npm - @inkeep/agents-manage-api - Versions diffs - 0.22.11 → 0.23.0 - Mend

@inkeep/agents-manage-api 0.22.11 → 0.23.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4534,8 +4534,16 @@ app19.route("/projects/:projectId/agent", agentFull_default);
 var routes_default = app19;
 var logger6 = agentsCore.getLogger("oauth-service");
 var pkceStore = /* @__PURE__ */ new Map();
-function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
-  pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
+function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientInformation, metadata, resourceUrl) {
+  pkceStore.set(state, {
+    codeVerifier,
+    toolId,
+    tenantId,
+    projectId,
+    clientInformation,
+    metadata,
+    resourceUrl
+  });
   setTimeout(
     () => {
       pkceStore.delete(state);
@@ -4563,216 +4571,74 @@ var OAuthService = class {
     };
   }
   /**
-   * Initiate OAuth flow for an MCP tool
+   * Initiate OAuth flow for an MCP tool using MCP SDK
    */
   async initiateOAuthFlow(params) {
-    const { tool, tenantId, projectId, toolId, baseUrl } = params;
-    if (tool.config.type !== "mcp") {
-      throw new Error("OAuth is only supported for MCP tools");
-    }
-    const oAuthConfig = await agentsCore.discoverOAuthEndpoints(tool.config.mcp.server.url, logger6);
-    if (!oAuthConfig) {
-      throw new Error("OAuth not supported by this server");
-    }
-    const { codeVerifier, codeChallenge } = await this.generatePKCEInternal();
+    const { tenantId, projectId, toolId, mcpServerUrl, baseUrl } = params;
     const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
     const redirectUri = `${redirectBaseUrl}/oauth/callback`;
-    let clientId = this.defaultConfig.defaultClientId;
-    if (oAuthConfig.supportsDynamicRegistration && oAuthConfig.registrationUrl) {
-      clientId = await this.performDynamicClientRegistration(
-        oAuthConfig.registrationUrl,
-        redirectUri
-      );
-    }
     const state = `tool_${toolId}`;
-    const authUrl = this.buildAuthorizationUrl({
-      oAuthConfig,
-      clientId,
+    const authResult = await agentsCore.initiateMcpOAuthFlow({
+      mcpServerUrl,
       redirectUri,
       state,
-      codeChallenge,
-      resource: tool.config.mcp.server.url
+      clientName: this.defaultConfig.clientName,
+      clientUri: this.defaultConfig.clientUri,
+      logoUri: this.defaultConfig.logoUri,
+      defaultClientId: this.defaultConfig.defaultClientId,
+      logger: logger6
     });
-    storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-    logger6.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
+    storePKCEVerifier(
+      state,
+      authResult.codeVerifier,
+      toolId,
+      tenantId,
+      projectId,
+      authResult.clientInformation,
+      authResult.metadata,
+      authResult.resourceUrl
+    );
+    logger6.info(
+      {
+        toolId,
+        authorizationUrl: authResult.authorizationUrl,
+        tenantId,
+        projectId,
+        scopes: authResult.scopes
+      },
+      "MCP OAuth flow initiated successfully"
+    );
     return {
-      redirectUrl: authUrl,
+      redirectUrl: authResult.authorizationUrl,
       state
     };
   }
   /**
-   * Exchange authorization code for access tokens
+   * Exchange authorization code for access tokens using MCP SDK with stored metadata
    */
   async exchangeCodeForTokens(params) {
-    const { code, codeVerifier, clientId, tool, baseUrl } = params;
-    if (tool.config.type !== "mcp") {
-      throw new Error("OAuth is only supported for MCP tools");
-    }
-    const oAuthConfig = await agentsCore.discoverOAuthEndpoints(tool.config.mcp.server.url, logger6);
-    if (!oAuthConfig?.tokenUrl) {
-      throw new Error("Could not discover OAuth token endpoint");
-    }
+    const { code, codeVerifier, clientInformation, metadata, resourceUrl, mcpServerUrl, baseUrl } = params;
     const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
     const redirectUri = `${redirectBaseUrl}/oauth/callback`;
-    let tokens;
-    try {
-      tokens = await this.exchangeWithOpenIdClient({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger6.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
-    } catch (error) {
-      logger6.warn(
-        { error: error instanceof Error ? error.message : error },
-        "openid-client failed, falling back to manual token exchange"
-      );
-      tokens = await this.exchangeManually({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger6.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
