mcp-auth 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2f3afa0eeb6e176bc47801df4caf7b5298646f86c53c2607b2ac28781abe1f83
-  data.tar.gz: 0bbb349fcb1ac5b8ad142946f742a1e75bb9ebdcf11f041f2c9eaf081b8b9d5f
+  metadata.gz: 4640ff06bc400ec8ec8b2869a90194a1ec6d89de1772ae23f4056cf4bfcb2d54
+  data.tar.gz: 7f55acb2a222a430ecc1552b9073b71613a6b52f506f15b54224cc71fef66e24
 SHA512:
-  metadata.gz: b51073154b563e332913f9a08773acd618858b9a6e067ddb4145ddc73a2a5da86c830c93b75a87fc496e6c7e35ac8e064f18cd3fbabec8920fb3f17dea5a8545
-  data.tar.gz: 2f003c85cfa923ea611550c0d2c0f7a86b7c8c7e98ec1d64d2de2c25e50a295b1577209ef3cc500f0168c53135de56763580c94e946d9a6e31c16c72f77f283d
+  metadata.gz: f7719d166eacb474ddd2769d4ea2dfeab40eea73592d5e284136f5036b06bb91bec299f6edf4527808ce0d5ec2cf5870e5a97c253bbb0f0a806851549f4c5306
+  data.tar.gz: cf4b4977f5d8613a3d1102961a38129de1b8a52966efe130adb2399e38c4e378714bc0487a666e77c01748a4af57864f2b8813ca43ed6e086b18969e27276306

data/CHANGELOG.md

@@ -7,6 +7,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.2.0] - 2026-05-25
+
+### Added
+- **RFC 9207** — `iss` parameter on authorization-error redirects (success
+  redirects already included it). Becomes a MUST in the MCP 2026-07-28
+  spec release candidate.
+- **RFC 7009** — `POST /oauth/revoke` now requires client authentication
+  (HTTP Basic or form body) and only revokes tokens owned by the
+  authenticated client. Honors the optional `token_type_hint` parameter.
+- **RFC 7662** — `POST /oauth/introspect` now requires client
+  authentication. Tokens not owned by the authenticated client are
+  reported as `{active: false}` to prevent token-scanning attacks.
+- Spec coverage for `revoke` + `introspect` endpoints (13 examples).
+
+### Changed
+- `revoke` and `introspect` now return HTTP 401 with
+  `{error: "invalid_client"}` when client authentication fails. Previously
+  they accepted unauthenticated requests. **This is a breaking change for
+  callers that did not authenticate** — update clients to send credentials
+  via HTTP Basic auth (preferred) or `client_id` + `client_secret` form
+  params.
+- `render_error` now accepts a `status:` keyword argument
+  (default `:bad_request`).
+
 ## [0.1.0] - 2025-01-10
 
 ### Added
@@ -39,5 +63,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Token audience validation to prevent confused deputy attacks
 - WWW-Authenticate header with resource metadata on 401 responses
 
-[Unreleased]: https://github.com/SerhiiBorozenets/mcp-auth/compare/v0.1.0...HEAD
+[Unreleased]: https://github.com/SerhiiBorozenets/mcp-auth/compare/v0.2.0...HEAD
+[0.2.0]: https://github.com/SerhiiBorozenets/mcp-auth/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/SerhiiBorozenets/mcp-auth/releases/tag/v0.1.0

data/app/controllers/mcp/auth/oauth_controller.rb

@@ -99,49 +99,38 @@ module Mcp
       end
 
       # RFC 7009: Token Revocation
+      # Requires client authentication; only revokes tokens that belong to the
+      # authenticated client (otherwise still returns 200 to avoid leaking which
+      # tokens exist — per RFC 7009 §2.2).
       def revoke
-        token = params[:token]
+        client = authenticate_client
+        return render_error('invalid_client', 'Client authentication failed', status: :unauthorized) unless client
 
+        token = params[:token]
         if token.blank?
           return render_error('invalid_request', 'Token parameter is required')
         end
 
-        # Try refresh token first
-        revoked = Services::TokenService.revoke_refresh_token(token)
-
-        # Try access token if not found
-        unless revoked
-          access_token = Mcp::Auth::AccessToken.find_by(token: token)
-          if access_token
-            access_token.destroy
-            revoked = true
-          end
-        end
+        revoked = revoke_token_for_client(token, client, hint: params[:token_type_hint])
 
-        # RFC 7009: Always return 200 OK
-        Rails.logger.info "[OAuth] Token revocation: #{revoked ? 'success' : 'not found'}"
+        # RFC 7009: Always return 200 OK regardless of whether the token was found.
+        Rails.logger.info "[OAuth] Token revocation by client=#{client.client_id}: #{revoked ? 'success' : 'not found / not owned'}"
         head :ok
       end
 
