@rekog/mcp-nest 1.7.1 → 1.7.2

package/dist/authz/controllers/well-known.controller.d.ts

@@ -0,0 +1,63 @@
+import { OAuthModuleOptions } from '../providers/oauth-provider.interface';
+export declare class WellKnownController {
+    private readonly options;
+    constructor(options: OAuthModuleOptions);
+    getAuthorizationServerMetadata(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        registration_endpoint: string;
+        scopes_supported: string[];
+        response_types_supported: string[];
+        grant_types_supported: string[];
+        subject_types_supported: string[];
+        token_endpoint_auth_methods_supported: string[];
+        code_challenge_methods_supported: string[];
+        claims_supported: string[];
+        introspection_endpoint: string;
+        revocation_endpoint: string;
+        service_documentation: string;
+        end_session_endpoint: string;
+        check_session_iframe: string;
+        'x-mcp-capabilities': string[];
+        'x-mcp-version': string;
+        'x-api-version': string;
+    };
+    getOpenIdConfiguration(): {
+        url: string;
+        statusCode: number;
+    };
+    getOAuthAuthorizationServer(): {
+        issuer: string;
+        authorization_endpoint: string;
+        token_endpoint: string;
+        userinfo_endpoint: string;
+        jwks_uri: string;
+        registration_endpoint: string;
+        scopes_supported: string[];
+        response_types_supported: string[];
+        grant_types_supported: string[];
+        subject_types_supported: string[];
+        token_endpoint_auth_methods_supported: string[];
+        code_challenge_methods_supported: string[];
+        claims_supported: string[];
+        introspection_endpoint: string;
+        revocation_endpoint: string;
+        service_documentation: string;
+        end_session_endpoint: string;
+        check_session_iframe: string;
+        'x-mcp-capabilities': string[];
+        'x-mcp-version': string;
+        'x-api-version': string;
+    };
+    getWebFinger(): {
+        subject: string;
+        links: {
+            rel: string;
+            href: string;
+        }[];
+    };
+}
+//# sourceMappingURL=well-known.controller.d.ts.map

package/dist/authz/controllers/well-known.controller.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known.controller.d.ts","sourceRoot":"","sources":["../../../src/authz/controllers/well-known.controller.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,uCAAuC,CAAC;AAQ3E,qBACa,mBAAmB;IAEI,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,kBAAkB;IAU9E,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;IAwE9B,sBAAsB;;;;IAWtB,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;IAS3B,YAAY;;;;;;;CAWb"}

package/dist/authz/controllers/well-known.controller.js

@@ -0,0 +1,131 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.WellKnownController = void 0;
+const common_1 = require("@nestjs/common");
+let WellKnownController = class WellKnownController {
+    constructor(options) {
+        this.options = options;
+    }
+    getAuthorizationServerMetadata() {
+        return {
+            issuer: this.options.serverUrl,
+            authorization_endpoint: `${this.options.serverUrl}/oidc/auth`,
+            token_endpoint: `${this.options.serverUrl}/oidc/token`,
+            userinfo_endpoint: `${this.options.serverUrl}/oidc/me`,
+            jwks_uri: `${this.options.serverUrl}/oidc/jwks`,
+            registration_endpoint: `${this.options.serverUrl}/oidc/reg`,
+            scopes_supported: [
+                'openid',
+                'profile',
+                'email',
+                'offline_access'
+            ],
+            response_types_supported: [
+                'code',
+                'id_token',
+                'code id_token'
+            ],
+            grant_types_supported: [
+                'authorization_code',
+                'refresh_token'
+            ],
+            subject_types_supported: [
+                'public'
+            ],
+            token_endpoint_auth_methods_supported: [
+                'client_secret_basic',
+                'client_secret_post',
+                'none'
+            ],
+            code_challenge_methods_supported: [
+                'plain',
+                'S256'
+            ],
+            claims_supported: [
+                'sub',
+                'name',
+                'preferred_username',
+                'email',
+                'email_verified'
+            ],
+            introspection_endpoint: `${this.options.serverUrl}/oidc/introspect`,
+            revocation_endpoint: `${this.options.serverUrl}/oidc/revoke`,
+            service_documentation: `${this.options.serverUrl}/docs`,
+            end_session_endpoint: `${this.options.serverUrl}/oidc/session/end`,
+            check_session_iframe: `${this.options.serverUrl}/oidc/session/check`,
+            'x-mcp-capabilities': [
+                'tools',
+                'resources',
+                'prompts',
+                'server-side-events',
+                'streamable-http'
+            ],
+            'x-mcp-version': '2024-11-05',
+            'x-api-version': '1.0'
+        };
+    }
+    getOpenIdConfiguration() {
+        return {
+            url: `/oidc/.well-known/openid_configuration`,
+            statusCode: 302
+        };
+    }
+    getOAuthAuthorizationServer() {
+        return this.getAuthorizationServerMetadata();
+    }
+    getWebFinger() {
+        return {
+            subject: this.options.serverUrl,
+            links: [
+                {
+                    rel: 'http://openid.net/specs/connect/1.0/issuer',
+                    href: this.options.serverUrl
+                }
+            ]
+        };
+    }
+};
+exports.WellKnownController = WellKnownController;
+__decorate([
+    (0, common_1.Get)('.well-known/oauth-authorization-server'),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], WellKnownController.prototype, "getAuthorizationServerMetadata", null);
+__decorate([
+    (0, common_1.Get)('.well-known/openid_configuration'),
+    (0, common_1.Redirect)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], WellKnownController.prototype, "getOpenIdConfiguration", null);
+__decorate([
+    (0, common_1.Get)('.well-known/oauth_authorization_server'),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], WellKnownController.prototype, "getOAuthAuthorizationServer", null);
+__decorate([
+    (0, common_1.Get)('.well-known/webfinger'),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], WellKnownController.prototype, "getWebFinger", null);
+exports.WellKnownController = WellKnownController = __decorate([
+    (0, common_1.Controller)(),
+    __param(0, (0, common_1.Inject)('OAUTH_MODULE_OPTIONS')),
+    __metadata("design:paramtypes", [Object])
+], WellKnownController);
+//# sourceMappingURL=well-known.controller.js.map

