npm - @platf/bridge - Versions diffs - 0.0.14 → 0.0.16 - Mend

@platf/bridge 0.0.14 → 0.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/lib/discoveryRoutes.js +70 -2
package/dist/lib/discoveryRoutes.js.map +1 -1
package/package.json +1 -1
package/src/lib/discoveryRoutes.ts +73 -2

package/dist/lib/discoveryRoutes.js CHANGED Viewed

@@ -78,10 +78,15 @@ export function createDiscoveryRouter(auth, logger) {
                 return res.status(502).json({ error: 'upstream_error' });
             }
             const metadata = (await upstream.json());
-            // Patch registration_endpoint to point to our pseudo-DCR
+            // Patch all OAuth endpoints to point to our proxy
             const scheme = req.protocol;
             const host = req.get('host');
-            metadata.registration_endpoint = `${scheme}://${host}/oauth/register`;
+            const bridgeOrigin = `${scheme}://${host}`;
+            metadata.issuer = bridgeOrigin;
+            metadata.authorization_endpoint = `${bridgeOrigin}/oauth/authorize`;
+            metadata.token_endpoint = `${bridgeOrigin}/oauth/token`;
+            metadata.registration_endpoint = `${bridgeOrigin}/oauth/register`;
+            metadata.jwks_uri = `${bridgeOrigin}/jwks`;
             res.json(metadata);
         }
         catch (err) {
@@ -109,6 +114,69 @@ export function createDiscoveryRouter(auth, logger) {
             redirect_uris: Array.isArray(body.redirect_uris) ? body.redirect_uris : [],
         });
     });
+    /**
+     * OAuth Authorization Endpoint — Redirect to upstream
+     *
+     * Since the bridge advertises itself as the authorization_server,
+     * clients will attempt to call /oauth/authorize here. We redirect
+     * to the upstream auth server, preserving all query parameters.
+     */
+    router.get('/oauth/authorize', (req, res) => {
+        const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`);
+        // Copy all query params to upstream
+        for (const [key, value] of Object.entries(req.query)) {
+            if (typeof value === 'string') {
+                upstreamUrl.searchParams.set(key, value);
+            }
+        }
+        logger.info(`[discovery] Redirecting /oauth/authorize to ${upstreamUrl.toString().slice(0, 100)}...`);
+        res.redirect(upstreamUrl.toString());
+    });
+    /**
+     * OAuth Token Endpoint — Proxy to upstream
+     *
+     * Proxies token exchange requests to the upstream auth server.
+     */
+    router.post('/oauth/token', async (req, res) => {
+        try {
+            const upstreamUrl = `${auth.issuer}/oauth/token`;
+            logger.info('[discovery] Proxying /oauth/token to upstream');
+            const upstreamRes = await fetch(upstreamUrl, {
+                method: 'POST',
+                headers: {
+                    'Content-Type': req.get('Content-Type') || 'application/x-www-form-urlencoded',
+                },
+                body: req.get('Content-Type')?.includes('application/json')
+                    ? JSON.stringify(req.body)
+                    : new URLSearchParams(req.body).toString(),
+            });
+            const data = await upstreamRes.text();
+            res.status(upstreamRes.status);
+            res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json');
+            res.send(data);
+        }
+        catch (err) {
+            logger.error('[discovery] Error proxying /oauth/token:', err.message ?? err);
+            res.status(502).json({ error: 'upstream_error' });
+        }
+    });
+    /**
+     * JWKS Endpoint — Proxy to upstream
+     *
+     * Proxies JSON Web Key Set requests for token verification.
+     */
+    router.get('/jwks', async (req, res) => {
+        try {
+            const upstreamUrl = `${auth.issuer}/jwks`;
+            const upstreamRes = await fetch(upstreamUrl);
+            const data = await upstreamRes.json();
+            res.json(data);
+        }
+        catch (err) {
+            logger.error('[discovery] Error proxying /jwks:', err.message ?? err);
+            res.status(502).json({ error: 'upstream_error' });
+        }
+    });
     return router;
 }
 //# sourceMappingURL=discoveryRoutes.js.map

