@mcp-z/oauth-microsoft 1.0.0

package/dist/cjs/lib/token-verifier.d.cts

@@ -0,0 +1,44 @@
+/**
+ * DCR Token Verifier
+ *
+ * Validates bearer tokens by calling Authorization Server's verification endpoint.
+ * Implements proper AS/RS separation - Resource Server doesn't access token storage.
+ */
+import type { ProviderTokens } from '@mcp-z/oauth';
+/**
+ * Authentication information from token verification
+ */
+export interface AuthInfo {
+    /** Bearer access token */
+    token: string;
+    /** Client ID that owns the token */
+    clientId: string;
+    /** Granted scopes */
+    scopes: string[];
+    /** Token expiration timestamp (milliseconds since epoch) */
+    expiresAt: number;
+    /** Microsoft provider tokens (if available) */
+    providerTokens?: ProviderTokens;
+}
+/**
+ * DCR Token Verifier validates access tokens via Authorization Server
+ *
+ * This implements proper OAuth 2.0 architecture where the Resource Server
+ * (MCP server) validates tokens by calling the Authorization Server's
+ * verification endpoint rather than accessing token storage directly.
+ */
+export declare class DcrTokenVerifier {
+    private verifyUrl;
+    /**
+     * @param verifyUrl - Authorization Server's /oauth/verify endpoint URL
+     */
+    constructor(verifyUrl: string);
+    /**
+     * Verify an access token by calling the Authorization Server
+     *
+     * @param token - Bearer access token to validate
+     * @returns AuthInfo with token metadata and provider tokens
+     * @throws Error if token is invalid or verification fails
+     */
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+}

package/dist/cjs/lib/token-verifier.d.ts

@@ -0,0 +1,44 @@
+/**
+ * DCR Token Verifier
+ *
+ * Validates bearer tokens by calling Authorization Server's verification endpoint.
+ * Implements proper AS/RS separation - Resource Server doesn't access token storage.
+ */
+import type { ProviderTokens } from '@mcp-z/oauth';
+/**
+ * Authentication information from token verification
+ */
+export interface AuthInfo {
+    /** Bearer access token */
+    token: string;
+    /** Client ID that owns the token */
+    clientId: string;
+    /** Granted scopes */
+    scopes: string[];
+    /** Token expiration timestamp (milliseconds since epoch) */
+    expiresAt: number;
+    /** Microsoft provider tokens (if available) */
+    providerTokens?: ProviderTokens;
+}
+/**
+ * DCR Token Verifier validates access tokens via Authorization Server
+ *
+ * This implements proper OAuth 2.0 architecture where the Resource Server
+ * (MCP server) validates tokens by calling the Authorization Server's
+ * verification endpoint rather than accessing token storage directly.
+ */
+export declare class DcrTokenVerifier {
+    private verifyUrl;
+    /**
+     * @param verifyUrl - Authorization Server's /oauth/verify endpoint URL
+     */
+    constructor(verifyUrl: string);
+    /**
+     * Verify an access token by calling the Authorization Server
+     *
+     * @param token - Bearer access token to validate
+     * @returns AuthInfo with token metadata and provider tokens
+     * @throws Error if token is invalid or verification fails
+     */
+    verifyAccessToken(token: string): Promise<AuthInfo>;
+}

