actionmcp 0.52.2 → 0.54.0

data/lib/action_mcp/oauth/provider.rb

@@ -0,0 +1,390 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require "digest"
+require "base64"
+
+module ActionMCP
+  module OAuth
+    # OAuth 2.1 Provider implementation
+    # Handles authorization codes, access tokens, refresh tokens, and token validation
+    class Provider
+      class << self
+        # Generate authorization code for OAuth flow
+        # @param client_id [String] OAuth client identifier
+        # @param redirect_uri [String] Client redirect URI
+        # @param scope [String] Requested scope
+        # @param code_challenge [String] PKCE code challenge
+        # @param code_challenge_method [String] PKCE challenge method (S256, plain)
+        # @param user_id [String] User identifier
+        # @return [String] Authorization code
+        def generate_authorization_code(client_id:, redirect_uri:, scope:, code_challenge: nil, code_challenge_method: nil, user_id:)
+          # Validate scope
+          validate_scope(scope) if scope
+
+          code = SecureRandom.urlsafe_base64(32)
+
+          # Store authorization code with metadata
+          store_authorization_code(code, {
+            client_id: client_id,
+            redirect_uri: redirect_uri,
+            scope: scope,
+            code_challenge: code_challenge,
+            code_challenge_method: code_challenge_method,
+            user_id: user_id,
+            created_at: Time.current,
+            expires_at: 10.minutes.from_now
+          })
+
+          code
+        end
+
+        # Exchange authorization code for access token
+        # @param code [String] Authorization code
+        # @param client_id [String] OAuth client identifier
+        # @param client_secret [String] OAuth client secret (optional for public clients)
+        # @param redirect_uri [String] Client redirect URI
+        # @param code_verifier [String] PKCE code verifier
+        # @return [Hash] Token response with access_token, token_type, expires_in, scope
+        def exchange_code_for_token(code:, client_id:, client_secret: nil, redirect_uri:, code_verifier: nil)
+          # Retrieve and validate authorization code
+          code_data = retrieve_authorization_code(code)
+          raise InvalidGrantError, "Invalid authorization code" unless code_data
+          raise InvalidGrantError, "Authorization code expired" if code_data[:expires_at] < Time.current
+
+          # Validate client
+          validate_client(client_id, client_secret)
+
+          # Validate redirect URI matches
+          unless code_data[:redirect_uri] == redirect_uri
+            raise InvalidGrantError, "Redirect URI mismatch"
+          end
+
+          # Validate client ID matches
+          unless code_data[:client_id] == client_id
+            raise InvalidGrantError, "Client ID mismatch"
+          end
+
+          # Validate PKCE if challenge was provided during authorization
+          if code_data[:code_challenge]
+            validate_pkce(code_data[:code_challenge], code_data[:code_challenge_method], code_verifier)
+          end
+
+          # Generate access token
+          access_token = generate_access_token(
+            client_id: client_id,
+            scope: code_data[:scope],
+            user_id: code_data[:user_id]
+          )
+
+          # Generate refresh token if enabled
+          refresh_token = nil
+          if oauth_config["enable_refresh_tokens"]
+            refresh_token = generate_refresh_token(
+              client_id: client_id,
+              scope: code_data[:scope],
+              user_id: code_data[:user_id],
+              access_token: access_token
+            )
+          end
+
+          # Remove used authorization code
+          remove_authorization_code(code)
+
+          # Return token response
+          response = {
+            access_token: access_token,
+            token_type: "Bearer",
+            expires_in: token_expires_in,
+            scope: code_data[:scope]
+          }
+          response[:refresh_token] = refresh_token if refresh_token
+          response
+        end
+
+        # Refresh access token using refresh token
+        # @param refresh_token [String] Refresh token
+        # @param client_id [String] OAuth client identifier
+        # @param client_secret [String] OAuth client secret
+        # @param scope [String] Requested scope (optional, must be subset of original)
+        # @return [Hash] New token response
+        def refresh_access_token(refresh_token:, client_id:, client_secret: nil, scope: nil)
+          # Retrieve refresh token data
+          token_data = retrieve_refresh_token(refresh_token)
