@platf/bridge 0.0.13 → 0.0.15

package/dist/lib/discoveryRoutes.js

@@ -26,15 +26,21 @@ export function createDiscoveryRouter(auth, logger) {
      * The `resource` field MUST match the URL the client is accessing (RFC 9728 §2).
      * For path-suffixed requests like /.well-known/oauth-protected-resource/mcp,
      * the resource is the path after the well-known prefix.
+     *
+     * IMPORTANT: We advertise the BRIDGE as the authorization_server (not the upstream issuer).
+     * This ensures clients use our proxied AS metadata (which patches registration_endpoint),
+     * rather than going directly to the upstream auth server's DCR endpoint.
      */
     router.get('/.well-known/oauth-protected-resource', (req, res) => {
         // Exact match — client is looking for the root resource
         // Return /mcp as that's our protected endpoint
         const scheme = req.protocol;
         const host = req.get('host');
+        const bridgeOrigin = `${scheme}://${host}`;
         const resourceMetadata = {
-            resource: `${scheme}://${host}/mcp`,
-            authorization_servers: [auth.issuer],
+            resource: `${bridgeOrigin}/mcp`,
+            // Point to OURSELVES so clients use our proxied AS metadata
+            authorization_servers: [bridgeOrigin],
             scopes_supported: ['openid', 'profile', 'email'],
             bearer_methods_supported: ['header'],
         };
@@ -44,10 +50,12 @@ export function createDiscoveryRouter(auth, logger) {
         // Path-suffixed request — the suffix IS the protected resource path
         const scheme = req.protocol;
         const host = req.get('host');
+        const bridgeOrigin = `${scheme}://${host}`;
         const resourcePath = '/' + req.params[0];
         const resourceMetadata = {
-            resource: `${scheme}://${host}${resourcePath}`,
-            authorization_servers: [auth.issuer],
+            resource: `${bridgeOrigin}${resourcePath}`,
+            // Point to OURSELVES so clients use our proxied AS metadata
+            authorization_servers: [bridgeOrigin],
             scopes_supported: ['openid', 'profile', 'email'],
             bearer_methods_supported: ['header'],
         };
@@ -101,6 +109,69 @@ export function createDiscoveryRouter(auth, logger) {
             redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : [],
         });
     });
+    /**
+     * OAuth Authorization Endpoint — Redirect to upstream
+     *
+     * Since the bridge advertises itself as the authorization_server,
+     * clients will attempt to call /oauth/authorize here. We redirect
+     * to the upstream auth server, preserving all query parameters.
+     */
+    router.get('/oauth/authorize', (req, res) => {
+        const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`);
+        // Copy all query params to upstream
+        for (const [key, value] of Object.entries(req.query)) {
+            if (typeof value === 'string') {
+                upstreamUrl.searchParams.set(key, value);
+            }
+        }
+        logger.info(`[discovery] Redirecting /oauth/authorize to ${upstreamUrl.toString().slice(0, 100)}...`);
+        res.redirect(upstreamUrl.toString());
+    });
+    /**
+     * OAuth Token Endpoint — Proxy to upstream
+     *
+     * Proxies token exchange requests to the upstream auth server.
+     */
+    router.post('/oauth/token', async (req, res) => {
+        try {
+            const upstreamUrl = `${auth.issuer}/oauth/token`;
+            logger.info('[discovery] Proxying /oauth/token to upstream');
+            const upstreamRes = await fetch(upstreamUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': req.get('Content-Type') || 'application/x-www-form-urlencoded',
+                },
+                body: req.get('Content-Type')?.includes('application/json')
+                    ? JSON.stringify(req.body)
+                    : new URLSearchParams(req.body).toString(),
+            });
+            const data = await upstreamRes.text();
+            res.status(upstreamRes.status);
+            res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json');
+            res.send(data);
+        }
+        catch (err) {
+            logger.error('[discovery] Error proxying /oauth/token:', err.message ?? err);
+            res.status(502).json({ error: 'upstream_error' });
+        }
+    });
+    /**
+     * JWKS Endpoint — Proxy to upstream
+     *
+     * Proxies JSON Web Key Set requests for token verification.
+     */
+    router.get('/jwks', async (req, res) => {
+        try {
+            const upstreamUrl = `${auth.issuer}/jwks`;
+            const upstreamRes = await fetch(upstreamUrl);
+            const data = await upstreamRes.json();
+            res.json(data);
+        }
+        catch (err) {
+            logger.error('[discovery] Error proxying /jwks:', err.message ?? err);
+            res.status(502).json({ error: 'upstream_error' });
+        }
+    });
     return router;
 }
 //# sourceMappingURL=discoveryRoutes.js.map