package/dist/cjs/lib/token-verifier.js

@@ -0,0 +1,253 @@
+/**
+ * DCR Token Verifier
+ *
+ * Validates bearer tokens by calling Authorization Server's verification endpoint.
+ * Implements proper AS/RS separation - Resource Server doesn't access token storage.
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "DcrTokenVerifier", {
+    enumerable: true,
+    get: function() {
+        return DcrTokenVerifier;
+    }
+});
+function asyncGeneratorStep(gen, resolve, reject, _next, _throw, key, arg) {
+    try {
+        var info = gen[key](arg);
+        var value = info.value;
+    } catch (error) {
+        reject(error);
+        return;
+    }
+    if (info.done) {
+        resolve(value);
+    } else {
+        Promise.resolve(value).then(_next, _throw);
+    }
+}
+function _async_to_generator(fn) {
+    return function() {
+        var self = this, args = arguments;
+        return new Promise(function(resolve, reject) {
+            var gen = fn.apply(self, args);
+            function _next(value) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "next", value);
+            }
+            function _throw(err) {
+                asyncGeneratorStep(gen, resolve, reject, _next, _throw, "throw", err);
+            }
+            _next(undefined);
+        });
+    };
+}
+function _class_call_check(instance, Constructor) {
+    if (!(instance instanceof Constructor)) {
+        throw new TypeError("Cannot call a class as a function");
+    }
+}
+function _instanceof(left, right) {
+    if (right != null && typeof Symbol !== "undefined" && right[Symbol.hasInstance]) {
+        return !!right[Symbol.hasInstance](left);
+    } else {
+        return left instanceof right;
+    }
+}
+function _ts_generator(thisArg, body) {
+    var f, y, t, _ = {
+        label: 0,
+        sent: function() {
+            if (t[0] & 1) throw t[1];
+            return t[1];
+        },
+        trys: [],
+        ops: []
+    }, g = Object.create((typeof Iterator === "function" ? Iterator : Object).prototype), d = Object.defineProperty;
+    return d(g, "next", {
+        value: verb(0)
+    }), d(g, "throw", {
+        value: verb(1)
+    }), d(g, "return", {
+        value: verb(2)
+    }), typeof Symbol === "function" && d(g, Symbol.iterator, {
+        value: function() {
+            return this;
+        }
+    }), g;
+    function verb(n) {
+        return function(v) {
+            return step([
+                n,
+                v
+            ]);
+        };
+    }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while(g && (g = 0, op[0] && (_ = 0)), _)try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [
+                op[0] & 2,
+                t.value
+            ];
+            switch(op[0]){
+                case 0:
+                case 1:
+                    t = op;
+                    break;
+                case 4:
+                    _.label++;
+                    return {
+                        value: op[1],
+                        done: false
+                    };
+                case 5:
+                    _.label++;
+                    y = op[1];
+                    op = [
+                        0
+                    ];
+                    continue;
+                case 7:
+                    op = _.ops.pop();
+                    _.trys.pop();
+                    continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) {
+                        _ = 0;
+                        continue;
+                    }
+                    if (op[0] === 3 && (!t || op[1] > t[0] && op[1] < t[3])) {
+                        _.label = op[1];
+                        break;
+                    }
+                    if (op[0] === 6 && _.label < t[1]) {
+                        _.label = t[1];
+                        t = op;
+                        break;
+                    }
+                    if (t && _.label < t[2]) {
+                        _.label = t[2];
+                        _.ops.push(op);
+                        break;
+                    }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop();
+                    continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) {
+            op = [
+                6,
+                e
+            ];
+            y = 0;
+        } finally{
+            f = t = 0;
+        }