+          raise InvalidGrantError, "Invalid refresh token" unless token_data
+          raise InvalidGrantError, "Refresh token expired" if token_data[:expires_at] < Time.current
+
+          # Validate client
+          validate_client(client_id, client_secret)
+
+          # Validate client ID matches
+          unless token_data[:client_id] == client_id
+            raise InvalidGrantError, "Client ID mismatch"
+          end
+
+          # Validate scope if provided
+          if scope
+            requested_scopes = scope.split(" ")
+            original_scopes = token_data[:scope].split(" ")
+            unless (requested_scopes - original_scopes).empty?
+              raise InvalidScopeError, "Requested scope exceeds original scope"
+            end
+          else
+            scope = token_data[:scope]
+          end
+
+          # Revoke old access token
+          revoke_access_token(token_data[:access_token]) if token_data[:access_token]
+
+          # Generate new access token
+          access_token = generate_access_token(
+            client_id: client_id,
+            scope: scope,
+            user_id: token_data[:user_id]
+          )
+
+          # Update refresh token with new access token
+          update_refresh_token(refresh_token, access_token)
+
+          {
+            access_token: access_token,
+            token_type: "Bearer",
+            expires_in: token_expires_in,
+            scope: scope
+          }
+        end
+
+        # Validate access token and return token info
+        # @param access_token [String] Access token to validate
+        # @return [Hash] Token info with active, client_id, scope, user_id, exp
+        def introspect_token(access_token)
+          token_data = retrieve_access_token(access_token)
+
+          unless token_data
+            return { active: false }
+          end
+
+          if token_data[:expires_at] < Time.current
+            remove_access_token(access_token)
+            return { active: false }
+          end
+
+          {
+            active: true,
+            client_id: token_data[:client_id],
+            scope: token_data[:scope],
+            user_id: token_data[:user_id],
+            exp: token_data[:expires_at].to_i,
+            iat: token_data[:created_at].to_i,
+            token_type: "Bearer"
+          }
+        end
+
+        # Revoke access or refresh token
+        # @param token [String] Token to revoke
+        # @param token_type_hint [String] Type hint: "access_token" or "refresh_token"
+        # @return [Boolean] True if token was revoked
+        def revoke_token(token, token_type_hint: nil)
+          revoked = false
+
+          # Try access token first if hint suggests it or no hint provided
+          if token_type_hint == "access_token" || token_type_hint.nil?
+            if retrieve_access_token(token)
+              revoke_access_token(token)
+              revoked = true
+            end
+          end
+
+          # Try refresh token if not revoked yet
+          if !revoked && (token_type_hint == "refresh_token" || token_type_hint.nil?)
+            if retrieve_refresh_token(token)
+              revoke_refresh_token(token)
+              revoked = true
+            end
+          end
+
+          revoked
+        end
+
+        # Client Credentials Grant (for server-to-server)
+        # @param client_id [String] OAuth client identifier
+        # @param client_secret [String] OAuth client secret
+        # @param scope [String] Requested scope
+        # @return [Hash] Token response
+        def client_credentials_grant(client_id:, client_secret:, scope: nil)
+          unless oauth_config["enable_client_credentials"]
+            raise UnsupportedGrantTypeError, "Client credentials grant not supported"
+          end
+
+          # Validate client credentials
+          validate_client(client_id, client_secret, require_secret: true)
+
+          # Validate scope
+          if scope
+            validate_scope(scope)
+          else
+            scope = default_scope
+          end
+
+          # Generate access token (no user context for client credentials)
+          access_token = generate_access_token(
+            client_id: client_id,
+            scope: scope,
+            user_id: nil
+          )
+
+          {
+            access_token: access_token,
+            token_type: "Bearer",
+            expires_in: token_expires_in,
+            scope: scope
+          }
+        end
+
+        private
+
+        def oauth_config
+          @oauth_config ||= ActionMCP.configuration.oauth_config || {}
+        end
+
+        def validate_client(client_id, client_secret, require_secret: false)
