@backstage/plugin-mcp-actions-backend 0.1.9-next.0 → 0.1.9

package/CHANGELOG.md

@@ -1,5 +1,30 @@
 # @backstage/plugin-mcp-actions-backend
 
+## 0.1.9
+
+### Patch Changes
+
+- 31de2c9: Added OAuth Protected Resource Metadata endpoint (`/.well-known/oauth-protected-resource`) per RFC 9728. This allows MCP clients to discover the authorization server for the resource.
+
+  Also enabled OAuth well-known endpoints when CIMD (Client ID Metadata Documents) is configured, not just when DCR is enabled.
+
+- 8148621: Moved `@backstage/backend-defaults` from `dependencies` to `devDependencies`.
+- 69d880e: Bump to latest zod to ensure it has the latest features
+- Updated dependencies
+  - @backstage/plugin-catalog-node@2.0.0
+  - @backstage/backend-plugin-api@1.7.0
+  - @backstage/catalog-client@1.13.0
+
+## 0.1.9-next.1
+
+### Patch Changes
+
+- 8148621: Moved `@backstage/backend-defaults` from `dependencies` to `devDependencies`.
+- Updated dependencies
+  - @backstage/plugin-catalog-node@2.0.0-next.1
+  - @backstage/catalog-client@1.12.2-next.0
+  - @backstage/backend-plugin-api@1.7.0-next.1
+
 ## 0.1.8-next.0
 
 ### Patch Changes

package/README.md

@@ -75,7 +75,7 @@ export const myPlugin = createBackendPlugin({
 
 When errors are thrown from MCP actions, the backend will handle and surface error message for any error from `@backstage/errors`. Unknown errors will be handled by `@modelcontextprotocol/sdk`'s default error handling, which may result in a generic `500 Server Error` being returned. As a result, we recommend using errors from `@backstage/errors` when applicable.
 
-See https://backstage.io/docs/reference/errors/ for a full list of supported errors.
+See https://backstage.io/api/stable/modules/_backstage_errors.html for a full list of supported errors.
 
 When writing MCP tools, use the appropriate error from `@backstage/errors` when applicable:
 

package/dist/plugin.cjs.js

@@ -53,9 +53,12 @@ const mcpPlugin = backendPluginApi.createBackendPlugin({
         router.use("/v1/sse", sseRouter);
         router.use("/v1", streamableRouter);
         httpRouter.use(router);
-        if (config.getOptionalBoolean(
+        const oauthEnabled = config.getOptionalBoolean(
           "auth.experimentalDynamicClientRegistration.enabled"
-        )) {
+        ) || config.getOptionalBoolean(
+          "auth.experimentalClientIdMetadataDocuments.enabled"
+        );
+        if (oauthEnabled) {
           rootRouter.use(
             "/.well-known/oauth-authorization-server",
             async (_, res) => {
@@ -66,6 +69,19 @@ const mcpPlugin = backendPluginApi.createBackendPlugin({
               res.json(await oidcResponse.json());
             }
           );
+          rootRouter.use(
+            "/.well-known/oauth-protected-resource",
+            async (_, res) => {
+              const [authBaseUrl, mcpBaseUrl] = await Promise.all([
+                discovery.getBaseUrl("auth"),
+                discovery.getBaseUrl("mcp-actions")
+              ]);
+              res.json({
+                resource: mcpBaseUrl,
+                authorization_servers: [authBaseUrl]
+              });
+            }
+          );
         }
       }
     });