-    }
-    return { tokens, oAuthConfig };
-  }
-  /**
-   * Perform dynamic client registration
-   */
-  async performDynamicClientRegistration(registrationUrl, redirectUri) {
-    logger6.info({ registrationUrl }, "Attempting dynamic client registration");
-    try {
-      const registrationResponse = await fetch(registrationUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: JSON.stringify({
-          client_name: this.defaultConfig.clientName,
-          client_uri: this.defaultConfig.clientUri,
-          logo_uri: this.defaultConfig.logoUri,
-          redirect_uris: [redirectUri],
-          grant_types: ["authorization_code"],
-          response_types: ["code"],
-          token_endpoint_auth_method: "none",
-          // PKCE only, no client secret
-          application_type: "native"
-          // For PKCE flows
-        })
-      });
-      if (registrationResponse.ok) {
-        const registration = await registrationResponse.json();
-        logger6.info({ clientId: registration.client_id }, "Dynamic client registration successful");
-        return registration.client_id;
-      } else {
-        const errorText = await registrationResponse.text();
-        logger6.warn(
-          {
-            status: registrationResponse.status,
-            errorText
-          },
-          "Dynamic client registration failed, using default client_id"
-        );
-      }
-    } catch (regError) {
-      logger6.warn(
-        { error: regError },
-        "Dynamic client registration error, using default client_id"
-      );
-    }
-    return this.defaultConfig.defaultClientId;
-  }
-  /**
-   * Build authorization URL
-   */
-  buildAuthorizationUrl(params) {
-    const { oAuthConfig, clientId, redirectUri, state, codeChallenge, resource } = params;
-    const authUrl = new URL(oAuthConfig.authorizationUrl);
-    authUrl.searchParams.set("response_type", "code");
-    authUrl.searchParams.set("client_id", clientId);
-    authUrl.searchParams.set("redirect_uri", redirectUri);
-    authUrl.searchParams.set("state", state);
-    authUrl.searchParams.set("code_challenge", codeChallenge);
-    authUrl.searchParams.set("code_challenge_method", "S256");
-    authUrl.searchParams.set("resource", resource);
-    return authUrl.toString();
-  }
-  /**
-   * Exchange code using openid-client library
-   */
-  async exchangeWithOpenIdClient(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    const oauth = await import('openid-client');
-    const tokenUrl = new URL(oAuthConfig.tokenUrl);
-    const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-    logger6.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
-    const config = await oauth.discovery(
-      new URL(oauthServerUrl),
-      clientId,
-      void 0
-      // No client secret for PKCE
-    );
-    const callbackUrl = new URL(
-      `${redirectUri}?${new URLSearchParams({ code, state: "unused" }).toString()}`
-    );
-    return await oauth.authorizationCodeGrant(config, callbackUrl, {
-      pkceCodeVerifier: codeVerifier
+    const tokens = await agentsCore.exchangeMcpAuthorizationCode({
+      mcpServerUrl,
+      metadata,
+      clientInformation,
+      authorizationCode: code,
+      codeVerifier,
+      redirectUri,
+      resourceUrl,
+      logger: logger6
     });
-  }
-  /**
-   * Internal PKCE generation
-   */
-  async generatePKCEInternal() {
-    const codeVerifier = Buffer.from(
-      Array.from(crypto.getRandomValues(new Uint8Array(32)))
-    ).toString("base64url");
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const codeChallenge = Buffer.from(hash).toString("base64url");
-    return { codeVerifier, codeChallenge };
-  }
-  /**
-   * Manual token exchange fallback
-   */
-  async exchangeManually(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    logger6.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
-    const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
+    logger6.info(
+      {
+        tokenType: tokens.token_type,
+        hasRefreshToken: !!tokens.refresh_token,
+        clientId: clientInformation.client_id
       },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: redirectUri,
-        client_id: clientId,
-        code_verifier: codeVerifier
-        // PKCE verification
-      })
-    });
-    if (!tokenResponse.ok) {
-      const errorText = await tokenResponse.text();
-      logger6.error(
-        {
-          status: tokenResponse.status,