package/dist/lib/discoveryRoutes.js.map

@@ -1 +1 @@
-{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;OAcG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,MAAM,MAAM,IAAI,MAAM;YACnC,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACpC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,MAAM,MAAM,IAAI,GAAG,YAAY,EAAE;YAC9C,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACpC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,yDAAyD;YACzD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,QAAQ,CAAC,qBAAqB,GAAG,GAAG,MAAM,MAAM,IAAI,iBAAiB,CAAA;YAErE,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}
+{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,yDAAyD;YACzD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,QAAQ,CAAC,qBAAqB,GAAG,GAAG,MAAM,MAAM,IAAI,iBAAiB,CAAA;YAErE,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,kBAAkB,CAAC,CAAA;QAC7D,oCAAoC;QACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,+CAA+C,WAAW,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC,CAAA;QACrG,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAChE,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,cAAc,CAAA;YAChD,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAA;YAE5D,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBAC3C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,mCAAmC;iBAC/E;gBACD,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,CAAC,kBAAkB,CAAC;oBACzD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;oBAC1B,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAA8B,CAAC,CAAC,QAAQ,EAAE;aACvE,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAA;YAC9B,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kBAAkB,CAAC,CAAA;YACtF,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC5E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACxD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,OAAO,CAAA;YACzC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAC5C,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YACrE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@platf/bridge",
-  "version": "0.0.13",
+  "version": "0.0.15",
   "description": "Stdio-to-Streamable HTTP bridge for MCP servers — Platf AI Hub",
   "module": "src/index.ts",
   "main": "dist/index.js",

package/src/lib/discoveryRoutes.ts

@@ -30,15 +30,21 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
    * The `resource` field MUST match the URL the client is accessing (RFC 9728 §2).
    * For path-suffixed requests like /.well-known/oauth-protected-resource/mcp,
    * the resource is the path after the well-known prefix.
+   *
+   * IMPORTANT: We advertise the BRIDGE as the authorization_server (not the upstream issuer).
+   * This ensures clients use our proxied AS metadata (which patches registration_endpoint),
+   * rather than going directly to the upstream auth server's DCR endpoint.
    */
   router.get('/.well-known/oauth-protected-resource', (req: Request, res: Response) => {
     // Exact match — client is looking for the root resource
     // Return /mcp as that's our protected endpoint
     const scheme = req.protocol
     const host = req.get('host')
+    const bridgeOrigin = `${scheme}://${host}`
     const resourceMetadata = {
-      resource: `${scheme}://${host}/mcp`,
-      authorization_servers: [auth.issuer],
+      resource: `${bridgeOrigin}/mcp`,
+      // Point to OURSELVES so clients use our proxied AS metadata
+      authorization_servers: [bridgeOrigin],
       scopes_supported: ['openid', 'profile', 'email'],
       bearer_methods_supported: ['header'],
     }
@@ -49,10 +55,12 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
     // Path-suffixed request — the suffix IS the protected resource path
     const scheme = req.protocol
     const host = req.get('host')
+    const bridgeOrigin = `${scheme}://${host}`
     const resourcePath = '/' + req.params[0]
     const resourceMetadata = {
-      resource: `${scheme}://${host}${resourcePath}`,
-      authorization_servers: [auth.issuer],
+      resource: `${bridgeOrigin}${resourcePath}`,
+      // Point to OURSELVES so clients use our proxied AS metadata
+      authorization_servers: [bridgeOrigin],
       scopes_supported: ['openid', 'profile', 'email'],
       bearer_methods_supported: ['header'],
     }
@@ -112,5 +120,71 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
     })
   })
 
+  /**
+   * OAuth Authorization Endpoint — Redirect to upstream
+   *
+   * Since the bridge advertises itself as the authorization_server,
+   * clients will attempt to call /oauth/authorize here. We redirect
+   * to the upstream auth server, preserving all query parameters.
+   */
+  router.get('/oauth/authorize', (req: Request, res: Response) => {
+    const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`)
+    // Copy all query params to upstream
+    for (const [key, value] of Object.entries(req.query)) {
+      if (typeof value === 'string') {
+        upstreamUrl.searchParams.set(key, value)
+      }
+    }
+    logger.info(`[discovery] Redirecting /oauth/authorize to ${upstreamUrl.toString().slice(0, 100)}...`)
+    res.redirect(upstreamUrl.toString())
+  })
+
+  /**
+   * OAuth Token Endpoint — Proxy to upstream
+   *
+   * Proxies token exchange requests to the upstream auth server.
+   */
+  router.post('/oauth/token', async (req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/oauth/token`
+      logger.info('[discovery] Proxying /oauth/token to upstream')
+
+      const upstreamRes = await fetch(upstreamUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': req.get('Content-Type') || 'application/x-www-form-urlencoded',
+        },
+        body: req.get('Content-Type')?.includes('application/json')
+          ? JSON.stringify(req.body)
+          : new URLSearchParams(req.body as Record<string, string>).toString(),
+      })
+
+      const data = await upstreamRes.text()
+      res.status(upstreamRes.status)
+      res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json')
+      res.send(data)
+    } catch (err: any) {
+      logger.error('[discovery] Error proxying /oauth/token:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
+
+  /**
+   * JWKS Endpoint — Proxy to upstream
+   *
+   * Proxies JSON Web Key Set requests for token verification.
+   */
+  router.get('/jwks', async (req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/jwks`
+      const upstreamRes = await fetch(upstreamUrl)
+      const data = await upstreamRes.json()
+      res.json(data)
+    } catch (err: any) {
+      logger.error('[discovery] Error proxying /jwks:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
+
   return router
 }