+        if (op[0] & 5) throw op[1];
+        return {
+            value: op[0] ? op[1] : void 0,
+            done: true
+        };
+    }
+}
+var DcrTokenVerifier = /*#__PURE__*/ function() {
+    "use strict";
+    function DcrTokenVerifier(verifyUrl) {
+        _class_call_check(this, DcrTokenVerifier);
+        this.verifyUrl = verifyUrl;
+    }
+    var _proto = DcrTokenVerifier.prototype;
+    /**
+   * Verify an access token by calling the Authorization Server
+   *
+   * @param token - Bearer access token to validate
+   * @returns AuthInfo with token metadata and provider tokens
+   * @throws Error if token is invalid or verification fails
+   */ _proto.verifyAccessToken = function verifyAccessToken(token) {
+        return _async_to_generator(function() {
+            var response, errorMessage, _ref, _error_error_description, _$error, unused, authInfo, error;
+            return _ts_generator(this, function(_state) {
+                switch(_state.label){
+                    case 0:
+                        _state.trys.push([
+                            0,
+                            8,
+                            ,
+                            9
+                        ]);
+                        return [
+                            4,
+                            fetch(this.verifyUrl, {
+                                method: 'GET',
+                                headers: {
+                                    Authorization: "Bearer ".concat(token)
+                                }
+                            })
+                        ];
+                    case 1:
+                        response = _state.sent();
+                        if (!!response.ok) return [
+                            3,
+                            6
+                        ];
+                        errorMessage = 'Unknown error';
+                        _state.label = 2;
+                    case 2:
+                        _state.trys.push([
+                            2,
+                            4,
+                            ,
+                            5
+                        ]);
+                        return [
+                            4,
+                            response.json()
+                        ];
+                    case 3:
+                        _$error = _state.sent();
+                        errorMessage = (_ref = (_error_error_description = _$error.error_description) !== null && _error_error_description !== void 0 ? _error_error_description : _$error.error) !== null && _ref !== void 0 ? _ref : errorMessage;
+                        return [
+                            3,
+                            5
+                        ];
+                    case 4:
+                        unused = _state.sent();
+                        // Failed to parse error JSON, use status text
+                        errorMessage = response.statusText;
+                        return [
+                            3,
+                            5
+                        ];
+                    case 5:
+                        throw new Error("Token verification failed: ".concat(errorMessage));
+                    case 6:
+                        return [
+                            4,
+                            response.json()
+                        ];
+                    case 7:
+                        authInfo = _state.sent();
+                        return [
+                            2,
+                            authInfo
+                        ];
+                    case 8:
+                        error = _state.sent();
+                        if (_instanceof(error, Error)) {
+                            throw error;
+                        }
+                        throw new Error("Token verification failed: ".concat(String(error)));
+                    case 9:
+                        return [
+                            2
+                        ];
+                }
+            });
+        }).call(this);
+    };
+    return DcrTokenVerifier;
+}();
+/* CJS INTEROP */ if (exports.__esModule && exports.default) { try { Object.defineProperty(exports.default, '__esModule', { value: true }); for (var key in exports) { exports.default[key] = exports[key]; } } catch (_) {}; module.exports = exports.default; }