-          statusText: tokenResponse.statusText,
-          ...process.env.NODE_ENV === "development" && { errorText },
-          clientId,
-          tokenUrl: oAuthConfig.tokenUrl
-        },
-        "Token exchange failed"
-      );
-      throw new Error("Authentication failed. Please try again or contact support.");
-    }
-    return await tokenResponse.json();
+      "MCP token exchange successful"
+    );
+    return { tokens };
   }
 };
 var oauthService = new OAuthService();
@@ -4939,14 +4805,12 @@ app20.openapi(
         logger7.error({ toolId, tenantId, projectId }, "Tool not found for OAuth login");
         return c.text("Tool not found", 404);
       }
-      const credentialStores = c.get("credentialStores");
-      const mcpTool = await agentsCore.dbResultToMcpTool(tool, dbClient_default, credentialStores);
       const baseUrl = getBaseUrlFromRequest(c);
       const { redirectUrl } = await oauthService.initiateOAuthFlow({
-        tool: mcpTool,
         tenantId,
         projectId,
         toolId,
+        mcpServerUrl: tool.config.mcp.server.url,
         baseUrl
       });
       return c.redirect(redirectUrl, 302);
@@ -5015,7 +4879,15 @@ app20.openapi(
         });
         return c.html(expiredPage);
       }
-      const { codeVerifier, toolId, tenantId, projectId, clientId } = pkceData;
+      const {
+        codeVerifier,
+        toolId,
+        tenantId,
+        projectId,
+        clientInformation,
+        metadata,
+        resourceUrl
+      } = pkceData;
       const tool = await agentsCore.getToolById(dbClient_default)({
         scopes: { tenantId, projectId },
         toolId
@@ -5026,13 +4898,14 @@ app20.openapi(
       logger7.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
       logger7.info({ toolId }, "Exchanging authorization code for access token");
       const credentialStores = c.get("credentialStores");
-      const mcpTool = await agentsCore.dbResultToMcpTool(tool, dbClient_default, credentialStores);
       const baseUrl = getBaseUrlFromRequest(c);
       const { tokens } = await oauthService.exchangeCodeForTokens({
         code,
         codeVerifier,
-        clientId,
-        tool: mcpTool,
+        clientInformation,
+        metadata,
+        resourceUrl,
+        mcpServerUrl: tool.config.mcp.server.url,
         baseUrl
       });
       logger7.info(
@@ -5041,39 +4914,23 @@ app20.openapi(
       );
       const credentialTokenKey = `oauth_token_${toolId}`;
       let newCredentialData;
-      if (process.env.NANGO_SECRET_KEY) {
-        const nangoStore = credentialStores.get("nango-default");
-        await nangoStore?.set(credentialTokenKey, JSON.stringify(tokens));
-        newCredentialData = {
-          id: agentsCore.generateIdFromName(mcpTool.name),
-          type: agentsCore.CredentialStoreType.nango,
-          credentialStoreId: "nango-default",
-          retrievalParams: {
-            connectionId: credentialTokenKey,
-            providerConfigKey: credentialTokenKey,
-            provider: "private-api-bearer",
-            authMode: "API_KEY"
-          }
-        };
-      } else {
-        const keychainStore = credentialStores.get("keychain-default");
-        if (keychainStore) {
-          try {
-            await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
-            newCredentialData = {
-              id: agentsCore.generateIdFromName(mcpTool.name),
-              type: agentsCore.CredentialStoreType.keychain,
-              credentialStoreId: "keychain-default",
-              retrievalParams: {
-                key: credentialTokenKey
-              }
-            };
-          } catch (error2) {
-            logger7.info(
-              { error: error2 instanceof Error ? error2.message : error2 },
-              "Keychain store not available."
-            );
-          }
+      const keychainStore = credentialStores.get("keychain-default");
+      if (keychainStore) {
+        try {
+          await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
+          newCredentialData = {
+            id: agentsCore.generateIdFromName(tool.name),
+            type: agentsCore.CredentialStoreType.keychain,
+            credentialStoreId: "keychain-default",
+            retrievalParams: {
+              key: credentialTokenKey
+            }
+          };
+        } catch (error2) {
+          logger7.info(
+            { error: error2 instanceof Error ? error2.message : error2 },
+            "Keychain store not available."