package/dist/authz/controllers/well-known.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"well-known.controller.js","sourceRoot":"","sources":["../../../src/authz/controllers/well-known.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAAmE;AAU5D,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAC9B,YACmD,OAA2B;QAA3B,YAAO,GAAP,OAAO,CAAoB;IAC3E,CAAC;IASJ,8BAA8B;QAC5B,OAAO;YACL,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YAC9B,sBAAsB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,YAAY;YAC7D,cAAc,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,aAAa;YACtD,iBAAiB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,UAAU;YACtD,QAAQ,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,YAAY;YAC/C,qBAAqB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,WAAW;YAC3D,gBAAgB,EAAE;gBAChB,QAAQ;gBACR,SAAS;gBACT,OAAO;gBACP,gBAAgB;aACjB;YACD,wBAAwB,EAAE;gBACxB,MAAM;gBACN,UAAU;gBACV,eAAe;aAChB;YACD,qBAAqB,EAAE;gBACrB,oBAAoB;gBACpB,eAAe;aAChB;YACD,uBAAuB,EAAE;gBACvB,QAAQ;aACT;YACD,qCAAqC,EAAE;gBACrC,qBAAqB;gBACrB,oBAAoB;gBACpB,MAAM;aACP;YACD,gCAAgC,EAAE;gBAChC,OAAO;gBACP,MAAM;aACP;YACD,gBAAgB,EAAE;gBAChB,KAAK;gBACL,MAAM;gBACN,oBAAoB;gBACpB,OAAO;gBACP,gBAAgB;aACjB;YAED,sBAAsB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,kBAAkB;YACnE,mBAAmB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,cAAc;YAC5D,qBAAqB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,OAAO;YAGvD,oBAAoB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,mBAAmB;YAClE,oBAAoB,EAAE,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,qBAAqB;YAGpE,oBAAoB,EAAE;gBACpB,OAAO;gBACP,WAAW;gBACX,SAAS;gBACT,oBAAoB;gBACpB,iBAAiB;aAClB;YACD,eAAe,EAAE,YAAY;YAC7B,eAAe,EAAE,KAAK;SACvB,CAAC;IACJ,CAAC;IAUD,sBAAsB;QACpB,OAAO;YACL,GAAG,EAAE,wCAAwC;YAC7C,UAAU,EAAE,GAAG;SAChB,CAAC;IACJ,CAAC;IAMD,2BAA2B;QACzB,OAAO,IAAI,CAAC,8BAA8B,EAAE,CAAC;IAC/C,CAAC;IAOD,YAAY;QACV,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YAC/B,KAAK,EAAE;gBACL;oBACE,GAAG,EAAE,4CAA4C;oBACjD,IAAI,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;iBAC7B;aACF;SACF,CAAC;IACJ,CAAC;CACF,CAAA;AAnHY,kDAAmB;AAY9B;IADC,IAAA,YAAG,EAAC,wCAAwC,CAAC;;;;yEA+D7C;AAUD;IAFC,IAAA,YAAG,EAAC,kCAAkC,CAAC;IACvC,IAAA,iBAAQ,GAAE;;;;iEAMV;AAMD;IADC,IAAA,YAAG,EAAC,wCAAwC,CAAC;;;;sEAG7C;AAOD;IADC,IAAA,YAAG,EAAC,uBAAuB,CAAC;;;;uDAW5B;8BAlHU,mBAAmB;IAD/B,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,eAAM,EAAC,sBAAsB,CAAC,CAAA;;GAFtB,mBAAmB,CAmH/B","sourcesContent":["import { Controller, Get, Inject, Redirect } from '@nestjs/common';\nimport { OAuthModuleOptions } from '../providers/oauth-provider.interface';\n\n/**\n * Root Well-Known Endpoints Controller\n * \n * Handles OAuth 2.0 and OIDC well-known endpoints at the root level\n * as required by RFC 8414 and RFC 8623\n */\n@Controller()\nexport class WellKnownController {\n  constructor(\n    @Inject('OAUTH_MODULE_OPTIONS') private readonly options: OAuthModuleOptions,\n  ) {}\n\n  /**\n   * OAuth Authorization Server Metadata Endpoint (RFC 8414)\n   * MUST be at /.well-known/oauth-authorization-server (not prefixed)\n   * \n   * This returns