package/dist/plugin.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { json } from 'express';\nimport Router from 'express-promise-router';\nimport { McpService } from './services/McpService';\nimport { createStreamableRouter } from './routers/createStreamableRouter';\nimport { createSseRouter } from './routers/createSseRouter';\nimport {\n  actionsRegistryServiceRef,\n  actionsServiceRef,\n} from '@backstage/backend-plugin-api/alpha';\n\n/**\n * mcpPlugin backend plugin\n *\n * @public\n */\nexport const mcpPlugin = createBackendPlugin({\n  pluginId: 'mcp-actions',\n  register(env) {\n    env.registerInit({\n      deps: {\n        logger: coreServices.logger,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        httpRouter: coreServices.httpRouter,\n        actions: actionsServiceRef,\n        registry: actionsRegistryServiceRef,\n        rootRouter: coreServices.rootHttpRouter,\n        discovery: coreServices.discovery,\n        config: coreServices.rootConfig,\n      },\n      async init({\n        actions,\n        logger,\n        httpRouter,\n        httpAuth,\n        rootRouter,\n        discovery,\n        config,\n      }) {\n        const mcpService = await McpService.create({\n          actions,\n        });\n\n        const sseRouter = createSseRouter({\n          mcpService,\n          httpAuth,\n        });\n\n        const streamableRouter = createStreamableRouter({\n          mcpService,\n          httpAuth,\n          logger,\n        });\n\n        const router = Router();\n        router.use(json());\n\n        router.use('/v1/sse', sseRouter);\n        router.use('/v1', streamableRouter);\n\n        httpRouter.use(router);\n\n        if (\n          config.getOptionalBoolean(\n            'auth.experimentalDynamicClientRegistration.enabled',\n          )\n        ) {\n          // This should be replaced with throwing a WWW-Authenticate header, but that doesn't seem to be supported by\n          // many of the MCP client as of yet. So this seems to be the oldest version of the spec thats implemented.\n          rootRouter.use(\n            '/.well-known/oauth-authorization-server',\n            async (_, res) => {\n              const authBaseUrl = await discovery.getBaseUrl('auth');\n              const oidcResponse = await fetch(\n                `${authBaseUrl}/.well-known/openid-configuration`,\n              );\n\n              res.json(await oidcResponse.json());\n            },\n          );\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","actionsServiceRef","actionsRegistryServiceRef","McpService","createSseRouter","createStreamableRouter","Router","json"],"mappings":";;;;;;;;;;;;;;AAkCO,MAAM,YAAYA,oCAAA,CAAoB;AAAA,EAC3C,QAAA,EAAU,aAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,QAAQC,6BAAA,CAAa,MAAA;AAAA,QACrB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,YAAYA,6BAAA,CAAa,UAAA;AAAA,QACzB,OAAA,EAASC,uBAAA;AAAA,QACT,QAAA,EAAUC,+BAAA;AAAA,QACV,YAAYF,6BAAA,CAAa,cAAA;AAAA,QACzB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,QAAQA,6BAAA,CAAa;AAAA,OACvB;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,OAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,UAAA,GAAa,MAAMG,qBAAA,CAAW,MAAA,CAAO;AAAA,UACzC;AAAA,SACD,CAAA;AAED,QAAA,MAAM,YAAYC,+BAAA,CAAgB;AAAA,UAChC,UAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,mBAAmBC,6CAAA,CAAuB;AAAA,UAC9C,UAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,SAASC,8BAAA,EAAO;AACtB,QAAA,MAAA,CAAO,GAAA,CAAIC,cAAM,CAAA;AAEjB,QAAA,MAAA,CAAO,GAAA,CAAI,WAAW,SAAS,CAAA;AAC/B,QAAA,MAAA,CAAO,GAAA,CAAI,OAAO,gBAAgB,CAAA;AAElC,QAAA,UAAA,CAAW,IAAI,MAAM,CAAA;AAErB,QAAA,IACE,MAAA,CAAO,kBAAA;AAAA,UACL;AAAA,SACF,EACA;AAGA,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,yCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,WAAA,GAAc,MAAM,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA;AACrD,cAAA,MAAM,eAAe,MAAM,KAAA;AAAA,gBACzB,GAAG,WAAW,CAAA,iCAAA;AAAA,eAChB;AAEA,cAAA,GAAA,CAAI,IAAA,CAAK,MAAM,YAAA,CAAa,IAAA,EAAM,CAAA;AAAA,YACpC;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}
