actionmcp 0.71.1 → 0.80.0

data/lib/generators/action_mcp/install/templates/application_gateway.rb

@@ -1,40 +1,90 @@
 # frozen_string_literal: true
 
+# Application Gateway - configure your authentication identifiers here
+#
+# The Gateway reads from request.env keys set by upstream middleware
+# (like Warden, Devise, or custom auth middleware) through identifier classes.
+#
+# ActionMCP provides ready-to-use identifier examples for common authentication patterns.
+# You can use them directly or customize them for your needs.
+
 class ApplicationGateway < ActionMCP::Gateway
-  # Specify what attributes identify a connection
-  # Multiple identifiers can be used (e.g., user, account, organization)
-  identified_by :user
-
-  protected
-
-  # Override this method to implement your authentication logic
-  # Must return a hash with keys matching the identified_by attributes
-  # or raise ActionMCP::UnauthorizedError
-  def authenticate!
-    # Example using JWT:
-    token = extract_bearer_token
-    raise ActionMCP::UnauthorizedError, "Missing token" unless token
-
-    payload = ActionMCP::JwtDecoder.decode(token)
-    user = resolve_user(payload)
-
-    raise ActionMCP::UnauthorizedError, "Unauthorized" unless user
-
-    # Return a hash with all identified_by attributes
-    { user: user }
-  rescue ActionMCP::JwtDecoder::DecodeError => e
-    raise ActionMCP::UnauthorizedError, e.message
-  end
-
-  private
-
-  # Example method to resolve user from JWT payload
-  def resolve_user(payload)
-    return nil unless payload.is_a?(Hash)
-    user_id = payload["user_id"] || payload["sub"]
-    return nil unless user_id
-
-    # Replace with your User model lookup
-    User.find_by(id: user_id)
-  end
+  # Register your identifier classes in order of preference
+  # The first successful identifier will be used
+
+  # Option 1: Use built-in identifiers (recommended for common patterns)
+  # identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier  # For Warden/Devise
+  # identified_by ActionMCP::GatewayIdentifiers::ApiKeyIdentifier  # For API key auth
+  # identified_by ActionMCP::GatewayIdentifiers::RequestEnvIdentifier  # For custom headers
+
+  # Option 2: Use multiple auth methods (tries in order)
+  # identified_by ActionMCP::GatewayIdentifiers::WardenIdentifier,
+  #               ActionMCP::GatewayIdentifiers::ApiKeyIdentifier
+
+  # Option 3: Create custom identifiers (see examples below)
+  # identified_by CustomUserIdentifier, CustomAdminIdentifier
 end
+
+# Custom identifier examples - uncomment and customize as needed:
+
+# Example: Custom Warden/Devise identifier
+# class CustomUserIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :user
+#   authenticates :custom_warden
+#
+#   def resolve
+#     user = user_from_middleware
+#     raise Unauthorized, "No authenticated user found" unless user
+#
+#     # Add custom validation
+#     raise Unauthorized, "User account suspended" if user.suspended?
+#
+#     user
+#   end
+# end
+
+# Example: Custom API Key identifier with rate limiting
+# class CustomApiKeyIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :user
+#   authenticates :custom_api_key
+#
+#   def resolve
+#     api_key = extract_api_key
+#     raise Unauthorized, "Missing API key" unless api_key
+#
+#     user = User.find_by(api_key: api_key)
+#     raise Unauthorized, "Invalid API key" unless user
+#
+#     # Add rate limiting check
+#     if rate_limited?(user)
+#       raise Unauthorized, "Rate limit exceeded"
+#     end
+#
+#     user
+#   end
+#
+#   private
+#
+#   def rate_limited?(user)
+#     # Implement your rate limiting logic
+#     false
+#   end
+# end
+
+# Example: Admin-only identifier
+# class AdminIdentifier < ActionMCP::GatewayIdentifier
+#   identifier :admin
+#   authenticates :admin_token
+#
+#   def resolve
+#     token = extract_bearer_token
+#     raise Unauthorized, "Missing admin token" unless token
+#
+#     admin = Admin.find_by(access_token: token)
+#     raise Unauthorized, "Invalid admin token" unless admin
+#
+#     raise Unauthorized, "Admin access revoked" unless admin.active?
+#
+#     admin
+#   end
+# end

data/lib/generators/action_mcp/install/templates/mcp.yml

@@ -16,14 +16,6 @@ shared:
   # Server-specific session store type (falls back to session_store_type if not specified)
   # server_session_store_type: active_record
 