the same metadata as the OIDC provider but at the correct root path\n   */\n  @Get('.well-known/oauth-authorization-server')\n  getAuthorizationServerMetadata() {\n    return {\n      issuer: this.options.serverUrl,\n      authorization_endpoint: `${this.options.serverUrl}/oidc/auth`,\n      token_endpoint: `${this.options.serverUrl}/oidc/token`,\n      userinfo_endpoint: `${this.options.serverUrl}/oidc/me`,\n      jwks_uri: `${this.options.serverUrl}/oidc/jwks`,\n      registration_endpoint: `${this.options.serverUrl}/oidc/reg`,\n      scopes_supported: [\n        'openid',\n        'profile',\n        'email',\n        'offline_access'\n      ],\n      response_types_supported: [\n        'code',\n        'id_token',\n        'code id_token'\n      ],\n      grant_types_supported: [\n        'authorization_code',\n        'refresh_token'\n      ],\n      subject_types_supported: [\n        'public'\n      ],\n      token_endpoint_auth_methods_supported: [\n        'client_secret_basic',\n        'client_secret_post',\n        'none'\n      ],\n      code_challenge_methods_supported: [\n        'plain',\n        'S256'\n      ],\n      claims_supported: [\n        'sub',\n        'name',\n        'preferred_username',\n        'email',\n        'email_verified'\n      ],\n      // Additional OAuth 2.0 Authorization Server metadata\n      introspection_endpoint: `${this.options.serverUrl}/oidc/introspect`,\n      revocation_endpoint: `${this.options.serverUrl}/oidc/revoke`,\n      service_documentation: `${this.options.serverUrl}/docs`,\n      \n      // OIDC-specific metadata\n      end_session_endpoint: `${this.options.serverUrl}/oidc/session/end`,\n      check_session_iframe: `${this.options.serverUrl}/oidc/session/check`,\n      \n      // MCP-specific extensions (non-standard but useful)\n      'x-mcp-capabilities': [\n        'tools',\n        'resources', \n        'prompts',\n        'server-side-events',\n        'streamable-http'\n      ],\n      'x-mcp-version': '2024-11-05',\n      'x-api-version': '1.0'\n    };\n  }\n\n  /**\n   * OpenID Connect Discovery Document (RFC 8414 Section 3)\n   * Should be at /.well-known/openid_configuration \n   * \n   * We redirect to the OIDC provider's discovery endpoint\n   */\n  @Get('.well-known/openid_configuration')\n  @Redirect()\n  getOpenIdConfiguration() {\n    return {\n      url: `/oidc/.well-known/openid_configuration`,\n      statusCode: 302\n    };\n  }\n\n  /**\n   * Alternative OAuth Discovery endpoint (some implementations check here)\n   */\n  @Get('.well-known/oauth_authorization_server')\n  getOAuthAuthorizationServer() {\n    return this.getAuthorizationServerMetadata();\n  }\n\n  /**\n   * WebFinger endpoint for OpenID Connect Discovery (RFC 7033)\n   * Some clients use this for discovery\n   */\n  @Get('.well-known/webfinger')\n  getWebFinger() {\n    return {\n      subject: this.options.serverUrl,\n      links: [\n        {\n          rel: 'http://openid.net/specs/connect/1.0/issuer',\n          href: this.options.serverUrl\n        }\n      ]\n    };\n  }\n}"]}