+          );
         }
       }
       if (!newCredentialData) {

package/dist/index.js CHANGED Viewed

@@ -1,4 +1,4 @@
-import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, AgentListResponse, PaginationQueryParamsSchema, TenantProjectParamsSchema, listAgents, AgentResponse, TenantProjectIdParamsSchema, getAgentById, createApiError, ListResponseSchema, getAgentSubAgentInfos, SingleResponseSchema, TenantProjectAgentParamsSchema, AgentWithinContextOfProjectSchema, getFullAgentDefinition, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, ErrorResponseSchema, deleteAgent, createFullAgentServerSide, getFullAgent, updateFullAgentServerSide, deleteFullAgent, ApiKeyListResponse, listApiKeysPaginated, ApiKeyResponse, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, ArtifactComponentListResponse, listArtifactComponentsPaginated, ArtifactComponentResponse, getArtifactComponentById, ArtifactComponentApiInsertSchema, validatePropsAsJsonSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigListResponse, listContextConfigsPaginated, ContextConfigResponse, TenantProjectAgentIdParamsSchema, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialStoreType, CredentialReferenceListResponse, listCredentialReferencesPaginated, CredentialReferenceApiSelectSchema, CredentialReferenceResponse, getCredentialReferenceWithTools, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, DataComponentListResponse, listDataComponentsPaginated, DataComponentResponse, getDataComponent, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentListResponse, listExternalAgentsPaginated, ExternalAgentResponse, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, FunctionListResponse, listFunctions, FunctionResponse, getFunction, FunctionApiInsertSchema, upsertFunction, FunctionApiUpdateSchema, deleteFunction, FunctionToolApiSelectSchema, listFunctionTools, getFunctionToolById, FunctionToolApiInsertSchema, createFunctionTool, FunctionToolApiUpdateSchema, updateFunctionTool, deleteFunctionTool, ProjectListResponse, TenantParamsSchema, listProjectsPaginated, ProjectResponse, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, SubAgentArtifactComponentApiInsertSchema, SubAgentArtifactComponentApiSelectSchema, getSubAgentById, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, SubAgentDataComponentApiInsertSchema, SubAgentDataComponentApiSelectSchema, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, SubAgentRelationApiSelectSchema, SubAgentRelationQuerySchema, getAgentRelationsBySource, getSubAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, getAgentRelationById, SubAgentRelationApiInsertSchema, validateExternalAgent, validateInternalSubAgent, createSubAgentRelation, SubAgentRelationApiUpdateSchema, updateAgentRelation, deleteSubAgentRelation, SubAgentListResponse, listSubAgentsPaginated, SubAgentResponse, SubAgentApiInsertSchema, createSubAgent, SubAgentApiUpdateSchema, updateSubAgent, deleteSubAgent, SubAgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getAgentsForTool, SubAgentToolRelationApiInsertSchema, createAgentToolRelation, SubAgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, McpToolSchema, ToolStatusSchema, listTools, dbResultToMcpTool, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, generateIdFromName, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, discoverOAuthEndpoints, handleApiError } from '@inkeep/agents-core';
+import { loadEnvironmentFiles, getLogger, createDatabaseClient, commonGetErrorResponses, AgentListResponse, PaginationQueryParamsSchema, TenantProjectParamsSchema, listAgents, AgentResponse, TenantProjectIdParamsSchema, getAgentById, createApiError, ListResponseSchema, getAgentSubAgentInfos, SingleResponseSchema, TenantProjectAgentParamsSchema, AgentWithinContextOfProjectSchema, getFullAgentDefinition, AgentApiInsertSchema, createAgent, AgentApiUpdateSchema, updateAgent, ErrorResponseSchema, deleteAgent, createFullAgentServerSide, getFullAgent, updateFullAgentServerSide, deleteFullAgent, ApiKeyListResponse, listApiKeysPaginated, ApiKeyResponse, getApiKeyById, ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, generateApiKey, createApiKey, ApiKeyApiUpdateSchema, updateApiKey, deleteApiKey, ArtifactComponentListResponse, listArtifactComponentsPaginated, ArtifactComponentResponse, getArtifactComponentById, ArtifactComponentApiInsertSchema, validatePropsAsJsonSchema, createArtifactComponent, ArtifactComponentApiUpdateSchema, updateArtifactComponent, deleteArtifactComponent, ContextConfigListResponse, listContextConfigsPaginated, ContextConfigResponse, TenantProjectAgentIdParamsSchema, getContextConfigById, ContextConfigApiInsertSchema, createContextConfig, commonUpdateErrorResponses, ContextConfigApiUpdateSchema, updateContextConfig, commonDeleteErrorResponses, deleteContextConfig, CredentialStoreType, CredentialReferenceListResponse, listCredentialReferencesPaginated, CredentialReferenceApiSelectSchema, CredentialReferenceResponse, getCredentialReferenceWithTools, CredentialReferenceApiInsertSchema, createCredentialReference, CredentialReferenceApiUpdateSchema, updateCredentialReference, getCredentialReferenceById, getCredentialStoreLookupKeyFromRetrievalParams, deleteCredentialReference, DataComponentListResponse, listDataComponentsPaginated, DataComponentResponse, getDataComponent, DataComponentApiInsertSchema, createDataComponent, DataComponentApiUpdateSchema, updateDataComponent, deleteDataComponent, ExternalAgentListResponse, listExternalAgentsPaginated, ExternalAgentResponse, getExternalAgent, ExternalAgentApiInsertSchema, createExternalAgent, ExternalAgentApiUpdateSchema, updateExternalAgent, deleteExternalAgent, FunctionListResponse, listFunctions, FunctionResponse, getFunction, FunctionApiInsertSchema, upsertFunction, FunctionApiUpdateSchema, deleteFunction, FunctionToolApiSelectSchema, listFunctionTools, getFunctionToolById, FunctionToolApiInsertSchema, createFunctionTool, FunctionToolApiUpdateSchema, updateFunctionTool, deleteFunctionTool, ProjectListResponse, TenantParamsSchema, listProjectsPaginated, ProjectResponse, TenantIdParamsSchema, getProject, ProjectApiInsertSchema, createProject, ProjectApiUpdateSchema, updateProject, deleteProject, ArtifactComponentApiSelectSchema, getArtifactComponentsForAgent, getAgentsUsingArtifactComponent, SubAgentArtifactComponentApiInsertSchema, SubAgentArtifactComponentApiSelectSchema, getSubAgentById, isArtifactComponentAssociatedWithAgent, associateArtifactComponentWithAgent, RemovedResponseSchema, removeArtifactComponentFromAgent, ExistsResponseSchema, DataComponentApiSelectSchema, getDataComponentsForAgent, getAgentsUsingDataComponent, SubAgentDataComponentApiInsertSchema, SubAgentDataComponentApiSelectSchema, isDataComponentAssociatedWithAgent, associateDataComponentWithAgent, removeDataComponentFromAgent, SubAgentRelationApiSelectSchema, SubAgentRelationQuerySchema, getAgentRelationsBySource, getSubAgentRelationsByTarget, getExternalAgentRelations, listAgentRelations, getAgentRelationById, SubAgentRelationApiInsertSchema, validateExternalAgent, validateInternalSubAgent, createSubAgentRelation, SubAgentRelationApiUpdateSchema, updateAgentRelation, deleteSubAgentRelation, SubAgentListResponse, listSubAgentsPaginated, SubAgentResponse, SubAgentApiInsertSchema, createSubAgent, SubAgentApiUpdateSchema, updateSubAgent, deleteSubAgent, SubAgentToolRelationApiSelectSchema, getAgentToolRelationByAgent, getAgentToolRelationByTool, listAgentToolRelations, getAgentToolRelationById, getAgentsForTool, SubAgentToolRelationApiInsertSchema, createAgentToolRelation, SubAgentToolRelationApiUpdateSchema, updateAgentToolRelation, deleteAgentToolRelation, McpToolSchema, ToolStatusSchema, listTools, dbResultToMcpTool, getToolById, ToolApiInsertSchema, createTool, ToolApiUpdateSchema, updateTool, deleteTool, generateIdFromName, FullProjectDefinitionSchema, createFullProjectServerSide, getFullProject, updateFullProjectServerSide, deleteFullProject, createDefaultCredentialStores, CredentialStoreRegistry, initiateMcpOAuthFlow, exchangeMcpAuthorizationCode, handleApiError } from '@inkeep/agents-core';
 import { OpenAPIHono, createRoute, z as z$1 } from '@hono/zod-openapi';
 import { Hono } from 'hono';
 import { cors } from 'hono/cors';
@@ -4530,8 +4530,16 @@ app19.route("/projects/:projectId/agent", agentFull_default);
 var routes_default = app19;
 var logger6 = getLogger("oauth-service");
 var pkceStore = /* @__PURE__ */ new Map();
-function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId) {
-  pkceStore.set(state, { codeVerifier, toolId, tenantId, projectId, clientId });
+function storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientInformation, metadata, resourceUrl) {
+  pkceStore.set(state, {
+    codeVerifier,
+    toolId,
+    tenantId,
+    projectId,
+    clientInformation,
+    metadata,
+    resourceUrl
+  });
   setTimeout(
     () => {
       pkceStore.delete(state);
@@ -4559,216 +4567,74 @@ var OAuthService = class {
     };
   }
   /**
-   * Initiate OAuth flow for an MCP tool
+   * Initiate OAuth flow for an MCP tool using MCP SDK
    */
   async initiateOAuthFlow(params) {
-    const { tool, tenantId, projectId, toolId, baseUrl } = params;
