llm-agents-php
diff --git a/‎src/Authorization/Contracts/ClientRepositoryInterface.php‎
Lines changed: 40 additions & 0 deletions b/‎src/Authorization/Contracts/ClientRepositoryInterface.php‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎src/Authorization/Contracts/ResourceServerInterface.php‎
Lines changed: 47 additions & 0 deletions b/‎src/Authorization/Contracts/ResourceServerInterface.php‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎src/Authorization/Contracts/TokenRepositoryInterface.php‎
Lines changed: 33 additions & 0 deletions b/‎src/Authorization/Contracts/TokenRepositoryInterface.php‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎src/Authorization/Contracts/TokenValidatorInterface.php‎
Lines changed: 26 additions & 0 deletions b/‎src/Authorization/Contracts/TokenValidatorInterface.php‎
Lines changed: 26 additions & 0 deletions
diff --git a/‎src/Authorization/Discovery/DiscoveryEndpointHandler.php‎
Lines changed: 87 additions & 0 deletions b/‎src/Authorization/Discovery/DiscoveryEndpointHandler.php‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎src/Authorization/Discovery/DiscoveryUriBuilder.php‎
Lines changed: 102 additions & 0 deletions b/‎src/Authorization/Discovery/DiscoveryUriBuilder.php‎
Lines changed: 102 additions & 0 deletions
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Contracts;
+
+use Mcp\Server\Authorization\Entities\Client;
+
+/**
+ * Client repository interface for managing OAuth clients
+ */
+interface ClientRepositoryInterface
+{
+    /**
+     * Store a client registration
+     */
+    public function storeClient(Client $client): void;
+    
+    /**
+     * Retrieve a client by its identifier
+     */
+    public function getClient(string $clientId): ?Client;
+    
+    /**
+     * Remove a client from storage
+     */
+    public function revokeClient(string $clientId): void;
+    
+    /**
+     * Check if a client exists
+     */
+    public function clientExists(string $clientId): bool;
+    
+    /**
+     * Get all registered clients
+     * 
+     * @return Client[]
+     */
+    public function getAllClients(): array;
+}
@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Contracts;
+
+use Mcp\Server\Authorization\Entities\AccessToken;
+use Mcp\Server\Authorization\Exception\AuthorizationException;
+use Psr\Http\Message\ServerRequestInterface;
+
+/**
+ * Resource server interface for protecting MCP endpoints
+ */
+interface ResourceServerInterface
+{
+    /**
+     * Extract and validate access token from HTTP request
+     * 
+     * @throws AuthorizationException When authorization fails
+     */
+    public function validateRequest(ServerRequestInterface $request, string $expectedAudience): AccessToken;
+    
+    /**
+     * Generate Protected Resource Metadata per RFC 9728
+     */
+    public function getResourceMetadata(): array;
+    
+    /**
+     * Check if a request requires authorization
+     */
+    public function requiresAuthorization(ServerRequestInterface $request): bool;
+    
+    /**
+     * Create WWW-Authenticate response header per RFC 6750 and RFC 9728
+     */
+    public function createWwwAuthenticateHeader(?string $error = null, ?string $errorDescription = null): string;
+    
+    /**
+     * Generate OAuth 2.0 Authorization Server Metadata per RFC 8414
+     */
+    public function getAuthorizationServerMetadata(): array;
+    
+    /**
+     * Generate OpenID Connect Discovery metadata
+     */
+    public function getOpenIdConnectDiscoveryMetadata(): array;
+}
@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Contracts;
+
+use Mcp\Server\Authorization\Entities\AccessToken;
+
+/**
+ * Token repository interface for storing and retrieving tokens
+ */
+interface TokenRepositoryInterface
+{
+    /**