+          # This should be implemented by the application
+          # For now, we'll use a simple validation approach
+          provider_class = oauth_config["provider"]
+          if provider_class && provider_class.respond_to?(:validate_client)
+            provider_class.validate_client(client_id, client_secret)
+          elsif require_secret && client_secret.nil?
+            raise InvalidClientError, "Client authentication required"
+          end
+          # Default: allow any client for development
+        end
+
+        def validate_pkce(code_challenge, method, code_verifier)
+          raise InvalidGrantError, "Code verifier required" unless code_verifier
+
+          case method
+          when "S256"
+            expected_challenge = Base64.urlsafe_encode64(
+              Digest::SHA256.digest(code_verifier), padding: false
+            )
+            unless code_challenge == expected_challenge
+              raise InvalidGrantError, "Invalid code verifier"
+            end
+          when "plain"
+            unless oauth_config["allow_plain_pkce"]
+              raise InvalidGrantError, "Plain PKCE not allowed"
+            end
+            unless code_challenge == code_verifier
+              raise InvalidGrantError, "Invalid code verifier"
+            end
+          else
+            raise InvalidGrantError, "Unsupported code challenge method"
+          end
+        end
+
+        def validate_scope(scope)
+          supported_scopes = oauth_config["scopes_supported"] || [ "mcp:tools", "mcp:resources", "mcp:prompts" ]
+          requested_scopes = scope.split(" ")
+          unsupported = requested_scopes - supported_scopes
+          if unsupported.any?
+            raise InvalidScopeError, "Unsupported scopes: #{unsupported.join(', ')}"
+          end
+        end
+
+        def default_scope
+          oauth_config["default_scope"] || "mcp:tools mcp:resources mcp:prompts"
+        end
+
+        def generate_access_token(client_id:, scope:, user_id:)
+          token = SecureRandom.urlsafe_base64(32)
+
+          store_access_token(token, {
+            client_id: client_id,
+            scope: scope,
+            user_id: user_id,
+            created_at: Time.current,
+            expires_at: token_expires_in.seconds.from_now
+          })
+
+          token
+        end
+
+        def generate_refresh_token(client_id:, scope:, user_id:, access_token:)
+          token = SecureRandom.urlsafe_base64(32)
+
+          store_refresh_token(token, {
+            client_id: client_id,
+            scope: scope,
+            user_id: user_id,
+            access_token: access_token,
+            created_at: Time.current,
+            expires_at: refresh_token_expires_in.seconds.from_now
+          })
+
+          token
+        end
+
+        def token_expires_in
+          oauth_config["access_token_expires_in"] || 3600 # 1 hour
+        end
+
+        def refresh_token_expires_in
+          oauth_config["refresh_token_expires_in"] || 7.days.to_i # 1 week
+        end
+
+        # Storage methods - these delegate to a configurable storage backend
+        def storage
+          @storage ||= begin
+            storage_class = oauth_config["storage"] || "ActionMCP::OAuth::MemoryStorage"
+            storage_class = storage_class.constantize if storage_class.is_a?(String)
+            storage_class.new
+          end
+        end
+
+        def store_authorization_code(code, data)
+          storage.store_authorization_code(code, data)
+        end
+
+        def retrieve_authorization_code(code)
+          storage.retrieve_authorization_code(code)
+        end
+
+        def remove_authorization_code(code)
+          storage.remove_authorization_code(code)
+        end
+
+        def store_access_token(token, data)
+          storage.store_access_token(token, data)
+        end
+
+        def retrieve_access_token(token)
+          storage.retrieve_access_token(token)
+        end
+
+        def remove_access_token(token)
+          storage.remove_access_token(token)
+        end
+
+        def revoke_access_token(token)
+          storage.remove_access_token(token)
+        end
+
+        def store_refresh_token(token, data)
+          storage.store_refresh_token(token, data)
+        end
+
+        def retrieve_refresh_token(token)
+          storage.retrieve_refresh_token(token)
+        end
+
+        def update_refresh_token(token, new_access_token)
+          storage.update_refresh_token(token, new_access_token)
+        end
+
+        def revoke_refresh_token(token)
+          storage.remove_refresh_token(token)
+        end
+      end
+    end
+  end
+end