-  # OAuth configuration (if using OAuth authentication)
-  # oauth:
-  #   provider: "demo_oauth_provider"
-  #   scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
-  #   enable_dynamic_registration: true
-  #   enable_token_revocation: true
-  #   pkce_required: true
-  #   issuer_url: https://yourapp.com
 
   # MCP capability profiles
   profiles:
@@ -67,8 +59,8 @@ development:
 
 # Test environment
 test:
-  # JWT authentication for testing environment
-  authentication: ["jwt"]
+  # No authentication for testing environment
+  authentication: ["none"]
 
   # Test adapter for testing
   adapter: test
@@ -78,17 +70,8 @@ test:
 
 # Production environment
 production:
-  # Multiple authentication methods - try OAuth first, fallback to JWT
-  authentication: ["oauth", "jwt"]
-
-  # OAuth configuration for production
-  oauth:
-    provider: "application_oauth_provider"  # Your custom provider class
-    scopes_supported: ["mcp:tools", "mcp:resources", "mcp:prompts"]
-    enable_dynamic_registration: true
-    enable_token_revocation: true
-    pkce_required: true
-    issuer_url: https://yourapp.com
+  # Configure authentication methods for production (customize as needed)
+  authentication: ["none"]
 
   # Additional production profiles for external clients
   profiles:

data/lib/tasks/action_mcp_tasks.rake

@@ -175,7 +175,7 @@ namespace :action_mcp do
     # Authentication
     puts "\n\e[36mAuthentication:\e[0m"
     puts "  Methods: #{config.authentication_methods.join(', ')}"
-    if config.oauth_config && config.oauth_config.any?
+    if config.oauth_config&.any?
       puts "  OAuth Provider: #{config.oauth_config['provider']}"
       puts "  OAuth Scopes: #{config.oauth_config['scopes_supported']&.join(', ')}"
     end
@@ -236,7 +236,7 @@ namespace :action_mcp do
       total_sessions = ActionMCP::Session.count
       puts "  Total Sessions: #{total_sessions}"
 
-      if total_sessions > 0
+      if total_sessions.positive?
         # Sessions by status
         sessions_by_status = ActionMCP::Session.group(:status).count
         puts "  Sessions by Status:"
@@ -282,7 +282,7 @@ namespace :action_mcp do
         total_messages = ActionMCP::Session::Message.count
         puts "  Total Messages: #{total_messages}"
 
-        if total_messages > 0
+        if total_messages.positive?
           # Messages by direction
           messages_by_direction = ActionMCP::Session::Message.group(:direction).count
           puts "  Messages by Direction:"
@@ -291,7 +291,9 @@ namespace :action_mcp do
           end
 
           # Messages by type
-          messages_by_type = ActionMCP::Session::Message.group(:message_type).count.sort_by { |_type, count| -count }.first(10)
+          messages_by_type = ActionMCP::Session::Message.group(:message_type).count.sort_by do |_type, count|
+            -count
+          end.first(10)
           puts "  Top Message Types:"
           messages_by_type.each do |type, count|
             puts "    #{type}: #{count}"
@@ -316,7 +318,7 @@ namespace :action_mcp do
         total_events = ActionMCP::Session::SSEEvent.count
         puts "  Total SSE Events: #{total_events}"
 
