@platf/bridge 0.0.21 → 0.0.22
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -28,8 +28,9 @@ export function createDiscoveryRouter(auth, logger) {
|
|
|
28
28
|
* the resource is the path after the well-known prefix.
|
|
29
29
|
*
|
|
30
30
|
* IMPORTANT: We advertise the BRIDGE as the authorization_server (not the upstream issuer).
|
|
31
|
-
*
|
|
32
|
-
*
|
|
31
|
+
* Per RFC 8414 Section 3.3, the issuer in AS metadata MUST match the URL
|
|
32
|
+
* it was fetched from. So we point to the REAL issuer (auth.issuer).
|
|
33
|
+
* Clients will fetch AS metadata directly from the real auth server.
|
|
33
34
|
*/
|
|
34
35
|
router.get('/.well-known/oauth-protected-resource', (req, res) => {
|
|
35
36
|
// Exact match — client is looking for the root resource
|
|
@@ -39,8 +40,8 @@ export function createDiscoveryRouter(auth, logger) {
|
|
|
39
40
|
const bridgeOrigin = `${scheme}://${host}`;
|
|
40
41
|
const resourceMetadata = {
|
|
41
42
|
resource: `${bridgeOrigin}/mcp`,
|
|
42
|
-
// Point to
|
|
43
|
-
authorization_servers: [
|
|
43
|
+
// Point to REAL issuer so AS metadata validation passes (RFC 8414 §3.3)
|
|
44
|
+
authorization_servers: [auth.issuer],
|
|
44
45
|
scopes_supported: ['openid', 'profile', 'email'],
|
|
45
46
|
bearer_methods_supported: ['header'],
|
|
46
47
|
};
|
|
@@ -54,8 +55,8 @@ export function createDiscoveryRouter(auth, logger) {
|
|
|
54
55
|
const resourcePath = '/' + req.params[0];
|
|
55
56
|
const resourceMetadata = {
|
|
56
57
|
resource: `${bridgeOrigin}${resourcePath}`,
|
|
57
|
-
// Point to
|
|
58
|
-
authorization_servers: [
|
|
58
|
+
// Point to REAL issuer so AS metadata validation passes (RFC 8414 §3.3)
|
|
59
|
+
authorization_servers: [auth.issuer],
|
|
59
60
|
scopes_supported: ['openid', 'profile', 'email'],
|
|
60
61
|
bearer_methods_supported: ['header'],
|
|
61
62
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB
|
|
1
|
+
{"version":3,"file":"discoveryRoutes.js","sourceRoot":"","sources":["../../src/lib/discoveryRoutes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,EAA+B,MAAM,SAAS,CAAA;AAG7D,MAAM,UAAU,qBAAqB,CAAC,IAAgB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAA;IAEvB;;;;;;;;;;;;;;;;;;;OAmBG;IACH,MAAM,CAAC,GAAG,CAAC,uCAAuC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QAClF,wDAAwD;QACxD,+CAA+C;QAC/C,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,MAAM;YAC/B,wEAAwE;YACxE,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACpC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF,MAAM,CAAC,GAAG,CAAC,yCAAyC,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACpF,oEAAoE;QACpE,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;QAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QAC5B,MAAM,YAAY,GAAG,GAAG,MAAM,MAAM,IAAI,EAAE,CAAA;QAC1C,MAAM,YAAY,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAA;QACxC,MAAM,gBAAgB,GAAG;YACvB,QAAQ,EAAE,GAAG,YAAY,GAAG,YAAY,EAAE;YAC1C,wEAAwE;YACxE,qBAAqB,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;YACpC,gBAAgB,EAAE,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC;YAChD,wBAAwB,EAAE,CAAC,QAAQ,CAAC;SACrC,CAAA;QACD,GAAG,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IAC5B,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,GAAG,CAAC,0CAA0C,EAAE,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