+{"version":3,"file":"plugin.cjs.js","sources":["../src/plugin.ts"],"sourcesContent":["/*\n * Copyright 2025 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\nimport {\n  coreServices,\n  createBackendPlugin,\n} from '@backstage/backend-plugin-api';\nimport { json } from 'express';\nimport Router from 'express-promise-router';\nimport { McpService } from './services/McpService';\nimport { createStreamableRouter } from './routers/createStreamableRouter';\nimport { createSseRouter } from './routers/createSseRouter';\nimport {\n  actionsRegistryServiceRef,\n  actionsServiceRef,\n} from '@backstage/backend-plugin-api/alpha';\n\n/**\n * mcpPlugin backend plugin\n *\n * @public\n */\nexport const mcpPlugin = createBackendPlugin({\n  pluginId: 'mcp-actions',\n  register(env) {\n    env.registerInit({\n      deps: {\n        logger: coreServices.logger,\n        auth: coreServices.auth,\n        httpAuth: coreServices.httpAuth,\n        httpRouter: coreServices.httpRouter,\n        actions: actionsServiceRef,\n        registry: actionsRegistryServiceRef,\n        rootRouter: coreServices.rootHttpRouter,\n        discovery: coreServices.discovery,\n        config: coreServices.rootConfig,\n      },\n      async init({\n        actions,\n        logger,\n        httpRouter,\n        httpAuth,\n        rootRouter,\n        discovery,\n        config,\n      }) {\n        const mcpService = await McpService.create({\n          actions,\n        });\n\n        const sseRouter = createSseRouter({\n          mcpService,\n          httpAuth,\n        });\n\n        const streamableRouter = createStreamableRouter({\n          mcpService,\n          httpAuth,\n          logger,\n        });\n\n        const router = Router();\n        router.use(json());\n\n        router.use('/v1/sse', sseRouter);\n        router.use('/v1', streamableRouter);\n\n        httpRouter.use(router);\n\n        const oauthEnabled =\n          config.getOptionalBoolean(\n            'auth.experimentalDynamicClientRegistration.enabled',\n          ) ||\n          config.getOptionalBoolean(\n            'auth.experimentalClientIdMetadataDocuments.enabled',\n          );\n\n        if (oauthEnabled) {\n          // OAuth Authorization Server Metadata (RFC 8414)\n          // This should be replaced with throwing a WWW-Authenticate header, but that doesn't seem to be supported by\n          // many of the MCP clients as of yet. So this seems to be the oldest version of the spec that's implemented.\n          rootRouter.use(\n            '/.well-known/oauth-authorization-server',\n            async (_, res) => {\n              const authBaseUrl = await discovery.getBaseUrl('auth');\n              const oidcResponse = await fetch(\n                `${authBaseUrl}/.well-known/openid-configuration`,\n              );\n              res.json(await oidcResponse.json());\n            },\n          );\n\n          // Protected Resource Metadata (RFC 9728)\n          // https://datatracker.ietf.org/doc/html/rfc9728\n          // This allows MCP clients to discover the authorization server for this resource\n          rootRouter.use(\n            '/.well-known/oauth-protected-resource',\n            async (_, res) => {\n              const [authBaseUrl, mcpBaseUrl] = await Promise.all([\n                