       # RFC 7662: Token Introspection
+      # Requires client authentication. Tokens not owned by the authenticated
+      # client are reported as `{active: false}` to prevent token-scanning.
       def introspect
-        token = params[:token]
+        client = authenticate_client
+        return render_error('invalid_client', 'Client authentication failed', status: :unauthorized) unless client
 
+        token = params[:token]
         if token.blank?
           return render json: { active: false }, content_type: 'application/json'
         end
 
-        # Try as JWT access token
-        payload = Services::TokenService.validate_access_token(token)
-
-        response = if payload
-                     build_access_token_introspection(payload)
-                   else
-                     # Try as refresh token
-                     refresh_data = Services::TokenService.validate_refresh_token(token)
-                     refresh_data ? build_refresh_token_introspection(refresh_data) : { active: false }
-                   end
-
+        response = introspect_token_for_client(token, client)
         render json: response, content_type: 'application/json'
       end
 
@@ -239,6 +228,8 @@ module Mcp
         redirect_uri = URI.parse(params[:redirect_uri])
         query_params = { error: error, error_description: description }
         query_params[:state] = params[:state] if params[:state]
+        # RFC 9207: iss MUST be included in authorization responses, including errors.
+        query_params[:iss] = authorization_server_url
 
         redirect_uri.query = URI.encode_www_form(query_params)
         redirect_to redirect_uri.to_s, allow_other_host: true
@@ -335,6 +326,71 @@ module Mcp
         }.compact
       end
 
+      # === Client Authentication (RFC 6749 §2.3, used by revoke + introspect) ===
+
+      # Accepts client credentials from either HTTP Basic auth or form params.
+      # Returns the OauthClient instance on success, nil on failure.
+      def authenticate_client
+        client_id, client_secret = extract_client_credentials
+        return nil if client_id.blank? || client_secret.blank?
+
+        client = Mcp::Auth::OauthClient.find_by(client_id: client_id)
+        return nil unless client
+        return nil unless ActiveSupport::SecurityUtils.secure_compare(client.client_secret.to_s, client_secret.to_s)
+
+        client
+      end
+
+      def extract_client_credentials
+        if (auth = request.authorization) && auth.start_with?('Basic ')
+          decoded = Base64.decode64(auth.split(' ', 2).last)
+          decoded.split(':', 2)
+        else
+          [params[:client_id], params[:client_secret]]
+        end
+      end
+
+      # RFC 7009: revoke token only if it belongs to the requesting client.
+      # token_type_hint is a hint, not a constraint — try both regardless.
+      def revoke_token_for_client(token, client, hint: nil)
+        if hint == 'refresh_token'
+          revoke_refresh_for_client(token, client) || revoke_access_for_client(token, client)
+        else
+          revoke_access_for_client(token, client) || revoke_refresh_for_client(token, client)
+        end
+      end
+
+      def revoke_access_for_client(token, client)
+        access_token = Mcp::Auth::AccessToken.find_by(token: token, client_id: client.client_id)
+        return false unless access_token
+
+        access_token.destroy
+        true
+      end
+
+      def revoke_refresh_for_client(token, client)
+        refresh_token = Mcp::Auth::RefreshToken.find_by(token: token, client_id: client.client_id)
+        return false unless refresh_token
+
+        refresh_token.destroy
+        true
+      end
+
+      # RFC 7662: only describe tokens owned by the authenticated client.
+      def introspect_token_for_client(token, client)
+        payload = Services::TokenService.validate_access_token(token)
+        if payload && payload[:client_id] == client.client_id
+          build_access_token_introspection(payload)
+        else
+          refresh_data = Services::TokenService.validate_refresh_token(token)
+          if refresh_data && refresh_data[:client_id] == client.client_id
+            build_refresh_token_introspection(refresh_data)
+          else
+            { active: false }
+          end
+        end
+      end
+
       # === Token Introspection ===
 
       def build_access_token_introspection(payload)
@@ -463,14 +519,14 @@ module Mcp
 
       # === Error Handling ===
 
-      def render_error(error, description)
+      def render_error(error, description, status: :bad_request)
         error_response = {
           error: error,
           error_description: description
         }
 
         Rails.logger.error "[OAuth] Error: #{error_response.inspect}"
-        render json: error_response, status: :bad_request, content_type: 'application/json'
+        render json: error_response, status: status, content_type: 'application/json'
       end
 
       def current_org

data/lib/mcp/auth/version.rb

@@ -2,6 +2,6 @@
 
 module Mcp
   module Auth
-    VERSION = "0.1.0"
+    VERSION = "0.2.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mcp-auth
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Serhii Borozenets