revocationEndpoint: self::buildUrl('/oauth2/revoke', $baseUrl),
-            revocationEndpointAuthMethodsSupported: ['client_secret_post'],
-            revocationEndpointAuthSigningAlgValuesSupported: null,
-            introspectionEndpoint: null,
-            introspectionEndpointAuthMethodsSupported: null,
-            introspectionEndpointAuthSigningAlgValuesSupported: null,
-            codeChallengeMethodsSupported: ['S256'],
-        );
-    }
-
-    private static function checkIssuerUrl(string $issuer): void
-    {
-        $parsed = \parse_url($issuer);
-
-        // Technically RFC 8414 does not permit a localhost HTTPS exemption, but this is necessary for testing
-        if (
-            $parsed['scheme'] !== 'https' &&
-            !\in_array($parsed['host'] ?? '', ['localhost', '127.0.0.1'], true)
-        ) {
-            throw new \InvalidArgumentException('Issuer URL must be HTTPS');
-        }
-
-        if (isset($parsed['fragment'])) {
-            throw new \InvalidArgumentException("Issuer URL must not have a fragment: {$issuer}");
-        }
-
-        if (isset($parsed['query'])) {
-            throw new \InvalidArgumentException("Issuer URL must not have a query string: {$issuer}");
-        }
-    }
-
-    private static function buildUrl(string $path, string $baseUrl): string
-    {
-        return \rtrim($baseUrl, '/') . $path;
-    }
 }