-    if (tool.config.type !== "mcp") {
-      throw new Error("OAuth is only supported for MCP tools");
-    }
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger6);
-    if (!oAuthConfig) {
-      throw new Error("OAuth not supported by this server");
-    }
-    const { codeVerifier, codeChallenge } = await this.generatePKCEInternal();
+    const { tenantId, projectId, toolId, mcpServerUrl, baseUrl } = params;
     const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
     const redirectUri = `${redirectBaseUrl}/oauth/callback`;
-    let clientId = this.defaultConfig.defaultClientId;
-    if (oAuthConfig.supportsDynamicRegistration && oAuthConfig.registrationUrl) {
-      clientId = await this.performDynamicClientRegistration(
-        oAuthConfig.registrationUrl,
-        redirectUri
-      );
-    }
     const state = `tool_${toolId}`;
-    const authUrl = this.buildAuthorizationUrl({
-      oAuthConfig,
-      clientId,
+    const authResult = await initiateMcpOAuthFlow({
+      mcpServerUrl,
       redirectUri,
       state,
-      codeChallenge,
-      resource: tool.config.mcp.server.url
+      clientName: this.defaultConfig.clientName,
+      clientUri: this.defaultConfig.clientUri,
+      logoUri: this.defaultConfig.logoUri,
+      defaultClientId: this.defaultConfig.defaultClientId,
+      logger: logger6
     });
-    storePKCEVerifier(state, codeVerifier, toolId, tenantId, projectId, clientId);
-    logger6.info({ toolId, oAuthConfig, tenantId, projectId }, "OAuth flow initiated successfully");
+    storePKCEVerifier(
+      state,
+      authResult.codeVerifier,
+      toolId,
+      tenantId,
+      projectId,
+      authResult.clientInformation,
+      authResult.metadata,
+      authResult.resourceUrl
+    );
+    logger6.info(
+      {
+        toolId,
+        authorizationUrl: authResult.authorizationUrl,
+        tenantId,
+        projectId,
+        scopes: authResult.scopes
+      },
+      "MCP OAuth flow initiated successfully"
+    );
     return {
-      redirectUrl: authUrl,
+      redirectUrl: authResult.authorizationUrl,
       state
     };
   }
   /**
-   * Exchange authorization code for access tokens
+   * Exchange authorization code for access tokens using MCP SDK with stored metadata
    */
   async exchangeCodeForTokens(params) {
-    const { code, codeVerifier, clientId, tool, baseUrl } = params;
-    if (tool.config.type !== "mcp") {
-      throw new Error("OAuth is only supported for MCP tools");
-    }
-    const oAuthConfig = await discoverOAuthEndpoints(tool.config.mcp.server.url, logger6);
-    if (!oAuthConfig?.tokenUrl) {
-      throw new Error("Could not discover OAuth token endpoint");
-    }
+    const { code, codeVerifier, clientInformation, metadata, resourceUrl, mcpServerUrl, baseUrl } = params;
     const redirectBaseUrl = baseUrl || this.defaultConfig.redirectBaseUrl;
     const redirectUri = `${redirectBaseUrl}/oauth/callback`;
-    let tokens;
-    try {
-      tokens = await this.exchangeWithOpenIdClient({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger6.info({ tokenType: tokens.token_type }, "Token exchange successful with openid-client");
-    } catch (error) {
-      logger6.warn(
-        { error: error instanceof Error ? error.message : error },
-        "openid-client failed, falling back to manual token exchange"
-      );
-      tokens = await this.exchangeManually({
-        oAuthConfig,
-        clientId,
-        code,
-        codeVerifier,
-        redirectUri
-      });
-      logger6.info({ tokenType: tokens.token_type }, "Manual token exchange successful");
-    }
-    return { tokens, oAuthConfig };
-  }
-  /**
-   * Perform dynamic client registration
-   */
-  async performDynamicClientRegistration(registrationUrl, redirectUri) {
-    logger6.info({ registrationUrl }, "Attempting dynamic client registration");
-    try {
-      const registrationResponse = await fetch(registrationUrl, {
-        method: "POST",
-        headers: {
-          "Content-Type": "application/json",
-          Accept: "application/json"
-        },
-        body: JSON.stringify({
-          client_name: this.defaultConfig.clientName,
-          client_uri: this.defaultConfig.clientUri,
-          logo_uri: this.defaultConfig.logoUri,
-          redirect_uris: [redirectUri],
-          grant_types: ["authorization_code"],
-          response_types: ["code"],
-          token_endpoint_auth_method: "none",
-          // PKCE only, no client secret
-          application_type: "native"
-          // For PKCE flows
-        })
-      });
-      if (registrationResponse.ok) {