,EAAE;QAC3F,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,GAAG,IAAI,CAAC,MAAM,yCAAyC,CAAA;YAC3E,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,WAAW,CAAC,CAAA;YAEzC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,CAAC,KAAK,CAAC,4CAA4C,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;gBAC3E,OAAO,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,MAAM,QAAQ,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA4B,CAAA;YAEnE,8DAA8D;YAC9D,0FAA0F;YAC1F,MAAM,MAAM,GAAG,GAAG,CAAC,QAAQ,CAAA;YAC3B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;YAC5B,QAAQ,CAAC,qBAAqB,GAAG,GAAG,MAAM,MAAM,IAAI,WAAW,CAAA;YAE/D,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACpB,CAAC;QAAC,OAAO,GAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,KAAK,CAAC,yCAAyC,EAAE,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,CAAA;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAA;QACnD,CAAC;IACH,CAAC,CAAC,CAAA;IAEF;;;;;;;OAOG;IACH,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,GAAY,EAAE,GAAa,EAAE,EAAE;QACvD,MAAM,IAAI,GAAG,GAAG,CAAC,IAAI,IAAI,EAAE,CAAA;QAC3B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;YACnB,SAAS,EAAE,IAAI,CAAC,QAAQ;YACxB,WAAW,EAAE,cAAc;YAC3B,8CAA8C;YAC9C,0BAA0B,EAAE,MAAM;YAClC,WAAW,EAAE,CAAC,oBAAoB,CAAC;YACnC,cAAc,EAAE,CAAC,MAAM,CAAC;YACxB,aAAa,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE;SAC3E,CAAC,CAAA;IACJ,CAAC,CAAC,CAAA;IAEF,OAAO,MAAM,CAAA;AACf,CAAC"}
|
package/package.json
CHANGED
|
@@ -32,8 +32,9 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
|
|
|
32
32
|
* the resource is the path after the well-known prefix.
|
|
33
33
|
*
|
|
34
34
|
* IMPORTANT: We advertise the BRIDGE as the authorization_server (not the upstream issuer).
|
|
35
|
-
*
|
|
36
|
-
*
|
|
35
|
+
* Per RFC 8414 Section 3.3, the issuer in AS metadata MUST match the URL
|
|
36
|
+
* it was fetched from. So we point to the REAL issuer (auth.issuer).
|
|
37
|
+
* Clients will fetch AS metadata directly from the real auth server.
|
|
37
38
|
*/
|
|
38
39
|
router.get('/.well-known/oauth-protected-resource', (req: Request, res: Response) => {
|
|
39
40
|
// Exact match — client is looking for the root resource
|
|
@@ -43,8 +44,8 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
|
|
|
43
44
|
const bridgeOrigin = `${scheme}://${host}`
|
|
44
45
|
const resourceMetadata = {
|
|
45
46
|
resource: `${bridgeOrigin}/mcp`,
|
|
46
|
-
// Point to
|
|
47
|
-
authorization_servers: [
|
|
47
|
+
// Point to REAL issuer so AS metadata validation passes (RFC 8414 §3.3)
|
|
48
|
+
authorization_servers: [auth.issuer],
|
|
48
49
|
scopes_supported: ['openid', 'profile', 'email'],
|
|
49
50
|
bearer_methods_supported: ['header'],
|
|
50
51
|
}
|
|
@@ -59,8 +60,8 @@ export function createDiscoveryRouter(auth: AuthConfig, logger: Logger): Router
|
|
|
59
60
|
const resourcePath = '/' + req.params[0]
|
|
60
61
|
const resourceMetadata = {
|
|
61
62
|
resource: `${bridgeOrigin}${resourcePath}`,
|
|
62
|
-
// Point to
|
|
63
|
-
authorization_servers: [
|
|
63
|
+
// Point to REAL issuer so AS metadata validation passes (RFC 8414 §3.3)
|
|
64
|
+
authorization_servers: [auth.issuer],
|
|
64
65
|
scopes_supported: ['openid', 'profile', 'email'],
|
|
65
66
|
bearer_methods_supported: ['header'],
|
|
66
67
|
}
|