-        if total_events > 0
+        if total_events.positive?
           # Recent events
           recent_events = ActionMCP::Session::SSEEvent.where("created_at > ?", 1.hour.ago).count
           puts "  SSE Events (Last Hour): #{recent_events}"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actionmcp
 version: !ruby/object:Gem::Version
-  version: 0.71.1
+  version: 0.80.0
 platform: ruby
 authors:
 - Abdelkader Boudih
@@ -93,48 +93,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
-- !ruby/object:Gem::Dependency
-  name: jwt
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.10'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.10'
-- !ruby/object:Gem::Dependency
-  name: omniauth
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.1'
-- !ruby/object:Gem::Dependency
-  name: omniauth-oauth2
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.7'
 - !ruby/object:Gem::Dependency
   name: ostruct
   requirement: !ruby/object:Gem::Requirement
@@ -149,34 +107,6 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
-  name: faraday
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '2.7'
-- !ruby/object:Gem::Dependency
-  name: pkce_challenge
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: json_schemer
   requirement: !ruby/object:Gem::Requirement
@@ -191,8 +121,9 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
-description: It offers base classes and helpers for creating MCP applications, making
-  it easier to integrate your Ruby/Rails application with the MCP standard
+description: A streamlined, production-focused toolkit for building MCP servers in
+  Rails applications. Provides essential base classes, authentication gateways, and
+  HTTP transport with minimal dependencies.
 email:
 - terminale@gmail.com
 executables:
@@ -204,13 +135,8 @@ files:
 - README.md
 - Rakefile
 - app/controllers/action_mcp/application_controller.rb
-- app/controllers/action_mcp/oauth/endpoints_controller.rb
-- app/controllers/action_mcp/oauth/metadata_controller.rb
-- app/controllers/action_mcp/oauth/registration_controller.rb
 - app/models/action_mcp.rb
 - app/models/action_mcp/application_record.rb
-- app/models/action_mcp/oauth_client.rb
-- app/models/action_mcp/oauth_token.rb
 - app/models/action_mcp/session.rb
 - app/models/action_mcp/session/message.rb
 - app/models/action_mcp/session/resource.rb
@@ -220,9 +146,8 @@ files:
 - app/models/concerns/mcp_message_inspect.rb
 - config/routes.rb
 - db/migrate/20250512154359_consolidated_migration.rb
-- db/migrate/20250608112101_add_oauth_to_sessions.rb
-- db/migrate/20250708105124_create_action_mcp_oauth_clients.rb
-- db/migrate/20250708105226_create_action_mcp_oauth_tokens.rb
+- db/migrate/20250715070713_add_consents_to_action_mcp_sess.rb
+- db/migrate/20250727000001_remove_oauth_support.rb
 - exe/actionmcp_cli
 - lib/action_mcp.rb
 - lib/action_mcp/base_response.rb
@@ -236,11 +161,8 @@ files:
 - lib/action_mcp/client/collection.rb
 - lib/action_mcp/client/elicitation.rb
 - lib/action_mcp/client/json_rpc_handler.rb
-- lib/action_mcp/client/jwt_client_provider.rb
 - lib/action_mcp/client/logging.rb
 - lib/action_mcp/client/messaging.rb
-- lib/action_mcp/client/oauth_client_provider.rb
-- lib/action_mcp/client/oauth_client_provider/memory_storage.rb
 - lib/action_mcp/client/prompt_book.rb
 - lib/action_mcp/client/prompts.rb
 - lib/action_mcp/client/request_timeouts.rb
@@ -271,25 +193,19 @@ files:
 - lib/action_mcp/filtered_logger.rb
 - lib/action_mcp/gateway.rb
 - lib/action_mcp/gateway_identifier.rb
+- lib/action_mcp/gateway_identifiers.rb
+- lib/action_mcp/gateway_identifiers/api_key_identifier.rb
+- lib/action_mcp/gateway_identifiers/devise_identifier.rb
+- lib/action_mcp/gateway_identifiers/request_env_identifier.rb
+- lib/action_mcp/gateway_identifiers/warden_identifier.rb
 - lib/action_mcp/gem_version.rb
 - lib/action_mcp/instrumentation/controller_runtime.rb
 - lib/action_mcp/instrumentation/instrumentation.rb
 - lib/action_mcp/instrumentation/resource_instrumentation.rb
 - lib/action_mcp/integer_array.rb
 - lib/action_mcp/json_rpc_handler_base.rb
-- lib/action_mcp/jwt_decoder.rb
-- lib/action_mcp/jwt_identifier.rb
 - lib/action_mcp/log_subscriber.rb
 - lib/action_mcp/logging.rb
-- lib/action_mcp/none_identifier.rb
-- lib/action_mcp/o_auth_identifier.rb
-- lib/action_mcp/oauth.rb
-- lib/action_mcp/oauth/active_record_storage.rb
-- lib/action_mcp/oauth/error.rb
-- lib/action_mcp/oauth/memory_storage.rb
-- lib/action_mcp/oauth/middleware.rb
-- lib/action_mcp/oauth/provider.rb
-- lib/action_mcp/omniauth/mcp_strategy.rb
 - lib/action_mcp/prompt.rb
 - lib/action_mcp/prompt_response.rb
 - lib/action_mcp/prompts_registry.rb
@@ -303,6 +219,8 @@ files:
 - lib/action_mcp/server.rb
 - lib/action_mcp/server/active_record_session_store.rb
 - lib/action_mcp/server/base_messaging.rb
+- lib/action_mcp/server/base_session.rb
+- lib/action_mcp/server/base_session_store.rb
 - lib/action_mcp/server/capabilities.rb
 - lib/action_mcp/server/configuration.rb
 - lib/action_mcp/server/elicitation.rb
@@ -310,11 +228,10 @@ files:
 - lib/action_mcp/server/error_handling.rb
 - lib/action_mcp/server/handlers/prompt_handler.rb
 - lib/action_mcp/server/handlers/resource_handler.rb
+- lib/action_mcp/server/handlers/router.rb
 - lib/action_mcp/server/handlers/tool_handler.rb
 - lib/action_mcp/server/json_rpc_handler.rb
-- lib/action_mcp/server/memory_session.rb
-- lib/action_mcp/server/messaging.rb
-- lib/action_mcp/server/notifications.rb
+- lib/action_mcp/server/messaging_service.rb
 - lib/action_mcp/server/prompts.rb
 - lib/action_mcp/server/registry_management.rb
 - lib/action_mcp/server/resources.rb
@@ -344,6 +261,8 @@ files:
 - lib/action_mcp/uri_ambiguity_checker.rb
 - lib/action_mcp/version.rb
 - lib/actionmcp.rb
+- lib/generators/action_mcp/identifier/identifier_generator.rb
+- lib/generators/action_mcp/identifier/templates/identifier.rb.erb
 - lib/generators/action_mcp/install/install_generator.rb
 - lib/generators/action_mcp/install/templates/application_gateway.rb
 - lib/generators/action_mcp/install/templates/application_mcp_prompt.rb
@@ -381,6 +300,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.9
 specification_version: 4
-summary: Provides essential tooling for building Model Context Protocol (MCP) capable
-  servers
+summary: Lightweight Model Context Protocol (MCP) server toolkit for Ruby/Rails
 test_files: []

