UNPKG

@kya-os/mcp-i

Version:

The TypeScript MCP framework with identity features built-in

github.com/modelcontextprotocol-identity/mcp-i

modelcontextprotocol-identity/mcp-i

160 lines (159 loc) 6.85 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.ProxyOAuthServerProvider = void 0; const memory_storage_1 = require("../storage/memory-storage"); class ProxyOAuthServerProvider { config; storage; constructor(config) { this.config = config; // fallback to memory storage // ideally this would be used in a development environment, could be set with a flag // since we are providing storage on Redis (to do) we may want to fallback to this in dev // does not scale to prod tho, so we should be validating that we prevent that from happening this.storage = config.storage || new memory_storage_1.MemoryOAuthStorage(); } // Expose config for router access get endpoints() { return this.config.endpoints; } async verifyAccessToken(token) { if (this.config.verifyAccessToken) { return await this.config.verifyAccessToken(token); } // Fallback to storage lookup or external verification const storedToken = await this.storage.tokens.getToken(token); if (storedToken) { return storedToken; } // If not found in storage, verify with external provider return await this.verifyTokenWithProvider(token); } async authorize(params) { const { client_id, redirect_uri, response_type, scope, state } = params; // Let Auth0 handle all client validation - just build the authorization URL const authUrl = new URL(this.config.endpoints.authorizationUrl); authUrl.searchParams.set("response_type", response_type); authUrl.searchParams.set("client_id", client_id); authUrl.searchParams.set("redirect_uri", redirect_uri); if (scope) { authUrl.searchParams.set("scope", scope); } else if (this.config.defaultScopes) { authUrl.searchParams.set("scope", this.config.defaultScopes.join(" ")); } if (state) { authUrl.searchParams.set("state", state); } return authUrl.toString(); } async token(params) { const { grant_type, client_id, client_secret, code, redirect_uri, refresh_token, } = params; try { // Forward token request to external provider (let Auth0 handle client validation) const response = await fetch(this.config.endpoints.tokenUrl, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json", }, body: new URLSearchParams({ grant_type, client_id, ...(client_secret && { client_secret }), ...(code && { code }), ...(redirect_uri && { redirect_uri }), ...(refresh_token && { refresh_token }), }), }); const tokenData = await response.json(); if (!response.ok) { throw this.createOAuthError(tokenData.error || "server_error", tokenData.error_description || "Token exchange failed"); } // Store token in our storage if we have access_token if (tokenData.access_token) { const accessToken = { token: tokenData.access_token, clientId: client_id, scopes: tokenData.scope ? tokenData.scope.split(" ") : [], expiresAt: tokenData.expires_in ? new Date(Date.now() + tokenData.expires_in * 1000) : undefined, refreshToken: tokenData.refresh_token, }; await this.storage.tokens.saveToken(accessToken); } return tokenData; } catch (error) { if (error instanceof Error && error.message.includes("invalid_")) { throw error; } throw this.createOAuthError("server_error", "Failed to exchange token"); } } async revoke(params) { const { token, token_type_hint, client_id, client_secret } = params; // Remove from our storage first await this.storage.tokens.deleteToken(token); // If external provider supports revocation, forward the request if (this.config.endpoints.revocationUrl) { try { const response = await fetch(this.config.endpoints.revocationUrl, { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json", }, body: new URLSearchParams({ token, ...(token_type_hint && { token_type_hint }), ...(client_id && { client_id }), ...(client_secret && { client_secret }), }), }); if (!response.ok) { console.warn("Failed to revoke token with external provider:", response.statusText); } } catch (error) { console.warn("Error revoking token with external provider:", error); } } } async verifyTokenWithProvider(token) { // If external provider has a userinfo endpoint, we can use it to verify the token if (this.config.endpoints.userInfoUrl) { try { const response = await fetch(this.config.endpoints.userInfoUrl, { headers: { Authorization: `Bearer ${token}`, Accept: "application/json", }, }); if (response.ok) { // Token is valid, create a basic AccessToken object return { token, clientId: "external", // We might not know the exact client ID scopes: [], // We might not know the exact scopes }; } } catch (error) { console.warn("Error verifying token with external provider:", error); } } throw this.createOAuthError("invalid_token", "Token verification failed"); } createOAuthError(error, description) { const oauthError = { error, error_description: description, }; const errorObj = new Error(description || error); errorObj.oauth = oauthError; return errorObj; } } exports.ProxyOAuthServerProvider = ProxyOAuthServerProvider;