-        const registration = await registrationResponse.json();
-        logger6.info({ clientId: registration.client_id }, "Dynamic client registration successful");
-        return registration.client_id;
-      } else {
-        const errorText = await registrationResponse.text();
-        logger6.warn(
-          {
-            status: registrationResponse.status,
-            errorText
-          },
-          "Dynamic client registration failed, using default client_id"
-        );
-      }
-    } catch (regError) {
-      logger6.warn(
-        { error: regError },
-        "Dynamic client registration error, using default client_id"
-      );
-    }
-    return this.defaultConfig.defaultClientId;
-  }
-  /**
-   * Build authorization URL
-   */
-  buildAuthorizationUrl(params) {
-    const { oAuthConfig, clientId, redirectUri, state, codeChallenge, resource } = params;
-    const authUrl = new URL(oAuthConfig.authorizationUrl);
-    authUrl.searchParams.set("response_type", "code");
-    authUrl.searchParams.set("client_id", clientId);
-    authUrl.searchParams.set("redirect_uri", redirectUri);
-    authUrl.searchParams.set("state", state);
-    authUrl.searchParams.set("code_challenge", codeChallenge);
-    authUrl.searchParams.set("code_challenge_method", "S256");
-    authUrl.searchParams.set("resource", resource);
-    return authUrl.toString();
-  }
-  /**
-   * Exchange code using openid-client library
-   */
-  async exchangeWithOpenIdClient(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    const oauth = await import('openid-client');
-    const tokenUrl = new URL(oAuthConfig.tokenUrl);
-    const oauthServerUrl = `${tokenUrl.protocol}//${tokenUrl.host}`;
-    logger6.info({ oauthServerUrl, clientId }, "Attempting openid-client discovery");
-    const config = await oauth.discovery(
-      new URL(oauthServerUrl),
-      clientId,
-      void 0
-      // No client secret for PKCE
-    );
-    const callbackUrl = new URL(
-      `${redirectUri}?${new URLSearchParams({ code, state: "unused" }).toString()}`
-    );
-    return await oauth.authorizationCodeGrant(config, callbackUrl, {
-      pkceCodeVerifier: codeVerifier
+    const tokens = await exchangeMcpAuthorizationCode({
+      mcpServerUrl,
+      metadata,
+      clientInformation,
+      authorizationCode: code,
+      codeVerifier,
+      redirectUri,
+      resourceUrl,
+      logger: logger6
     });
-  }
-  /**
-   * Internal PKCE generation
-   */
-  async generatePKCEInternal() {
-    const codeVerifier = Buffer.from(
-      Array.from(crypto.getRandomValues(new Uint8Array(32)))
-    ).toString("base64url");
-    const encoder = new TextEncoder();
-    const data = encoder.encode(codeVerifier);
-    const hash = await crypto.subtle.digest("SHA-256", data);
-    const codeChallenge = Buffer.from(hash).toString("base64url");
-    return { codeVerifier, codeChallenge };
-  }
-  /**
-   * Manual token exchange fallback
-   */
-  async exchangeManually(params) {
-    const { oAuthConfig, clientId, code, codeVerifier, redirectUri } = params;
-    logger6.info({ tokenUrl: oAuthConfig.tokenUrl }, "Attempting manual token exchange");
-    const tokenResponse = await fetch(oAuthConfig.tokenUrl, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-        Accept: "application/json"
+    logger6.info(
+      {
+        tokenType: tokens.token_type,
+        hasRefreshToken: !!tokens.refresh_token,
+        clientId: clientInformation.client_id
       },
-      body: new URLSearchParams({
-        grant_type: "authorization_code",
-        code,
-        redirect_uri: redirectUri,
-        client_id: clientId,
-        code_verifier: codeVerifier
-        // PKCE verification
-      })
-    });
-    if (!tokenResponse.ok) {
-      const errorText = await tokenResponse.text();
-      logger6.error(
-        {
-          status: tokenResponse.status,
-          statusText: tokenResponse.statusText,
-          ...process.env.NODE_ENV === "development" && { errorText },
-          clientId,
-          tokenUrl: oAuthConfig.tokenUrl
-        },
-        "Token exchange failed"
-      );
-      throw new Error("Authentication failed. Please try again or contact support.");
-    }
-    return await tokenResponse.json();
+      "MCP token exchange successful"
+    );
+    return { tokens };
   }
 };
 var oauthService = new OAuthService();
@@ -4935,14 +4801,12 @@ app20.openapi(
         logger7.error({ toolId, tenantId, projectId }, "Tool not found for OAuth login");
         return c.text("Tool not found", 404);
       }
-      const credentialStores = c.get("credentialStores");
