Documentation
Overview
Package mcpoauth implements the MCP OAuth 2.1 Authorization Code + PKCE flow for CLI clients.
It covers three responsibilities the golang.org/x/oauth2 package does not:
Server metadata discovery (RFC 8414): fetches /.well-known/oauth-authorization-server to locate the authorization and token endpoints.
Dynamic client registration (RFC 7591): registers a new OAuth client with the authorization server on first use.
Local callback server: starts a temporary localhost HTTP server to receive the authorization code redirect, then shuts it down.
golang.org/x/oauth2 handles PKCE, token exchange, token refresh, and the Transport RoundTripper.
Constants
This section is empty.
Variables
This section is empty.
Functions
func StartCallbackServer
StartCallbackServer binds a local HTTP listener on the given port (or a random port if port == 0) and returns the listener, its redirect URI, and a channel that will receive exactly one CallbackResult when the browser redirects to it.
The caller is responsible for closing the listener when done.
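The local callback server described above, as an added illustration rather than the package's own code: it binds a loopback listener, delivers exactly one result on a channel, and refuses to hand over a code whose `state` does not match the one the client sent. The `/callback` path, the `expectedState` parameter and the `Code`/`Err` field names are assumptions; the page documents none of them.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
)

type CallbackResult struct { // field names assumed; the package's own type is not shown here
	Code string // set only when the redirect passed every check
	Err  error
}

// startCallbackServer binds 127.0.0.1 on port (0 picks a free one), serves the redirect path and
// delivers exactly one CallbackResult; later redirects are answered but dropped. The caller closes ln.
func startCallbackServer(port int, expectedState string) (net.Listener, string, <-chan CallbackResult, error) {
	ln, err := net.Listen("tcp", fmt.Sprintf("127.0.0.1:%d", port))
	if err != nil {
		return nil, "", nil, err
	}
	results := make(chan CallbackResult, 1) // buffered so the handler never blocks on delivery
	var once sync.Once
	mux := http.NewServeMux()
	mux.HandleFunc("/callback", func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		res := CallbackResult{Code: q.Get("code")}
		switch {
		case q.Get("state") != expectedState: // not the state we sent: the code is never handed over
			res = CallbackResult{Err: fmt.Errorf("state mismatch in callback")}
		case q.Get("error") != "" || res.Code == "": // RFC 6749 error redirect (e.g. access_denied) or no code
			res = CallbackResult{Err: fmt.Errorf("authorization failed: %q", q.Get("error"))}
		}
		once.Do(func() { results <- res })
		fmt.Fprintln(w, "Callback received; you can close this window.")
	})
	go http.Serve(ln, mux) // returns once the caller closes ln
	return ln, "http://" + ln.Addr().String() + "/callback", results, nil
}

func main() {
	ln, uri, results, err := startCallbackServer(0, "s3cret-state")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	_, _ = http.Get(uri + "?code=SplxlOBeZQQYbYS6WxSbIA&state=s3cret-state") // stands in for the browser redirect
	fmt.Printf("%+v\n", <-results)
}
```

The real flow hands the returned redirect URI to the dynamic registration and authorization requests, and the `state` value must be freshly generated per run rather than a constant as in `main`.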
Types
type CallbackResult
CallbackResult is the outcome of the local callback server.
type ClientRegistration
type ClientRegistration struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret,omitempty"` // absent for public clients
}
ClientRegistration is the result of a successful dynamic client registration.
func RegisterClient
func RegisterClient(ctx context.Context, registrationEndpoint, clientName, redirectURI string) (*ClientRegistration, error)
RegisterClient performs RFC 7591 Dynamic Client Registration against the given endpoint. It registers a public client (no secret) suitable for a native CLI application.
If registrationEndpoint is empty, the caller must supply a clientID directly.
type KVStore
type KVStore interface {
	GetKV(ctx context.Context, key string, out interface{}) error
	SetKV(ctx context.Context, key string, value json.RawMessage) error
	DeleteKV(ctx context.Context, key string) error
}
KVStore is the minimal interface needed from runtimetypes.Store. Using a narrow interface avoids importing runtimetypes in this package.
type ServerMetadata
type ServerMetadata struct {
	Issuer                            string   `json:"issuer"`
	AuthorizationEndpoint             string   `json:"authorization_endpoint"`
	TokenEndpoint                     string   `json:"token_endpoint"`
	RegistrationEndpoint              string   `json:"registration_endpoint"`
	ScopesSupported                   []string `json:"scopes_supported"`
	CodeChallengeMethodsSupported     []string `json:"code_challenge_methods_supported"`
	TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported"`
}
ServerMetadata holds the subset of RFC 8414 fields we need.
func DiscoverAuthServer
func DiscoverAuthServer(ctx context.Context, mcpServerURL string) (*ServerMetadata, error)
DiscoverAuthServer fetches the OAuth 2.0 Authorization Server Metadata (RFC 8414) for the given MCP server URL.
It first tries the well-known URL derived from the server's base origin, then falls back to conventional endpoint paths if the server returns 404.
func (*ServerMetadata) SupportsS256
func (m *ServerMetadata) SupportsS256() bool
SupportsS256 reports whether the server advertises S256 PKCE support. If the field is absent, we assume yes (most modern servers support it).
type TokenStore
type TokenStore interface {
	GetOAuthToken(ctx context.Context, serverName string) (*oauth2.Token, error)
	SetOAuthToken(ctx context.Context, serverName string, t *oauth2.Token) error
	DeleteOAuthToken(ctx context.Context, serverName string) error
	GetClientRegistration(ctx context.Context, serverName string) (*ClientRegistration, error)
	SetClientRegistration(ctx context.Context, serverName string, reg *ClientRegistration) error
}
TokenStore is the persistence layer for OAuth tokens. Implemented by the KV store adapter in localtools/kvtokenstore.go.
func NewKVTokenStore
func NewKVTokenStore(kv KVStore) TokenStore
NewKVTokenStore returns a TokenStore backed by the provided KVStore.