feat: allow OIDC configuration for OAuth server #585
Conversation
|
@joshcanhelp I've encountered this issue myself while integrating with my Authorization Server, so I appreciate the work on this - thanks! I have a quick question: As an MCP server developer (who doesn't control the MCP client and isn't using For me currently, the MCP client fails with a 404, and after this PR is merged, it seems like MCP server developer will need a way to instruct the MCP client to set Hope that makes sense. |
|
@shays10 - Happy to help! You can see what I'm doing in the Your reply says you don't control the client so that's going to make this challenging. What client are you using? Does it use this SDK? |
@joshcanhelp Ideally, and please correct me if I’m overlooking something, this should be client-agnostic. As a MCP server developer exposing the I can think of a couple of potential approaches, though I’m unsure of their validity:
I’m still wrapping my head around this, curious if this direction makes any sense. |
62f110d to
10959c2
Compare
|
@shays10 - We're kind of running into the problem with this not being spelled out in the spec. IMHO, both should be supported since they share the properties that make this work and they are there to direct clients on what to do. Best path forward here is to spell it out in the spec:
In the end, neither the MCP Client (Client going forward) nor the MCP Server (Server going forward) should care at all where the metadata is located. The Client checks the Server metadata, Server points to the Auth server, Client knows where to get metadata because of the spec, everything works. In short, I think your option 2 makes the most sense overall. I'm hoping this SDK can be updated for that to unblock those of us that need it, then it can make it in the spec. |
The MCP authorization spec relies on a specific metadata URL to be published by the authorization server, as described in RFC 8414. There is also a metadata endpoint that's used for OIDC discovery that has very similar information:
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
It seems like either could be used for AS metadata, especially since the client could be trying to obtain an identity. I don't want to run afoul of the MCP spec but this seems like it serves the same purpose and would be a good stop-gap in case an identity provider does not publish the OAuth-specific endpoint.
Motivation and Context
I am using Auth0 as an identity provider and they publish the OIDC endpoint:
http://auth0.auth0.com/.well-known/openid-configuration
... but not the OAuth one:
https://auth0.auth0.com/.well-known/oauth-authorization-server
How Has This Been Tested?
npm testand I ran it locally using this:geelen/mcp-remote#102
Breaking Changes
The
OAuthClientProvider.useOidcProviderConfiguration()method should probably be a getter but that would make this breaking since you can't have an optional getter in TS. So, no, no breaking changes.Types of changes
Checklist
Additional context
The differences between the OpenID and OAuth metadata are minimal and are mainly things that the OpenID config has that the OAuth one doesn't (for Okta it's the
id_token_signing_alg_values_supported,jwks_uri, anduserinfo_endpointproperties). In other words, the OpenID one can be used as-is. Everything that is required for the OAuth metadata is also required for the OpenID one:issuerauthorization_endpointtoken_endpointresponse_types_supported