data/lib/action_mcp/omniauth/mcp_strategy.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+require "omniauth-oauth2"
+
+module ActionMCP
+  module Omniauth
+    # MCP-specific Omniauth strategy for OAuth 2.1 authentication
+    # This strategy integrates with ActionMCP's configuration system and provider interface
+    class MCPStrategy < ::OmniAuth::Strategies::OAuth2
+      # Strategy name used in configuration
+      option :name, "mcp"
+
+      # Default OAuth options with MCP-specific settings
+      option :client_options, {
+        authorize_url: "/oauth/authorize",
+        token_url: "/oauth/token",
+        auth_scheme: :request_body
+      }
+
+      # OAuth 2.1 compliance - PKCE is required
+      option :pkce, true
+
+      # Default scopes for MCP access
+      option :scope, "mcp:tools mcp:resources mcp:prompts"
+
+      # Use authorization code grant flow
+      option :response_type, "code"
+
+      # OAuth server metadata discovery
+      option :discovery, true
+
+      def initialize(app, *args, &block)
+        super
+
+        # Load configuration from ActionMCP if available
+        configure_from_mcp_config if defined?(ActionMCP)
+      end
+
+      # User info from OAuth token response or userinfo endpoint
+      def raw_info
+        @raw_info ||= begin
+          if options.userinfo_url
+            access_token.get(options.userinfo_url).parsed
+          else
+            # Extract user info from token response or use minimal info
+            token_response = access_token.token
+            {
+              "sub" => access_token.params["user_id"] || access_token.token,
+              "scope" => access_token.params["scope"] || options.scope
+            }
+          end
+        end
+      rescue ::OAuth2::Error => e
+        log(:error, "Failed to fetch user info: #{e.message}")
+        {}
+      end
+
+      # User ID for Omniauth
+      uid { raw_info["sub"] || raw_info["user_id"] }
+
+      # User info hash
+      info do
+        {
+          name: raw_info["name"],
+          email: raw_info["email"],
+          username: raw_info["username"] || raw_info["preferred_username"]
+        }
+      end
+
+      # Extra credentials and token info
+      extra do
+        {
+          "raw_info" => raw_info,
+          "scope" => access_token.params["scope"],
+          "token_type" => access_token.params["token_type"] || "Bearer"
+        }
+      end
+
+      # OAuth server metadata discovery
+      def discovery_info
+        @discovery_info ||= begin
+          if options.discovery && options.client_options.site
+            discovery_url = "#{options.client_options.site}/.well-known/oauth-authorization-server"
+            response = client.request(:get, discovery_url)
+            JSON.parse(response.body)
+          end
+        rescue StandardError => e
+          log(:warn, "OAuth discovery failed: #{e.message}")
+          {}
+        end
+      end
+
+      # Override client to use discovered endpoints if available
+      def client
+        @client ||= begin
+          if discovery_info.any?
+            options.client_options.merge!(
+              authorize_url: discovery_info["authorization_endpoint"],
+              token_url: discovery_info["token_endpoint"]
+            ) if discovery_info["authorization_endpoint"] && discovery_info["token_endpoint"]
+          end
+          super
+        end
+      end
+
+      # Token validation for API requests (not callback flow)
+      def self.validate_token(token, options = {})
+        strategy = new(nil, options)
+        strategy.validate_token(token)
+      end
+
+      def validate_token(token)
+        # Validate access token with OAuth server
+        return nil unless token
+
+        begin
+          response = client.request(:post, options.introspection_url || "/oauth/introspect", {
+            body: { token: token },
+            headers: { "Content-Type" => "application/x-www-form-urlencoded" }
+          })
+
+          token_info = JSON.parse(response.body)
+          return nil unless token_info["active"]
+
+          token_info
+        rescue StandardError => e
+          log(:error, "Token validation failed: #{e.message}")
+          nil
+        end
+      end
+
+      private
+
+      # Configure strategy from ActionMCP configuration
+      def configure_from_mcp_config
+        oauth_config = ActionMCP.configuration.oauth_config
+        return unless oauth_config.is_a?(Hash)
+
+        # Set client options from MCP config
+        if oauth_config["issuer_url"]
+          options.client_options[:site] = oauth_config["issuer_url"]
+        end
+
+        if oauth_config["client_id"]
+          options.client_id = oauth_config["client_id"]
+        end
+
+        if oauth_config["client_secret"]
+          options.client_secret = oauth_config["client_secret"]
+        end
+
+        if oauth_config["scopes_supported"]
+          options.scope = Array(oauth_config["scopes_supported"]).join(" ")
+        end
+
+        # Enable PKCE if required (OAuth 2.1 compliance)
+        if oauth_config["pkce_required"]
+          options.pkce = true
+        end
+
+        # Set userinfo endpoint if provided
+        if oauth_config["userinfo_endpoint"]
+          options.userinfo_url = oauth_config["userinfo_endpoint"]
+        end
+
+        # Set token introspection endpoint
+        if oauth_config["introspection_endpoint"]
+          options.introspection_url = oauth_config["introspection_endpoint"]
+        end
+      end
+    end
+  end
+end
+
+# Register the strategy with Omniauth
+OmniAuth.config.add_camelization "mcp", "MCP"