data/app/controllers/action_mcp/oauth/endpoints_controller.rb

@@ -1,264 +0,0 @@
-# frozen_string_literal: true
-
-require "ostruct"
-
-module ActionMCP
-  module OAuth
-    # OAuth 2.1 endpoints controller
-    # Handles authorization, token, introspection, and revocation endpoints
-    class EndpointsController < ActionController::Base
-      protect_from_forgery with: :null_session
-      before_action :check_oauth_enabled
-
-      # GET /oauth/authorize
-      # Authorization endpoint for OAuth 2.1 authorization code flow
-      def authorize
-        # Extract parameters
-        client_id = params[:client_id]
-        redirect_uri = params[:redirect_uri]
-        response_type = params[:response_type]
-        scope = params[:scope]
-        state = params[:state]
-        code_challenge = params[:code_challenge]
-        code_challenge_method = params[:code_challenge_method]
-
-        # Validate required parameters
-        if client_id.blank? || redirect_uri.blank? || response_type.blank?
-          return render_error("invalid_request", "Missing required parameters")
-        end
-
-        # Validate response type
-        unless response_type == "code"
-          return render_error("unsupported_response_type", "Only authorization code flow supported")
-        end
-
-        # Validate PKCE if required
-        if oauth_config["pkce_required"] && code_challenge.blank?
-          return render_error("invalid_request", "PKCE required")
-        end
-
-        # In a real implementation, this would show a consent page
-        # For now, we'll auto-approve for configured clients
-        if auto_approve_client?(client_id)
-          # Generate authorization code
-          user_id = current_user&.id || "anonymous"
-
-          begin
-            code = ActionMCP::OAuth::Provider.generate_authorization_code(
-              client_id: client_id,
-              redirect_uri: redirect_uri,
-              scope: scope || default_scope,
-              code_challenge: code_challenge,
-              code_challenge_method: code_challenge_method,
-              user_id: user_id
-            )
-
-            # Redirect back to client with authorization code
-            redirect_params = { code: code }
-            redirect_params[:state] = state if state
-            redirect_to "#{redirect_uri}?#{redirect_params.to_query}", allow_other_host: true
-          rescue ActionMCP::OAuth::Error => e
-            render_error(e.oauth_error_code, e.message)
-          end
-        else
-          # In production, show consent page
-          render_consent_page(client_id, redirect_uri, scope, state, code_challenge, code_challenge_method)
-        end
-      end
-
-      # POST /oauth/token
-      # Token endpoint for exchanging authorization codes and refreshing tokens
-      def token
-        grant_type = params[:grant_type]
-
-        case grant_type
-        when "authorization_code"
-          handle_authorization_code_grant
-        when "refresh_token"
-          handle_refresh_token_grant
-        when "client_credentials"
-          handle_client_credentials_grant
-        else
-          render_token_error("unsupported_grant_type", "Unsupported grant type")
-        end
-      rescue ActionMCP::OAuth::Error => e
-        render_token_error(e.oauth_error_code, e.message)
-      end
-
-      # POST /oauth/introspect
-      # Token introspection endpoint (RFC 7662)
-      def introspect
-        token = params[:token]
-        return render_introspection_error unless token
-
-        # Authenticate client for introspection
-        client_id, client_secret = extract_client_credentials
-        return render_introspection_error unless client_id
-
-        begin
-          token_info = ActionMCP::OAuth::Provider.introspect_token(token)
-          render json: token_info
-        rescue ActionMCP::OAuth::Error
-          render json: { active: false }
-        end
-      end
-
-      # POST /oauth/revoke
-      # Token revocation endpoint (RFC 7009)
-      def revoke
-        token = params[:token]
-        token_type_hint = params[:token_type_hint]
-
-        return head :bad_request unless token
-
-        # Authenticate client
-        client_id, client_secret = extract_client_credentials
-        return head :unauthorized unless client_id
-
-        begin
-          ActionMCP::OAuth::Provider.revoke_token(token, token_type_hint: token_type_hint)
-          head :ok
-        rescue ActionMCP::OAuth::Error
-          head :bad_request
