@ai-sdk/mcp 1.0.46 → 1.0.48

package/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @ai-sdk/mcp
 
+## 1.0.48
+
+### Patch Changes
+
+- 26d93a4: fix(mcp): add optional hook to validate authorization servers
+- 3c9ad04: fix(mcp): support official sdk protocol version negotiation
+- Updated dependencies [942f2f8]
+  - @ai-sdk/provider-utils@4.0.28
+
+## 1.0.47
+
+### Patch Changes
+
+- bf1d6bd: fix(mcp): prevent mcp oauth credential exfiltration during rediscovery
+
 ## 1.0.46
 
 ### Patch Changes

package/dist/index.d.mts

@@ -77,6 +77,8 @@ declare const OAuthTokensSchema: z.ZodObject<{
     expires_in: z.ZodOptional<z.ZodNumber>;
     scope: z.ZodOptional<z.ZodString>;
     refresh_token: z.ZodOptional<z.ZodString>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthMetadataSchema: z.ZodObject<{
     issuer: z.ZodString;
@@ -116,6 +118,8 @@ declare const OAuthClientInformationSchema: z.ZodObject<{
     client_secret: z.ZodOptional<z.ZodString>;
     client_id_issued_at: z.ZodOptional<z.ZodNumber>;
     client_secret_expires_at: z.ZodOptional<z.ZodNumber>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthClientMetadataSchema: z.ZodObject<{
     redirect_uris: z.ZodArray<z.ZodString>;
@@ -143,6 +147,10 @@ type AuthorizationServerMetadata = OAuthMetadata | OpenIdProviderDiscoveryMetada
 type OAuthClientMetadata = z.infer<typeof OAuthClientMetadataSchema>;
 
 type AuthResult = 'AUTHORIZED' | 'REDIRECT';
+interface OAuthAuthorizationServerInformation {
+    authorizationServerUrl: string;
+    tokenEndpoint: string;
+}
 interface OAuthClientProvider {
     /**
      * Returns current access token if present; undefined otherwise.
@@ -181,6 +189,13 @@ interface OAuthClientProvider {
     get clientMetadata(): OAuthClientMetadata;
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
+    authorizationServerInformation?(): OAuthAuthorizationServerInformation | undefined | Promise<OAuthAuthorizationServerInformation | undefined>;
+    saveAuthorizationServerInformation?(authorizationServerInformation: OAuthAuthorizationServerInformation): void | Promise<void>;
+    /**
+     * Validates an authorization server URL discovered from MCP protected resource
+     * metadata before the client fetches its OAuth metadata.
+     */
+    validateAuthorizationServerURL?(serverUrl: string | URL, authorizationServerUrl: string | URL): void | Promise<void>;
     state?(): string | Promise<string>;
     saveState?(state: string): void | Promise<void>;
     storedState?(): string | undefined | Promise<string | undefined>;
@@ -232,6 +247,10 @@ interface MCPTransport {
      * The protocol version negotiated during initialization.
      */
     protocolVersion?: string;
+    /**
+     * Set the protocol version negotiated during initialization.
+     */
+    setProtocolVersion?(version: string): void;
 }
 type MCPTransportConfig = {
     type: 'sse' | 'http';
@@ -561,4 +580,4 @@ interface MCPClient {
     close: () => Promise<void>;
 }
 
-export { type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient };
+export { type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, type OAuthAuthorizationServerInformation, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient };

package/dist/index.d.ts

@@ -77,6 +77,8 @@ declare const OAuthTokensSchema: z.ZodObject<{
     expires_in: z.ZodOptional<z.ZodNumber>;
     scope: z.ZodOptional<z.ZodString>;
     refresh_token: z.ZodOptional<z.ZodString>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthMetadataSchema: z.ZodObject<{
     issuer: z.ZodString;
@@ -116,6 +118,8 @@ declare const OAuthClientInformationSchema: z.ZodObject<{
     client_secret: z.ZodOptional<z.ZodString>;
     client_id_issued_at: z.ZodOptional<z.ZodNumber>;
     client_secret_expires_at: z.ZodOptional<z.ZodNumber>;
+    authorization_server: z.ZodOptional<z.ZodString>;
+    token_endpoint: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const OAuthClientMetadataSchema: z.ZodObject<{
     redirect_uris: z.ZodArray<z.ZodString>;
@@ -143,6 +147,10 @@ type AuthorizationServerMetadata = OAuthMetadata | OpenIdProviderDiscoveryMetada
 type OAuthClientMetadata = z.infer<typeof OAuthClientMetadataSchema>;
 
 type AuthResult = 'AUTHORIZED' | 'REDIRECT';
+interface OAuthAuthorizationServerInformation {
+    authorizationServerUrl: string;
+    tokenEndpoint: string;
+}
 interface OAuthClientProvider {
     /**
      * Returns current access token if present; undefined otherwise.
@@ -181,6 +189,13 @@ interface OAuthClientProvider {
     get clientMetadata(): OAuthClientMetadata;
     clientInformation(): OAuthClientInformation | undefined | Promise<OAuthClientInformation | undefined>;
     saveClientInformation?(clientInformation: OAuthClientInformation): void | Promise<void>;
+    authorizationServerInformation?(): OAuthAuthorizationServerInformation | undefined | Promise<OAuthAuthorizationServerInformation | undefined>;
+    saveAuthorizationServerInformation?(authorizationServerInformation: OAuthAuthorizationServerInformation): void | Promise<void>;
+    /**
+     * Validates an authorization server URL discovered from MCP protected resource
+     * metadata before the client fetches its OAuth metadata.
+     */
+    validateAuthorizationServerURL?(serverUrl: string | URL, authorizationServerUrl: string | URL): void | Promise<void>;
     state?(): string | Promise<string>;
     saveState?(state: string): void | Promise<void>;
     storedState?(): string | undefined | Promise<string | undefined>;
@@ -232,6 +247,10 @@ interface MCPTransport {
      * The protocol version negotiated during initialization.
      */
     protocolVersion?: string;
+    /**
+     * Set the protocol version negotiated during initialization.
+     */
+    setProtocolVersion?(version: string): void;
 }
 type MCPTransportConfig = {
     type: 'sse' | 'http';
@@ -561,4 +580,4 @@ interface MCPClient {
     close: () => Promise<void>;
 }
 
-export { type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient };
+export { type Configuration, type ElicitResult, ElicitResultSchema, type ElicitationRequest, ElicitationRequestSchema, type JSONRPCError, type JSONRPCMessage, type JSONRPCNotification, type JSONRPCRequest, type JSONRPCResponse, type ListToolsResult, type MCPClient, type ClientCapabilities as MCPClientCapabilities, type MCPClientConfig, type MCPTransport, type OAuthAuthorizationServerInformation, type OAuthClientInformation, type OAuthClientMetadata, type OAuthClientProvider, type OAuthTokens, UnauthorizedError, auth, createMCPClient, type MCPClient as experimental_MCPClient, type ClientCapabilities as experimental_MCPClientCapabilities, type MCPClientConfig as experimental_MCPClientConfig, createMCPClient as experimental_createMCPClient };

package/dist/index.js

@@ -342,15 +342,6 @@ var import_pkce_challenge = __toESM(require("pkce-challenge"));
 