+     * Store an access token
+     */
+    public function storeToken(AccessToken $token): void;
+    
+    /**
+     * Retrieve a token by its identifier
+     */
+    public function getToken(string $tokenId): ?AccessToken;
+    
+    /**
+     * Remove a token from storage
+     */
+    public function revokeToken(string $tokenId): void;
+    
+    /**
+     * Check if a token exists and is valid
+     */
+    public function isTokenValid(string $tokenId): bool;
+}
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Contracts;
+
+use Mcp\Server\Authorization\Entities\AccessToken;
+use Mcp\Server\Authorization\Exception\InvalidTokenException;
+
+/**
+ * Token validator interface for JWT and other token formats
+ */
+interface TokenValidatorInterface
+{
+    /**
+     * Validate and parse an access token
+     *
+     * @throws InvalidTokenException When token is invalid, expired, or malformed
+     */
+    public function validateToken(string $token, string $expectedAudience): AccessToken;
+
+    /**
+     * Check if this validator supports the given token format
+     */
+    public function supports(string $token): bool;
+}
@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Discovery;
+
+use Mcp\Server\Authorization\Contracts\ResourceServerInterface;
+
+/**
+ * Handles OAuth 2.1 discovery endpoint resolution and metadata generation
+ */
+final readonly class DiscoveryEndpointHandler
+{
+    public function __construct(
+        private ResourceServerInterface $resourceServer,
+        private DiscoveryUriBuilder $uriBuilder,
+    ) {}
+
+    /**
+     * Check if the request path matches any discovery endpoint
+     */
+    public function isDiscoveryEndpoint(string $path): bool
+    {
+        return $this->isOAuthAuthorizationServerEndpoint($path) ||
+               $this->isOpenIdConnectDiscoveryEndpoint($path) ||
+               $this->isProtectedResourceMetadataEndpoint($path);
+    }
+
+    /**
+     * Get metadata for the given discovery endpoint
+     */
+    public function getMetadataForPath(string $path): ?array
+    {
+        if ($this->isOAuthAuthorizationServerEndpoint($path)) {
+            return $this->resourceServer->getAuthorizationServerMetadata();
+        }
+
+        if ($this->isOpenIdConnectDiscoveryEndpoint($path)) {
+            return $this->resourceServer->getOpenIdConnectDiscoveryMetadata();
+        }
+
+        if ($this->isProtectedResourceMetadataEndpoint($path)) {
+            return $this->resourceServer->getResourceMetadata();
+        }
+
+        return null;
+    }
+
+    /**
+     * Get discovery URIs for a given issuer URL (for client implementation)
+     */
+    public function getDiscoveryUrisForIssuer(string $issuerUrl): array
+    {
+        return [
+            'oauth_authorization_server' => $this->uriBuilder->buildOAuthDiscoveryUris($issuerUrl),
+            'openid_connect_discovery' => $this->uriBuilder->buildOpenIdConnectDiscoveryUris($issuerUrl),
+        ];
+    }
+
+    /**
+     * Check if path is OAuth 2.0 Authorization Server Metadata endpoint
+     */
+    private function isOAuthAuthorizationServerEndpoint(string $path): bool
+    {
+        return $path === '/.well-known/oauth-authorization-server' ||
+               \str_starts_with($path, '/.well-known/oauth-authorization-server/');
+    }
+
+    /**
+     * Check if path is OpenID Connect Discovery endpoint
+     */
+    private function isOpenIdConnectDiscoveryEndpoint(string $path): bool
+    {
+        return $path === '/.well-known/openid-configuration' ||
+               \str_ends_with($path, '/.well-known/openid-configuration') ||
+               \str_starts_with($path, '/.well-known/openid-configuration/');
+    }
+
+    /**
+     * Check if path is Protected Resource Metadata endpoint