discovery.getBaseUrl('auth'),\n                discovery.getBaseUrl('mcp-actions'),\n              ]);\n              res.json({\n                resource: mcpBaseUrl,\n                authorization_servers: [authBaseUrl],\n              });\n            },\n          );\n        }\n      },\n    });\n  },\n});\n"],"names":["createBackendPlugin","coreServices","actionsServiceRef","actionsRegistryServiceRef","McpService","createSseRouter","createStreamableRouter","Router","json"],"mappings":";;;;;;;;;;;;;;AAkCO,MAAM,YAAYA,oCAAA,CAAoB;AAAA,EAC3C,QAAA,EAAU,aAAA;AAAA,EACV,SAAS,GAAA,EAAK;AACZ,IAAA,GAAA,CAAI,YAAA,CAAa;AAAA,MACf,IAAA,EAAM;AAAA,QACJ,QAAQC,6BAAA,CAAa,MAAA;AAAA,QACrB,MAAMA,6BAAA,CAAa,IAAA;AAAA,QACnB,UAAUA,6BAAA,CAAa,QAAA;AAAA,QACvB,YAAYA,6BAAA,CAAa,UAAA;AAAA,QACzB,OAAA,EAASC,uBAAA;AAAA,QACT,QAAA,EAAUC,+BAAA;AAAA,QACV,YAAYF,6BAAA,CAAa,cAAA;AAAA,QACzB,WAAWA,6BAAA,CAAa,SAAA;AAAA,QACxB,QAAQA,6BAAA,CAAa;AAAA,OACvB;AAAA,MACA,MAAM,IAAA,CAAK;AAAA,QACT,OAAA;AAAA,QACA,MAAA;AAAA,QACA,UAAA;AAAA,QACA,QAAA;AAAA,QACA,UAAA;AAAA,QACA,SAAA;AAAA,QACA;AAAA,OACF,EAAG;AACD,QAAA,MAAM,UAAA,GAAa,MAAMG,qBAAA,CAAW,MAAA,CAAO;AAAA,UACzC;AAAA,SACD,CAAA;AAED,QAAA,MAAM,YAAYC,+BAAA,CAAgB;AAAA,UAChC,UAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,mBAAmBC,6CAAA,CAAuB;AAAA,UAC9C,UAAA;AAAA,UACA,QAAA;AAAA,UACA;AAAA,SACD,CAAA;AAED,QAAA,MAAM,SAASC,8BAAA,EAAO;AACtB,QAAA,MAAA,CAAO,GAAA,CAAIC,cAAM,CAAA;AAEjB,QAAA,MAAA,CAAO,GAAA,CAAI,WAAW,SAAS,CAAA;AAC/B,QAAA,MAAA,CAAO,GAAA,CAAI,OAAO,gBAAgB,CAAA;AAElC,QAAA,UAAA,CAAW,IAAI,MAAM,CAAA;AAErB,QAAA,MAAM,eACJ,MAAA,CAAO,kBAAA;AAAA,UACL;AAAA,aAEF,MAAA,CAAO,kBAAA;AAAA,UACL;AAAA,SACF;AAEF,QAAA,IAAI,YAAA,EAAc;AAIhB,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,yCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,WAAA,GAAc,MAAM,SAAA,CAAU,UAAA,CAAW,MAAM,CAAA;AACrD,cAAA,MAAM,eAAe,MAAM,KAAA;AAAA,gBACzB,GAAG,WAAW,CAAA,iCAAA;AAAA,eAChB;AACA,cAAA,GAAA,CAAI,IAAA,CAAK,MAAM,YAAA,CAAa,IAAA,EAAM,CAAA;AAAA,YACpC;AAAA,WACF;AAKA,UAAA,UAAA,CAAW,GAAA;AAAA,YACT,uCAAA;AAAA,YACA,OAAO,GAAG,GAAA,KAAQ;AAChB,cAAA,MAAM,CAAC,WAAA,EAAa,UAAU,CAAA,GAAI,MAAM,QAAQ,GAAA,CAAI;AAAA,gBAClD,SAAA,CAAU,WAAW,MAAM,CAAA;AAAA,gBAC3B,SAAA,CAAU,WAAW,aAAa;AAAA,eACnC,CAAA;AACD,cAAA,GAAA,CAAI,IAAA,CAAK;AAAA,gBACP,QAAA,EAAU,UAAA;AAAA,gBACV,qBAAA,EAAuB,CAAC,WAAW;AAAA,eACpC,CAAA;AAAA,YACH;AAAA,WACF;AAAA,QACF;AAAA,MACF;AAAA,KACD,CAAA;AAAA,EACH;AACF,CAAC;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-mcp-actions-backend",
-  "version": "0.1.9-next.0",
+  "version": "0.1.9",
   "backstage": {
     "role": "backend-plugin",
     "pluginId": "mcp-actions",
@@ -37,12 +37,11 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-defaults": "0.15.2-next.1",
-    "@backstage/backend-plugin-api": "1.7.0-next.1",
-    "@backstage/catalog-client": "1.12.1",
-    "@backstage/errors": "1.2.7",
-    "@backstage/plugin-catalog-node": "1.21.0-next.0",
-    "@backstage/types": "1.2.2",
+    "@backstage/backend-plugin-api": "^1.7.0",
+    "@backstage/catalog-client": "^1.13.0",
+    "@backstage/errors": "^1.2.7",
+    "@backstage/plugin-catalog-node": "^2.0.0",
+    "@backstage/types": "^1.2.2",
     "@cfworker/json-schema": "^4.1.1",
     "@modelcontextprotocol/sdk": "^1.25.2",
     "express": "^4.22.0",
@@ -50,9 +49,12 @@
     "zod": "^3.25.76"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "1.10.5-next.0",
-    "@backstage/cli": "0.35.4-next.1",
-    "@types/express": "^4.17.6"
+    "@backstage/backend-defaults": "^0.15.2",
+    "@backstage/backend-test-utils": "^1.11.0",
+    "@backstage/cli": "^0.35.4",
+    "@types/express": "^4.17.6",
+    "@types/supertest": "^2.0.8",
+    "supertest": "^7.0.0"
   },
   "typesVersions": {
     "*": {