 // src/tool/oauth-types.ts
 var import_v43 = require("zod/v4");
-var OAuthTokensSchema = import_v43.z.object({
-  access_token: import_v43.z.string(),
-  id_token: import_v43.z.string().optional(),
-  // Optional for OAuth 2.1, but necessary in OpenID Connect
-  token_type: import_v43.z.string(),
-  expires_in: import_v43.z.number().optional(),
-  scope: import_v43.z.string().optional(),
-  refresh_token: import_v43.z.string().optional()
-}).strip();
 var SafeUrlSchema = import_v43.z.string().url().superRefine((val, ctx) => {
   if (!URL.canParse(val)) {
     ctx.addIssue({
@@ -367,6 +358,17 @@ var SafeUrlSchema = import_v43.z.string().url().superRefine((val, ctx) => {
   },
   { message: "URL cannot use javascript:, data:, or vbscript: scheme" }
 );
+var OAuthTokensSchema = import_v43.z.object({
+  access_token: import_v43.z.string(),
+  id_token: import_v43.z.string().optional(),
+  // Optional for OAuth 2.1, but necessary in OpenID Connect
+  token_type: import_v43.z.string(),
+  expires_in: import_v43.z.number().optional(),
+  scope: import_v43.z.string().optional(),
+  refresh_token: import_v43.z.string().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
+}).strip();
 var OAuthProtectedResourceMetadataSchema = import_v43.z.object({
   resource: import_v43.z.string().url(),
   authorization_servers: import_v43.z.array(SafeUrlSchema).optional(),
@@ -419,7 +421,9 @@ var OAuthClientInformationSchema = import_v43.z.object({
   client_id: import_v43.z.string(),
   client_secret: import_v43.z.string().optional(),
   client_id_issued_at: import_v43.z.number().optional(),
-  client_secret_expires_at: import_v43.z.number().optional()
+  client_secret_expires_at: import_v43.z.number().optional(),
+  authorization_server: SafeUrlSchema.optional(),
+  token_endpoint: SafeUrlSchema.optional()
 }).strip();
 var OAuthClientMetadataSchema = import_v43.z.object({
   redirect_uris: import_v43.z.array(SafeUrlSchema),
@@ -524,6 +528,106 @@ var UnauthorizedError = class extends Error {
     this.name = "UnauthorizedError";
   }
 };
+function normalizeUrl(url) {
+  return new URL(url).href;
+}
+function createAuthorizationServerInformation(authorizationServerUrl, metadata) {
+  return {
+    authorizationServerUrl: normalizeUrl(authorizationServerUrl),
+    tokenEndpoint: normalizeUrl(
+      (metadata == null ? void 0 : metadata.token_endpoint) ? new URL(metadata.token_endpoint) : new URL("/token", authorizationServerUrl)
+    )
+  };
+}
+function addAuthorizationServerInformationToTokens(tokens, authorizationServerInformation) {
+  return {
+    ...tokens,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function addAuthorizationServerInformationToClientInformation(clientInformation, authorizationServerInformation) {
+  return {
+    ...clientInformation,
+    authorization_server: authorizationServerInformation.authorizationServerUrl,
+    token_endpoint: authorizationServerInformation.tokenEndpoint
+  };
+}
+function getAuthorizationServerInformationFromCredentials(credentials) {
+  if (!(credentials == null ? void 0 : credentials.authorization_server) || !credentials.token_endpoint) {
+    return void 0;
+  }
+  return {
+    authorizationServerUrl: normalizeUrl(credentials.authorization_server),
+    tokenEndpoint: normalizeUrl(credentials.token_endpoint)
+  };
+}
+async function getStoredAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  tokens
+}) {
+  var _a3;
+  const tokenAuthorizationServerInformation = getAuthorizationServerInformationFromCredentials(tokens);
+  if (tokenAuthorizationServerInformation) {
+    return tokenAuthorizationServerInformation;
+  }
+  const providerAuthorizationServerInformation = await ((_a3 = provider.authorizationServerInformation) == null ? void 0 : _a3.call(provider));
+  if (providerAuthorizationServerInformation) {
+    return {
+      authorizationServerUrl: normalizeUrl(
+        providerAuthorizationServerInformation.authorizationServerUrl
+      ),
+      tokenEndpoint: normalizeUrl(