data/lib/action_mcp/version.rb

@@ -2,7 +2,7 @@
 
 require_relative "gem_version"
 module ActionMCP
-  VERSION = "0.52.2"
+  VERSION = "0.54.0"
 
   class << self
     alias version gem_version

data/lib/action_mcp.rb

@@ -13,6 +13,10 @@ require "action_mcp/log_subscriber"
 require "action_mcp/engine"
 require "zeitwerk"
 
+# OAuth 2.1 support via Omniauth
+require "omniauth"
+require "omniauth-oauth2"
+
 lib = File.dirname(__FILE__)
 
 Zeitwerk::Loader.for_gem.tap do |loader|
@@ -25,8 +29,9 @@ Zeitwerk::Loader.for_gem.tap do |loader|
 
   loader.inflector.inflect("action_mcp" => "ActionMCP")
   loader.inflector.inflect("sse_client" => "SSEClient")
-  loader.inflector.inflect("sse_server" => "SSEServer")
   loader.inflector.inflect("sse_listener" => "SSEListener")
+  loader.inflector.inflect("oauth" => "OAuth")
+  loader.inflector.inflect("mcp_strategy" => "MCPStrategy")
 end.setup
 
 module ActionMCP

data/lib/generators/action_mcp/install/install_generator.rb

@@ -7,6 +7,8 @@ module ActionMcp
     class InstallGenerator < Rails::Generators::Base
       source_root File.expand_path("templates", __dir__)
 
+      desc "Install ActionMCP with base classes and configuration"
+
       def create_application_prompt_file
         template "application_mcp_prompt.rb", File.join("app/mcp/prompts", "application_mcp_prompt.rb")
       end
@@ -20,13 +22,42 @@ module ActionMcp
                  File.join("app/mcp/resource_templates", "application_mcp_res_template.rb")
       end
 
-      def create_mcp_profile_file
+      def create_mcp_configuration_file
         template "mcp.yml", File.join("config", "mcp.yml")
       end
 
       def create_application_gateway_file
         template "application_gateway.rb", File.join("app/mcp", "application_gateway.rb")
       end
+
+      def show_instructions
+        say ""
+        say "ActionMCP has been installed successfully!"
+        say ""
+        say "Files created:"
+        say "  - app/mcp/prompts/application_mcp_prompt.rb"
+        say "  - app/mcp/tools/application_mcp_tool.rb"
+        say "  - app/mcp/resource_templates/application_mcp_res_template.rb"
+        say "  - app/mcp/application_gateway.rb"
+        say "  - config/mcp.yml"
+        say ""
+        say "Configuration:"
+        say "  The mcp.yml file contains authentication, profiles, and adapter settings."
+        say "  You can customize authentication methods, OAuth settings, and PubSub adapters."
+        say ""
+        say "Available adapters:"
+        say "  - simple      : In-memory adapter for development"
+        say "  - test        : Test adapter for testing environments"
+        say "  - solid_cable : Database-backed adapter (requires solid_cable gem)"
+        say "  - redis       : Redis-backed adapter (requires redis gem)"
+        say ""
+        say "Next steps:"
+        say "  1. Generate your first tool: rails generate action_mcp:tool MyTool"
+        say "  2. Generate your first prompt: rails generate action_mcp:prompt MyPrompt"
+        say "  3. Generate your first resource template: rails generate action_mcp:resource_template MyResource"
+        say "  4. Start the MCP server: bundle exec rails s -c mcp.ru -p 62770"
+        say ""
+      end
     end
   end
 end