package/dist/lib/discoveryRoutes.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,~~yDAAyD~~;~~YACzD~~,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,~~QAAQ~~,~~CAAC~~,~~qBAAqB,~~GAAG,GAAG,MAAM,MAAM,IAAI,iBAAiB,CAAA;~~YAErE~~,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}
1	+ {"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;OAkBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,4DAA4D;YAC5D,qBAAqB,EAAE,CAAC,YAAY,CAAC;YACrC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,kDAAkD;YAClD,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;YAC1C,QAAQ,CAAC,MAAM,GAAG,YAAY,CAAA;YAC9B,QAAQ,CAAC,sBAAsB,GAAG,GAAG,YAAY,kBAAkB,CAAA;YACnE,QAAQ,CAAC,cAAc,GAAG,GAAG,YAAY,cAAc,CAAA;YACvD,QAAQ,CAAC,qBAAqB,GAAG,GAAG,YAAY,iBAAiB,CAAA;YACjE,QAAQ,CAAC,QAAQ,GAAG,GAAG,YAAY,OAAO,CAAA;YAE1C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF;;;;;;OAMG;IACH,MAAM,CAAC,GAAG,CAAC,kBAAkB,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAC7D,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,MAAM,kBAAkB,CAAC,CAAA;QAC7D,oCAAoC;QACpC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;gBAC9B,WAAW,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;YAC1C,CAAC;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,+CAA+C,WAAW,CAAC,QAAQ,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,KAAK,CAAC,CAAA;QACrG,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC,CAAA;IACtC,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,IAAI,CAAC,cAAc,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAChE,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,cAAc,CAAA;YAChD,MAAM,CAAC,IAAI,CAAC,+CAA+C,CAAC,CAAA;YAE5D,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,EAAE;gBAC3C,MAAM,EAAE,MAAM;gBACd,OAAO,EAAE;oBACP,cAAc,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,mCAAmC;iBAC/E;gBACD,IAAI,EAAE,GAAG,CAAC,GAAG,CAAC,cAAc,CAAC,EAAE,QAAQ,CAAC,kBAAkB,CAAC;oBACzD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC;oBAC1B,CAAC,CAAC,IAAI,eAAe,CAAC,GAAG,CAAC,IAA8B,CAAC,CAAC,QAAQ,EAAE;aACvE,CAAC,CAAA;YAEF,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,MAAM,CAAC,CAAA;YAC9B,GAAG,CAAC,GAAG,CAAC,cAAc,EAAE,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,kBAAkB,CAAC,CAAA;YACtF,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC5E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;OAIG;IACH,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QACxD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,OAAO,CAAA;YACzC,MAAM,WAAW,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAC5C,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,EAAE,CAAA;YACrC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QAChB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,mCAAmC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YACrE,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@platf/bridge",
-  "version": "0.0.14",
+  "version": "0.0.16",
   "description": "Stdio-to-Streamable HTTP bridge for MCP servers — Platf AI Hub",
   "module": "src/index.ts",
   "main": "dist/index.js",

package/src/lib/discoveryRoutes.ts CHANGED Viewed

@@ -87,10 +87,15 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
       const metadata = (await upstream.json()) as Record<string, unknown>
-      // Patch registration_endpoint to point to our pseudo-DCR
+      // Patch all OAuth endpoints to point to our proxy
       const scheme = req.protocol
       const host = req.get('host')
-      metadata.registration_endpoint = `${scheme}://${host}/oauth/register`
+      const bridgeOrigin = `${scheme}://${host}`
+      metadata.issuer = bridgeOrigin
+      metadata.authorization_endpoint = `${bridgeOrigin}/oauth/authorize`
+      metadata.token_endpoint = `${bridgeOrigin}/oauth/token`
+      metadata.registration_endpoint = `${bridgeOrigin}/oauth/register`
+      metadata.jwks_uri = `${bridgeOrigin}/jwks`
       res.json(metadata)
     } catch (err: any) {
@@ -120,5 +125,71 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
     })
   })
+  /**
+   * OAuth Authorization Endpoint — Redirect to upstream
+   *
+   * Since the bridge advertises itself as the authorization_server,
+   * clients will attempt to call /oauth/authorize here. We redirect
+   * to the upstream auth server, preserving all query parameters.
+   */
+  router.get('/oauth/authorize', (req: Request, res: Response) => {
+    const upstreamUrl = new URL(`${auth.issuer}/oauth/authorize`)
+    // Copy all query params to upstream
+    for (const [key, value] of Object.entries(req.query)) {
+      if (typeof value === 'string') {
+        upstreamUrl.searchParams.set(key, value)
+      }
+    }
+    logger.info(`[discovery] Redirecting /oauth/authorize to ${upstreamUrl.toString().slice(0, 100)}...`)
+    res.redirect(upstreamUrl.toString())
+  })
+  /**
+   * OAuth Token Endpoint — Proxy to upstream
+   *
+   * Proxies token exchange requests to the upstream auth server.
+   */
+  router.post('/oauth/token', async (req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/oauth/token`
+      logger.info('[discovery] Proxying /oauth/token to upstream')
+      const upstreamRes = await fetch(upstreamUrl, {
+        method: 'POST',
+        headers: {
+          'Content-Type': req.get('Content-Type') || 'application/x-www-form-urlencoded',
+        },
+        body: req.get('Content-Type')?.includes('application/json')
+          ? JSON.stringify(req.body)
+          : new URLSearchParams(req.body as Record<string, string>).toString(),
+      })
+      const data = await upstreamRes.text()
+      res.status(upstreamRes.status)
+      res.set('Content-Type', upstreamRes.headers.get('Content-Type') || 'application/json')
+      res.send(data)
+    } catch (err: any) {
+      logger.error('[discovery] Error proxying /oauth/token:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
+  /**
+   * JWKS Endpoint — Proxy to upstream
+   *
+   * Proxies JSON Web Key Set requests for token verification.
+   */
+  router.get('/jwks', async (req: Request, res: Response) => {
+    try {
+      const upstreamUrl = `${auth.issuer}/jwks`
+      const upstreamRes = await fetch(upstreamUrl)
+      const data = await upstreamRes.json()
+      res.json(data)
+    } catch (err: any) {
+      logger.error('[discovery] Error proxying /jwks:', err.message ?? err)
+      res.status(502).json({ error: 'upstream_error' })
+    }
+  })
   return router
 }