+     */
+    private function isProtectedResourceMetadataEndpoint(string $path): bool
+    {
+        return $path === '/.well-known/oauth-protected-resource' ||
+               \str_starts_with($path, '/.well-known/oauth-protected-resource/');
+    }
+}
@@ -0,0 +1,102 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Mcp\Server\Authorization\Discovery;
+
+/**
+ * Builds well-known discovery URIs per RFC 8414 and OpenID Connect Discovery
+ */
+final readonly class DiscoveryUriBuilder
+{
+    /**
+     * Build OAuth 2.0 Authorization Server Metadata URIs per RFC 8414
+     * 
+     * @return string[] Priority-ordered list of discovery URIs
+     */
+    public function buildOAuthDiscoveryUris(string $issuerUrl): array
+    {
+        $parsedUrl = parse_url($issuerUrl);
+        $baseUrl = $parsedUrl['scheme'] . '://' . $parsedUrl['host'];
+        
+        if (isset($parsedUrl['port']) && $parsedUrl['port'] !== 80 && $parsedUrl['port'] !== 443) {
+            $baseUrl .= ':' . $parsedUrl['port'];
+        }
+
+        $path = $parsedUrl['path'] ?? '';
+        $path = trim($path, '/');
+
+        $uris = [];
+
+        if (!empty($path)) {
+            // Path insertion method: https://auth.example.com/.well-known/oauth-authorization-server/tenant1
+            $uris[] = $baseUrl . '/.well-known/oauth-authorization-server/' . $path;
+        }
+
+        // Root method: https://auth.example.com/.well-known/oauth-authorization-server
+        $uris[] = $baseUrl . '/.well-known/oauth-authorization-server';
+
+        return $uris;
+    }
+
+    /**
+     * Build OpenID Connect Discovery URIs per OpenID Connect Discovery 1.0
+     * 
+     * @return string[] Priority-ordered list of discovery URIs
+     */
+    public function buildOpenIdConnectDiscoveryUris(string $issuerUrl): array
+    {
+        $parsedUrl = parse_url($issuerUrl);
+        $baseUrl = $parsedUrl['scheme'] . '://' . $parsedUrl['host'];
+        
+        if (isset($parsedUrl['port']) && $parsedUrl['port'] !== 80 && $parsedUrl['port'] !== 443) {
+            $baseUrl .= ':' . $parsedUrl['port'];
+        }
+
+        $path = $parsedUrl['path'] ?? '';
+        $path = trim($path, '/');
+
+        $uris = [];
+
+        if (!empty($path)) {
+            // Path insertion method: https://auth.example.com/.well-known/openid-configuration/tenant1
+            $uris[] = $baseUrl . '/.well-known/openid-configuration/' . $path;
+            
+            // Path appending method: https://auth.example.com/tenant1/.well-known/openid-configuration
+            $uris[] = $baseUrl . '/' . $path . '/.well-known/openid-configuration';
+        }
+
+        // Root method: https://auth.example.com/.well-known/openid-configuration
+        $uris[] = $baseUrl . '/.well-known/openid-configuration';
+
+        return $uris;
+    }
+
+    /**
+     * Build Protected Resource Metadata URIs per RFC 9728
+     * 
+     * @return string[] Priority-ordered list of discovery URIs
+     */
+    public function buildResourceMetadataUris(string $resourceUrl, ?string $specificPath = null): array
+    {
+        $parsedUrl = parse_url($resourceUrl);
+        $baseUrl = $parsedUrl['scheme'] . '://' . $parsedUrl['host'];
+        
+        if (isset($parsedUrl['port']) && $parsedUrl['port'] !== 80 && $parsedUrl['port'] !== 443) {
+            $baseUrl .= ':' . $parsedUrl['port'];
+        }
+
+        $uris = [];
+
+        if ($specificPath !== null) {
+            // Path-specific metadata
+            $cleanPath = trim($specificPath, '/');
+            $uris[] = $baseUrl . '/.well-known/oauth-protected-resource/' . $cleanPath;
+        }
+
+        // Root metadata
+        $uris[] = $baseUrl . '/.well-known/oauth-protected-resource';
+
+        return $uris;
+    }
+}