package/dist/cjs/lib/token-verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["/Users/kevin/Dev/Projects/ai/mcp-z/oauth/oauth-microsoft/src/lib/token-verifier.ts"],"sourcesContent":["/**\n * DCR Token Verifier\n *\n * Validates bearer tokens by calling Authorization Server's verification endpoint.\n * Implements proper AS/RS separation - Resource Server doesn't access token storage.\n */\n\nimport type { ProviderTokens } from '@mcp-z/oauth';\n\n/**\n * Authentication information from token verification\n */\nexport interface AuthInfo {\n  /** Bearer access token */\n  token: string;\n\n  /** Client ID that owns the token */\n  clientId: string;\n\n  /** Granted scopes */\n  scopes: string[];\n\n  /** Token expiration timestamp (milliseconds since epoch) */\n  expiresAt: number;\n\n  /** Microsoft provider tokens (if available) */\n  providerTokens?: ProviderTokens;\n}\n\n/**\n * DCR Token Verifier validates access tokens via Authorization Server\n *\n * This implements proper OAuth 2.0 architecture where the Resource Server\n * (MCP server) validates tokens by calling the Authorization Server's\n * verification endpoint rather than accessing token storage directly.\n */\nexport class DcrTokenVerifier {\n  private verifyUrl: string;\n\n  /**\n   * @param verifyUrl - Authorization Server's /oauth/verify endpoint URL\n   */\n  constructor(verifyUrl: string) {\n    this.verifyUrl = verifyUrl;\n  }\n\n  /**\n   * Verify an access token by calling the Authorization Server\n   *\n   * @param token - Bearer access token to validate\n   * @returns AuthInfo with token metadata and provider tokens\n   * @throws Error if token is invalid or verification fails\n   */\n  async verifyAccessToken(token: string): Promise<AuthInfo> {\n    try {\n      const response = await fetch(this.verifyUrl, {\n        method: 'GET',\n        headers: {\n          Authorization: `Bearer ${token}`,\n        },\n      });\n\n      if (!response.ok) {\n        let errorMessage = 'Unknown error';\n        try {\n          const error = await response.json();\n          errorMessage = (error as { error_description?: string; error?: string }).error_description ?? (error as { error?: string }).error ?? errorMessage;\n        } catch {\n          // Failed to parse error JSON, use status text\n          errorMessage = response.statusText;\n        }\n        throw new Error(`Token verification failed: ${errorMessage}`);\n      }\n\n      const authInfo = (await response.json()) as AuthInfo;\n      return authInfo;\n    } catch (error) {\n      if (error instanceof Error) {\n        throw error;\n      }\n      throw new Error(`Token verification failed: ${String(error)}`);\n    }\n  }\n}\n"],"names":["DcrTokenVerifier","verifyUrl","verifyAccessToken","token","response","errorMessage","error","authInfo","fetch","method","headers","Authorization","ok","json","error_description","statusText","Error","String"],"mappings":"AAAA;;;;;CAKC;;;;+BA+BYA;;;eAAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAN,IAAA,AAAMA,iCAAN;;aAAMA,iBAMCC,SAAiB;gCANlBD;QAOT,IAAI,CAACC,SAAS,GAAGA;;iBAPRD;IAUX;;;;;;GAMC,GACD,OAAME,iBA6BL,GA7BD,SAAMA,kBAAkBC,KAAa;;gBAE3BC,UAQAC,cAGa,MAAA,0BADTC,iBASJC,UAECD;;;;;;;;;;wBArBU;;4BAAME,MAAM,IAAI,CAACP,SAAS,EAAE;gCAC3CQ,QAAQ;gCACRC,SAAS;oCACPC,eAAe,AAAC,UAAe,OAANR;gCAC3B;4BACF;;;wBALMC,WAAW;6BAOb,CAACA,SAASQ,EAAE,EAAZ;;;;wBACEP,eAAe;;;;;;;;;wBAEH;;4BAAMD,SAASS,IAAI;;;wBAA3BP,UAAQ;wBACdD,gBAAe,QAAA,2BAAA,AAACC,QAAyDQ,iBAAiB,cAA3E,sCAAA,2BAA+E,AAACR,QAA6BA,KAAK,cAAlH,kBAAA,OAAsHD;;;;;;;wBAErI,8CAA8C;wBAC9CA,eAAeD,SAASW,UAAU;;;;;;wBAEpC,MAAM,IAAIC,MAAM,AAAC,8BAA0C,OAAbX;;wBAG9B;;4BAAMD,SAASS,IAAI;;;wBAA/BN,WAAY;wBAClB;;4BAAOA;;;wBACAD;wBACP,IAAIA,AAAK,YAALA,OAAiBU,QAAO;4BAC1B,MAAMV;wBACR;wBACA,MAAM,IAAIU,MAAM,AAAC,8BAA2C,OAAdC,OAAOX;;;;;;;QAEzD;;WA9CWN"}