+        providerAuthorizationServerInformation.tokenEndpoint
+      )
+    };
+  }
+  return getAuthorizationServerInformationFromCredentials(clientInformation);
+}
+async function saveAuthorizationServerInformation({
+  provider,
+  clientInformation,
+  authorizationServerInformation
+}) {
+  if (provider.saveAuthorizationServerInformation) {
+    await provider.saveAuthorizationServerInformation(
+      authorizationServerInformation
+    );
+    return true;
+  }
+  if (provider.saveClientInformation) {
+    await provider.saveClientInformation(
+      addAuthorizationServerInformationToClientInformation(
+        clientInformation,
+        authorizationServerInformation
+      )
+    );
+    return true;
+  }
+  return false;
+}
+function assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl) {
+  if (!resourceMetadataUrl) {
+    return;
+  }
+  const expectedOrigin = new URL(serverUrl).origin;
+  if (resourceMetadataUrl.origin !== expectedOrigin) {
+    throw new MCPClientOAuthError({
+      message: `OAuth protected resource metadata URL ${resourceMetadataUrl.href} must have the same origin as the MCP server URL ${expectedOrigin}`
+    });
+  }
+}
+function assertAuthorizationServerInformationMatches({
+  storedAuthorizationServerInformation,
+  currentAuthorizationServerInformation
+}) {
+  if (storedAuthorizationServerInformation.authorizationServerUrl !== currentAuthorizationServerInformation.authorizationServerUrl || storedAuthorizationServerInformation.tokenEndpoint !== currentAuthorizationServerInformation.tokenEndpoint) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata does not match the metadata that issued the stored credentials"
+    });
+  }
+}
 function extractResourceMetadataUrl(response) {
   var _a3;
   const header = (_a3 = response.headers.get("www-authenticate")) != null ? _a3 : response.headers.get("WWW-Authenticate");
@@ -1001,8 +1105,10 @@ async function authInternal(provider, {
   resourceMetadataUrl,
   fetchFn
 }) {
+  var _a3, _b3;
   let resourceMetadata;
   let authorizationServerUrl;
+  assertResourceMetadataUrlSameOrigin(serverUrl, resourceMetadataUrl);
   try {
     resourceMetadata = await discoverOAuthProtectedResourceMetadata(
       serverUrl,
@@ -1022,12 +1128,18 @@ async function authInternal(provider, {
     provider,
     resourceMetadata
   );
+  await ((_a3 = provider.validateAuthorizationServerURL) == null ? void 0 : _a3.call(
+    provider,
+    serverUrl,
+    authorizationServerUrl
+  ));
   const metadata = await discoverAuthorizationServerMetadata(
     authorizationServerUrl,
     {
       fetchFn
     }
   );
+  const currentAuthorizationServerInformation = createAuthorizationServerInformation(authorizationServerUrl, metadata);
   let clientInformation = await Promise.resolve(provider.clientInformation());
   if (!clientInformation) {
     if (authorizationCode !== void 0) {
@@ -1045,8 +1157,11 @@ async function authInternal(provider, {
       clientMetadata: provider.clientMetadata,
       fetchFn
     });
-    await provider.saveClientInformation(fullInformation);
-    clientInformation = fullInformation;
+    clientInformation = addAuthorizationServerInformationToClientInformation(
+      fullInformation,
+      currentAuthorizationServerInformation
+    );
+    await provider.saveClientInformation(clientInformation);
   }
   if (authorizationCode !== void 0) {
     if (provider.storedState) {
@@ -1057,6 +1172,19 @@ async function authInternal(provider, {
         );
       }
     }
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation
+    });
+    if (!storedAuthorizationServerInformation) {
+      throw new MCPClientOAuthError({
+        message: "Stored OAuth authorization server metadata is required when exchanging an authorization code"
+      });
+    }
+    assertAuthorizationServerInformationMatches({
+      storedAuthorizationServerInformation,
+      currentAuthorizationServerInformation
+    });
     const codeVerifier2 = await provider.codeVerifier();