src/Authentication/Provider/GenericTokenVerifier.php

@@ -0,0 +1,177 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authentication\Provider;
+
+use Mcp\Server\Authentication\AuthInfo;
+use Mcp\Server\Authentication\Contract\OAuthTokenVerifierInterface;
+use Mcp\Server\Authentication\Contract\TokenIntrospectionClientInterface;
+use Mcp\Server\Authentication\DefaultAuthInfo;
+use Mcp\Server\Authentication\Dto\UserProfile;
+use Mcp\Server\Authentication\Error\InvalidTokenError;
+
+/**
+ * Generic OAuth token verifier supporting multiple providers.
+ */
+final readonly class GenericTokenVerifier implements OAuthTokenVerifierInterface
+{
+    public function __construct(
+        private TokenIntrospectionConfig $config,
+        private TokenIntrospectionClientInterface $client,
+    ) {}
+
+    /**
+     * @throws InvalidTokenError
+     */
+    public function verifyAccessToken(string $token): AuthInfo
+    {
+        // Verify token and get user profile
+        $tokenData = $this->verifyToken($token);
+        $userProfile = $this->getUserProfile($token, $tokenData);
+
+        // Create AuthInfo
+        return $this->createAuthInfo($token, $tokenData, $userProfile);
+    }
+
+    /**
+     * @return array<string, mixed>
+     * @throws InvalidTokenError
+     */
+    private function verifyToken(string $token): array
+    {
+        // Try introspection first if configured and enabled
+        if ($this->config->useIntrospection && $this->config->introspectionUrl !== null) {
+            try {
+                return $this->client->introspectToken(
+                    $token,
+                    $this->config->introspectionUrl,
+                    $this->config->headers,
+                );
+            } catch (\Throwable $e) {
+                // If introspection fails and we have userinfo URL, fall back to it
+                if ($this->config->userinfoUrl !== null) {
+                    // For userinfo-only flow, we'll get token info from the user profile
+                    return [];
+                }
+
+                throw $e;
+            }
+        }
+
+        // For providers without introspection, we'll validate through userinfo endpoint
+        if ($this->config->userinfoUrl !== null) {
+            // Token validation will happen when we call getUserInfo
+            return [];
+        }
+
+        throw new InvalidTokenError('No token verification endpoint configured');
+    }
+
+    private function getUserProfile(string $token, array $tokenData): UserProfile
+    {
+        if ($this->config->userinfoUrl === null) {
+            // Try to build user profile from introspection data
+            return $this->buildUserProfileFromIntrospection($tokenData);
+        }
+
+        // Get user info from userinfo endpoint
+        $userInfo = $this->client->getUserInfo($token, $this->config->userinfoUrl);
+
+        return $this->buildUserProfileFromUserInfo($userInfo);
+    }
+
+    private function buildUserProfileFromIntrospection(array $data): UserProfile
+    {
+        // Map introspection fields to standard profile fields
+        $mappedData = $this->mapFields($data, $this->config->userFieldMapping);
+
+        return new UserProfile(
+            sub: $mappedData['sub'] ?? $data['sub'] ?? 'unknown',
+            preferredUsername: $mappedData['preferred_username'] ?? $data['username'] ?? null,
+            name: $mappedData['name'] ?? $data['name'] ?? null,
+            email: $mappedData['email'] ?? $data['email'] ?? null,
+            emailVerified: $mappedData['email_verified'] ?? $data['email_verified'] ?? null,
+            givenName: $mappedData['given_name'] ?? $data['given_name'] ?? null,
+            familyName: $mappedData['family_name'] ?? $data['family_name'] ?? null,
+            picture: $mappedData['picture'] ?? $data['picture'] ?? null,
+            extra: $data,
+        );
+    }
+
+    private function buildUserProfileFromUserInfo(array $data): UserProfile
+    {
+        // Map provider fields to standard profile fields
+        $mappedData = $this->mapFields($data, $this->config->userFieldMapping);
+
+        return new UserProfile(
+            sub: $mappedData['sub'] ?? $data['id'] ?? (string)($data['user_id'] ?? 'unknown'),
+            preferredUsername: $mappedData['preferred_username'] ?? $data['login'] ?? $data['username'] ?? null,
+            name: $mappedData['name'] ?? $data['name'] ?? null,
+            email: $mappedData['email'] ?? $data['email'] ?? null,
+            emailVerified: $mappedData['email_verified'] ?? $data['email_verified'] ?? null,
+            givenName: $mappedData['given_name'] ?? $data['given_name'] ?? null,
+            familyName: $mappedData['family_name'] ?? $data['family_name'] ?? null,
+            picture: $mappedData['picture'] ?? $data['avatar_url'] ?? $data['picture'] ?? null,
+            extra: $data,
+        );
+    }
+
+    /**
+     * @param array<string, mixed> $data
+     * @param array<string, string> $mapping
+     * @return array<string, mixed>
+     */
+    private function mapFields(array $data, array $mapping): array
+    {
+        $mapped = [];
+
+        foreach ($mapping as $sourceField => $targetField) {
+            if (isset($data[$sourceField])) {
+                $mapped[$targetField] = $data[$sourceField];
+            }
+        }
+
+        return $mapped;
+    }
+
+    private function createAuthInfo(string $token, array $tokenData, UserProfile $userProfile): AuthInfo
+    {
+        // Extract client ID
+        $clientId = $tokenData['client_id'] ?? $tokenData['aud'] ?? $userProfile->sub;
+
+        // Extract scopes
+        $scopes = [];
+        if (isset($tokenData['scope'])) {
+            $scopes = \is_array($tokenData['scope'])
+                ? $tokenData['scope']
+                : \explode(' ', (string)$tokenData['scope']);
+        } elseif (isset($tokenData['scopes'])) {
+            $scopes = \is_array($tokenData['scopes']) ? $tokenData['scopes'] : [$tokenData['scopes']];
+        }
+
+        // Extract expiration
+        $expiresAt = $tokenData['exp'] ?? null;
+        if ($expiresAt !== null && !\is_int($expiresAt)) {
+            $expiresAt = (int)$expiresAt;
+        }
+
+        // Extract resource/audience
+        $resource = $tokenData['aud'] ?? $tokenData['resource'] ?? null;
+
+        // Combine all extra data
+        $extra = \array_merge(
+            ['user_profile' => $userProfile->jsonSerialize()],
+            $tokenData,
+        );
+
+        return new DefaultAuthInfo(
+            token: $token,
+            clientId: (string)$clientId,
+            scopes: $scopes,
+            expiresAt: $expiresAt,
+            resource: $resource,
+            extra: $extra,
+        );
+    }
+}

src/Authentication/Provider/ProxyClientsStore.php

@@ -16,6 +16,10 @@
  */
 final readonly class ProxyClientsStore implements OAuthRegisteredClientsStoreInterface
 {
+    /**
+     * @param callable(string $clientId):OAuthClientInformation|null $getClient
+     * @param non-empty-string|null $registrationUrl
+     */
     public function __construct(
         private \Closure $getClient,
         private ?string $registrationUrl,
@@ -46,7 +50,7 @@ public function registerClient(OAuthClientInformation $client): OAuthClientInfor
             throw new ServerError("Client registration failed: {$response->getStatusCode()}");
         }
 
-        $data = \json_decode((string) $response->getBody(), true);
+        $data = \json_decode((string)$response->getBody(), true);
         if (\json_last_error() !== JSON_ERROR_NONE) {
             throw new ServerError('Invalid JSON response from registration endpoint');
         }