package/dist/cjs/package.json

@@ -0,0 +1 @@
+{ "type": "commonjs" }

package/dist/cjs/providers/dcr.d.cts

@@ -0,0 +1,110 @@
+/**
+ * DCR Provider - Stateless Dynamic Client Registration Provider
+ *
+ * Implements stateless provider pattern where provider tokens are received from
+ * token verification context rather than managed by the provider itself.
+ *
+ * Use case: MCP HTTP servers with DCR authentication where client manages tokens
+ * and provider only handles Microsoft Graph API calls with provided credentials.
+ */
+import type { ProviderTokens } from '@mcp-z/oauth';
+import type { Logger, MicrosoftAuthProvider } from '../types.js';
+/**
+ * DCR Provider configuration
+ */
+export interface DcrOAuthProviderConfig {
+    /** Microsoft application client ID */
+    clientId: string;
+    /** Microsoft application client secret (optional for public clients) */
+    clientSecret?: string;
+    /** Azure AD tenant ID */
+    tenantId: string;
+    /** OAuth scopes */
+    scope: string;
+    /** Custom token endpoint URL (for testing, defaults to Microsoft OAuth endpoint) */
+    tokenUrl?: string;
+    /** DCR token verification endpoint URL (e.g., http://localhost:3000/oauth/verify) */
+    verifyEndpoint: string;
+    /** Logger for auth operations */
+    logger: Logger;
+}
+/**
+ * DCR Provider - Stateless OAuth provider for Dynamic Client Registration
+ *
+ * Unlike LoopbackOAuthProvider which manages token storage, DcrOAuthProvider is stateless:
+ * - Receives provider tokens from verification context (HTTP bearer auth)
+ * - Creates auth providers on-demand from tokens
+ * - Handles token refresh using Microsoft OAuth
+ * - No token storage dependency
+ *
+ * Pattern:
+ * ```typescript
+ * const provider = new DcrOAuthProvider(config);
+ * const auth = provider.toAuthProvider(providerTokens);
+ * const accessToken = await auth.getAccessToken();
+ * ```
+ */
+export declare class DcrOAuthProvider {
+    private config;
+    private emailCache;
+    constructor(config: DcrOAuthProviderConfig);
+    /**
+     * Create Microsoft Graph auth provider from provider tokens
+     *
+     * This is the core stateless pattern - provider receives tokens from context
+     * (token verification, HTTP request) and creates auth provider on-demand.
+     *
+     * @param tokens - Provider tokens (Microsoft access/refresh tokens)
+     * @returns Microsoft Graph-compatible auth provider
+     */
+    toAuthProvider(tokens: ProviderTokens): MicrosoftAuthProvider;
+    /**
+     * Check if token is still valid (with 1 minute buffer)
+     */
+    private isTokenValid;
+    /**
+     * Refresh Microsoft access token using refresh token
+     *
+     * @param refreshToken - Microsoft refresh token
+     * @returns New provider tokens
+     */
+    refreshAccessToken(refreshToken: string): Promise<ProviderTokens>;
+    /**
+     * Get user email from Microsoft Graph API (with caching)
+     *
+     * @param tokens - Provider tokens to use for API call
+     * @returns User's email address
+     */
+    getUserEmail(tokens: ProviderTokens): Promise<string>;
+    /**
+     * Auth middleware for HTTP servers with DCR bearer auth
+     * Validates bearer tokens and enriches extra with provider tokens
+     *
+     * Pattern:
+     * ```typescript
+     * const provider = new DcrOAuthProvider({ ..., verifyEndpoint: 'http://localhost:3000/oauth/verify' });
+     * const middleware = provider.authMiddleware();
+     * const tools = toolFactories.map(f => f()).map(middleware.withToolAuth);
+     * const resources = resourceFactories.map(f => f()).map(middleware.withResourceAuth);
+     * const prompts = promptFactories.map(f => f()).map(middleware.withPromptAuth);
+     * ```
+     */
+    authMiddleware(): {
+        withToolAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withResourceAuth: <T extends {
+            name: string;
+            template?: unknown;
+            config?: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withPromptAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+    };
+}