-        end
-      end
-
-      private
-
-      def check_oauth_enabled
-        auth_methods = ActionMCP.configuration.authentication_methods
-        unless auth_methods&.include?("oauth")
-          head :not_found
-        end
-      end
-
-      def oauth_config
-        @oauth_config ||= ActionMCP.configuration.oauth_config || {}
-      end
-
-      def handle_authorization_code_grant
-        code = params[:code]
-        client_id = params[:client_id]
-        client_secret = params[:client_secret]
-        redirect_uri = params[:redirect_uri]
-        code_verifier = params[:code_verifier]
-
-        # Extract client credentials from Authorization header if not in params
-        if client_id.blank?
-          client_id, client_secret = extract_client_credentials
-        end
-
-        return render_token_error("invalid_request", "Missing required parameters") if code.blank? || client_id.blank?
-
-        token_response = ActionMCP::OAuth::Provider.exchange_code_for_token(
-          code: code,
-          client_id: client_id,
-          client_secret: client_secret,
-          redirect_uri: redirect_uri,
-          code_verifier: code_verifier
-        )
-
-        render json: token_response
-      end
-
-      def handle_refresh_token_grant
-        refresh_token = params[:refresh_token]
-        scope = params[:scope]
-
-        # Extract client credentials
-        client_id, client_secret = extract_client_credentials
-        client_id ||= params[:client_id]
-        client_secret ||= params[:client_secret]
-
-        return render_token_error("invalid_request", "Missing required parameters") if refresh_token.blank? || client_id.blank?
-
-        token_response = ActionMCP::OAuth::Provider.refresh_access_token(
-          refresh_token: refresh_token,
-          client_id: client_id,
-          client_secret: client_secret,
-          scope: scope
-        )
-
-        render json: token_response
-      end
-
-      def handle_client_credentials_grant
-        scope = params[:scope]
-
-        # Extract client credentials
-        client_id, client_secret = extract_client_credentials
-        client_id ||= params[:client_id]
-        client_secret ||= params[:client_secret]
-
-        return render_token_error("invalid_request", "Missing client credentials") if client_id.blank?
-
-        token_response = ActionMCP::OAuth::Provider.client_credentials_grant(
-          client_id: client_id,
-          client_secret: client_secret,
-          scope: scope
-        )
-
-        render json: token_response
-      end
-
-      def extract_client_credentials
-        auth_header = request.headers["Authorization"]
-        if auth_header&.start_with?("Basic ")
-          encoded = auth_header.split(" ", 2).last
-          decoded = Base64.decode64(encoded)
-          decoded.split(":", 2)
-        else
-          [ nil, nil ]
-        end
-      end
-
-      def auto_approve_client?(client_id)
-        # In development/testing, auto-approve known clients
-        # In production, this should check a proper client registry
-        Rails.env.development? || Rails.env.test? || oauth_config["auto_approve_clients"]&.include?(client_id)
-      end
-
-      def current_user
-        # This should be implemented by the application
-        # For now, return a default user for development
-        if Rails.env.development? || Rails.env.test?
-          OpenStruct.new(id: "dev_user", email: "dev@example.com")
-        else
-          # In production, this should integrate with your authentication system
-          nil
-        end
-      end
-
-      def default_scope
-        oauth_config["default_scope"] || "mcp:tools mcp:resources mcp:prompts"
-      end
-
-      def render_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-
-      def render_token_error(error_code, description)
-        render json: {
-          error: error_code,
-          error_description: description
-        }, status: :bad_request
-      end
-
-      def render_introspection_error
-        render json: { active: false }, status: :bad_request
-      end
-
-      def render_consent_page(client_id, redirect_uri, scope, state, code_challenge, code_challenge_method)
-        # In production, this would render a proper consent page
-        # For now, just auto-deny unknown clients
-        render json: {
-          error: "access_denied",
-          error_description: "User denied authorization"
-        }, status: :forbidden
-      end
-    end
-  end
-end