-      const mcpTool = await dbResultToMcpTool(tool, dbClient_default, credentialStores);
       const baseUrl = getBaseUrlFromRequest(c);
       const { redirectUrl } = await oauthService.initiateOAuthFlow({
-        tool: mcpTool,
         tenantId,
         projectId,
         toolId,
+        mcpServerUrl: tool.config.mcp.server.url,
         baseUrl
       });
       return c.redirect(redirectUrl, 302);
@@ -5011,7 +4875,15 @@ app20.openapi(
         });
         return c.html(expiredPage);
       }
-      const { codeVerifier, toolId, tenantId, projectId, clientId } = pkceData;
+      const {
+        codeVerifier,
+        toolId,
+        tenantId,
+        projectId,
+        clientInformation,
+        metadata,
+        resourceUrl
+      } = pkceData;
       const tool = await getToolById(dbClient_default)({
         scopes: { tenantId, projectId },
         toolId
@@ -5022,13 +4894,14 @@ app20.openapi(
       logger7.info({ toolId, tenantId, projectId }, "Processing OAuth callback");
       logger7.info({ toolId }, "Exchanging authorization code for access token");
       const credentialStores = c.get("credentialStores");
-      const mcpTool = await dbResultToMcpTool(tool, dbClient_default, credentialStores);
       const baseUrl = getBaseUrlFromRequest(c);
       const { tokens } = await oauthService.exchangeCodeForTokens({
         code,
         codeVerifier,
-        clientId,
-        tool: mcpTool,
+        clientInformation,
+        metadata,
+        resourceUrl,
+        mcpServerUrl: tool.config.mcp.server.url,
         baseUrl
       });
       logger7.info(
@@ -5037,39 +4910,23 @@ app20.openapi(
       );
       const credentialTokenKey = `oauth_token_${toolId}`;
       let newCredentialData;
-      if (process.env.NANGO_SECRET_KEY) {
-        const nangoStore = credentialStores.get("nango-default");
-        await nangoStore?.set(credentialTokenKey, JSON.stringify(tokens));
-        newCredentialData = {
-          id: generateIdFromName(mcpTool.name),
-          type: CredentialStoreType.nango,
-          credentialStoreId: "nango-default",
-          retrievalParams: {
-            connectionId: credentialTokenKey,
-            providerConfigKey: credentialTokenKey,
-            provider: "private-api-bearer",
-            authMode: "API_KEY"
-          }
-        };
-      } else {
-        const keychainStore = credentialStores.get("keychain-default");
-        if (keychainStore) {
-          try {
-            await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
-            newCredentialData = {
-              id: generateIdFromName(mcpTool.name),
-              type: CredentialStoreType.keychain,
-              credentialStoreId: "keychain-default",
-              retrievalParams: {
-                key: credentialTokenKey
-              }
-            };
-          } catch (error2) {
-            logger7.info(
-              { error: error2 instanceof Error ? error2.message : error2 },
-              "Keychain store not available."
-            );
-          }
+      const keychainStore = credentialStores.get("keychain-default");
+      if (keychainStore) {
+        try {
+          await keychainStore.set(credentialTokenKey, JSON.stringify(tokens));
+          newCredentialData = {
+            id: generateIdFromName(tool.name),
+            type: CredentialStoreType.keychain,
+            credentialStoreId: "keychain-default",
+            retrievalParams: {
+              key: credentialTokenKey
+            }
+          };
+        } catch (error2) {
+          logger7.info(
+            { error: error2 instanceof Error ? error2.message : error2 },
+            "Keychain store not available."
+          );
         }
       }
       if (!newCredentialData) {

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-manage-api",
-  "version": "0.22.11",
+  "version": "0.23.0",
   "description": "Agents Manage API for Inkeep Agent Framework - handles CRUD operations and OAuth",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -13,8 +13,8 @@
     "@hono/node-server": "^1.14.3",
     "@hono/swagger-ui": "^0.5.1",
     "@hono/zod-openapi": "^1.0.2",
-    "@nangohq/node": "^0.66.0",
-    "@nangohq/types": "^0.66.0",
+    "@nangohq/node": "^0.69.3",
+    "@nangohq/types": "^0.69.3",
     "dotenv": "^17.2.1",
     "drizzle-orm": "^0.44.4",
     "hono": "^4.9.7",
@@ -23,7 +23,7 @@
     "openid-client": "^6.6.4",
     "pino": "^9.7.0",
     "zod": "^4.1.11",
-    "@inkeep/agents-core": "^0.22.11"
+    "@inkeep/agents-core": "^0.23.0"
   },
   "optionalDependencies": {
     "keytar": "^7.9.0"