package/dist/cjs/providers/dcr.d.ts

@@ -0,0 +1,110 @@
+/**
+ * DCR Provider - Stateless Dynamic Client Registration Provider
+ *
+ * Implements stateless provider pattern where provider tokens are received from
+ * token verification context rather than managed by the provider itself.
+ *
+ * Use case: MCP HTTP servers with DCR authentication where client manages tokens
+ * and provider only handles Microsoft Graph API calls with provided credentials.
+ */
+import type { ProviderTokens } from '@mcp-z/oauth';
+import type { Logger, MicrosoftAuthProvider } from '../types.js';
+/**
+ * DCR Provider configuration
+ */
+export interface DcrOAuthProviderConfig {
+    /** Microsoft application client ID */
+    clientId: string;
+    /** Microsoft application client secret (optional for public clients) */
+    clientSecret?: string;
+    /** Azure AD tenant ID */
+    tenantId: string;
+    /** OAuth scopes */
+    scope: string;
+    /** Custom token endpoint URL (for testing, defaults to Microsoft OAuth endpoint) */
+    tokenUrl?: string;
+    /** DCR token verification endpoint URL (e.g., http://localhost:3000/oauth/verify) */
+    verifyEndpoint: string;
+    /** Logger for auth operations */
+    logger: Logger;
+}
+/**
+ * DCR Provider - Stateless OAuth provider for Dynamic Client Registration
+ *
+ * Unlike LoopbackOAuthProvider which manages token storage, DcrOAuthProvider is stateless:
+ * - Receives provider tokens from verification context (HTTP bearer auth)
+ * - Creates auth providers on-demand from tokens
+ * - Handles token refresh using Microsoft OAuth
+ * - No token storage dependency
+ *
+ * Pattern:
+ * ```typescript
+ * const provider = new DcrOAuthProvider(config);
+ * const auth = provider.toAuthProvider(providerTokens);
+ * const accessToken = await auth.getAccessToken();
+ * ```
+ */
+export declare class DcrOAuthProvider {
+    private config;
+    private emailCache;
+    constructor(config: DcrOAuthProviderConfig);
+    /**
+     * Create Microsoft Graph auth provider from provider tokens
+     *
+     * This is the core stateless pattern - provider receives tokens from context
+     * (token verification, HTTP request) and creates auth provider on-demand.
+     *
+     * @param tokens - Provider tokens (Microsoft access/refresh tokens)
+     * @returns Microsoft Graph-compatible auth provider
+     */
+    toAuthProvider(tokens: ProviderTokens): MicrosoftAuthProvider;
+    /**
+     * Check if token is still valid (with 1 minute buffer)
+     */
+    private isTokenValid;
+    /**
+     * Refresh Microsoft access token using refresh token
+     *
+     * @param refreshToken - Microsoft refresh token
+     * @returns New provider tokens
+     */
+    refreshAccessToken(refreshToken: string): Promise<ProviderTokens>;
+    /**
+     * Get user email from Microsoft Graph API (with caching)
+     *
+     * @param tokens - Provider tokens to use for API call
+     * @returns User's email address
+     */
+    getUserEmail(tokens: ProviderTokens): Promise<string>;
+    /**
+     * Auth middleware for HTTP servers with DCR bearer auth
+     * Validates bearer tokens and enriches extra with provider tokens
+     *
+     * Pattern:
+     * ```typescript
+     * const provider = new DcrOAuthProvider({ ..., verifyEndpoint: 'http://localhost:3000/oauth/verify' });
+     * const middleware = provider.authMiddleware();
+     * const tools = toolFactories.map(f => f()).map(middleware.withToolAuth);
+     * const resources = resourceFactories.map(f => f()).map(middleware.withResourceAuth);
+     * const prompts = promptFactories.map(f => f()).map(middleware.withPromptAuth);
+     * ```
+     */
+    authMiddleware(): {
+        withToolAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withResourceAuth: <T extends {
+            name: string;
+            template?: unknown;
+            config?: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+        withPromptAuth: <T extends {
+            name: string;
+            config: unknown;
+            handler: unknown;
+        }>(module: T) => T;
+    };
+}