     const tokens2 = await exchangeAuthorization(authorizationServerUrl, {
       metadata,
@@ -1068,22 +1196,47 @@ async function authInternal(provider, {
       addClientAuthentication: provider.addClientAuthentication,
       fetchFn
     });
-    await provider.saveTokens(tokens2);
+    await provider.saveTokens(
+      addAuthorizationServerInformationToTokens(
+        tokens2,
+        currentAuthorizationServerInformation
+      )
+    );
     return "AUTHORIZED";
   }
   const tokens = await provider.tokens();
   if (tokens == null ? void 0 : tokens.refresh_token) {
-    try {
-      const newTokens = await refreshAuthorization(authorizationServerUrl, {
-        metadata,
-        clientInformation,
-        refreshToken: tokens.refresh_token,
-        resource,
-        addClientAuthentication: provider.addClientAuthentication,
-        fetchFn
+    const storedAuthorizationServerInformation = await getStoredAuthorizationServerInformation({
+      provider,
+      clientInformation,
+      tokens
+    });
+    if (storedAuthorizationServerInformation) {
+      assertAuthorizationServerInformationMatches({
+        storedAuthorizationServerInformation,
+        currentAuthorizationServerInformation
       });
-      await provider.saveTokens(newTokens);
-      return "AUTHORIZED";
+    } else {
+      await ((_b3 = provider.invalidateCredentials) == null ? void 0 : _b3.call(provider, "tokens"));
+    }
+    try {
+      if (storedAuthorizationServerInformation) {
+        const newTokens = await refreshAuthorization(authorizationServerUrl, {
+          metadata,
+          clientInformation,
+          refreshToken: tokens.refresh_token,
+          resource,
+          addClientAuthentication: provider.addClientAuthentication,
+          fetchFn
+        });
+        await provider.saveTokens(
+          addAuthorizationServerInformationToTokens(
+            newTokens,
+            currentAuthorizationServerInformation
+          )
+        );
+        return "AUTHORIZED";
+      }
     } catch (error) {
       if (
         // If this is a ServerError, or an unknown type, log it out and try to continue. Otherwise, escalate so we can fix things and retry.
@@ -1109,6 +1262,16 @@ async function authInternal(provider, {
       resource
     }
   );
+  const savedAuthorizationServerInformation = await saveAuthorizationServerInformation({
+    provider,
+    clientInformation,
+    authorizationServerInformation: currentAuthorizationServerInformation
+  });
+  if (!savedAuthorizationServerInformation) {
+    throw new MCPClientOAuthError({
+      message: "OAuth authorization server metadata must be saveable before starting authorization"
+    });
+  }
   await provider.saveCodeVerifier(codeVerifier);
   await provider.redirectToAuthorization(authorizationUrl);
   return "REDIRECT";
@@ -1130,6 +1293,9 @@ var SseMCPTransport = class {
     this.redirectMode = redirect;
     this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
+  setProtocolVersion(version) {
+    this.protocolVersion = version;
+  }
   async commonHeaders(base) {
     var _a3;
     const headers = {
@@ -1345,6 +1511,9 @@ var HttpMCPTransport = class {
     this.redirectMode = redirect;
     this.fetchFn = fetchFn != null ? fetchFn : globalThis.fetch;
   }
+  setProtocolVersion(version) {
+    this.protocolVersion = version;
+  }
   async commonHeaders(base) {
     var _a3;
     const headers = {
@@ -1788,8 +1957,12 @@ var DefaultMCPClient = class {
       }
       this.serverCapabilities = result.capabilities;
       this._serverInfo = result.serverInfo;
+      if (this.transport.setProtocolVersion) {
+        this.transport.setProtocolVersion(result.protocolVersion);
+      } else {
+        this.transport.protocolVersion = result.protocolVersion;
+      }
       this._serverInstructions = result.instructions;
-      this.transport.protocolVersion = result.protocolVersion;
       await this.notification({
         method: "notifications/initialized"
       });