package/dist/authz/examples/oidc-provider-example.d.ts

@@ -0,0 +1,3 @@
+export declare class AppModuleWithOidcProvider {
+}
+//# sourceMappingURL=oidc-provider-example.d.ts.map

package/dist/authz/examples/oidc-provider-example.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-provider-example.d.ts","sourceRoot":"","sources":["../../../src/authz/examples/oidc-provider-example.ts"],"names":[],"mappings":"AASA,qBAsDa,yBAAyB;CAAG"}

package/dist/authz/examples/oidc-provider-example.js

@@ -0,0 +1,51 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AppModuleWithOidcProvider = void 0;
+const common_1 = require("@nestjs/common");
+const oidc_provider_module_1 = require("../oidc-provider.module");
+const github_provider_1 = require("../providers/github.provider");
+let AppModuleWithOidcProvider = class AppModuleWithOidcProvider {
+};
+exports.AppModuleWithOidcProvider = AppModuleWithOidcProvider;
+exports.AppModuleWithOidcProvider = AppModuleWithOidcProvider = __decorate([
+    (0, common_1.Module)({
+        imports: [
+            oidc_provider_module_1.McpOidcProviderModule.forRoot({
+                clientId: process.env.GITHUB_CLIENT_ID,
+                clientSecret: process.env.GITHUB_CLIENT_SECRET,
+                jwtSecret: process.env.JWT_SECRET,
+                serverUrl: process.env.SERVER_URL || 'https://localhost:3000',
+                resource: process.env.RESOURCE_URL || 'https://localhost:3000/mcp',
+                jwtIssuer: process.env.JWT_ISSUER || 'https://localhost:3000',
+                jwtAudience: process.env.JWT_AUDIENCE || 'mcp-client',
+                jwtAccessTokenExpiresIn: '1h',
+                jwtRefreshTokenExpiresIn: '30d',
+                cookieMaxAge: 24 * 60 * 60 * 1000,
+                cookieSecure: process.env.NODE_ENV === 'production',
+                oauthSessionExpiresIn: 10 * 60 * 1000,
+                authCodeExpiresIn: 10 * 60 * 1000,
+                provider: github_provider_1.GitHubOAuthProvider,
+                apiPrefix: 'oidc',
+                endpoints: {
+                    wellKnownAuthorizationServerMetadata: '/.well-known/oauth-authorization-server',
+                    register: '/reg',
+                    authorize: '/auth',
+                    callback: '/callback',
+                    token: '/token',
+                    validate: '/introspect',
+                    revoke: '/revoke',
+                },
+                storeConfiguration: {
+                    type: 'memory',
+                },
+            }),
+        ],
+    })
+], AppModuleWithOidcProvider);
+//# sourceMappingURL=oidc-provider-example.js.map

package/dist/authz/examples/oidc-provider-example.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oidc-provider-example.js","sourceRoot":"","sources":["../../../src/authz/examples/oidc-provider-example.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAwC;AACxC,kEAAgE;AAChE,kEAAmE;AA6D5D,IAAM,yBAAyB,GAA/B,MAAM,yBAAyB;CAAG,CAAA;AAA5B,8DAAyB;oCAAzB,yBAAyB;IAtDrC,IAAA,eAAM,EAAC;QACN,OAAO,EAAE;YAEP,4CAAqB,CAAC,OAAO,CAAC;gBAE5B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,gBAAiB;gBACvC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,oBAAqB;gBAG/C,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAW;gBAGlC,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,wBAAwB;gBAC7D,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,4BAA4B;gBAGlE,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,wBAAwB;gBAC7D,WAAW,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,YAAY;gBAGrD,uBAAuB,EAAE,IAAI;gBAC7B,wBAAwB,EAAE,KAAK;gBAG/B,YAAY,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;gBACjC,YAAY,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;gBACnD,qBAAqB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;gBACrC,iBAAiB,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;gBAGjC,QAAQ,EAAE,qCAAmB;gBAG7B,SAAS,EAAE,MAAM;gBAGjB,SAAS,EAAE;oBACT,oCAAoC,EAClC,yCAAyC;oBAC3C,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE,OAAO;oBAClB,QAAQ,EAAE,WAAW;oBACrB,KAAK,EAAE,QAAQ;oBACf,QAAQ,EAAE,aAAa;oBACvB,MAAM,EAAE,SAAS;iBAClB;gBAGD,kBAAkB,EAAE;oBAClB,IAAI,EAAE,QAAQ;iBACf;aACF,CAAC;SACH;KACF,CAAC;GACW,yBAAyB,CAAG","sourcesContent":["import { Module } from '@nestjs/common';\nimport { McpOidcProviderModule } from '../oidc-provider.module';\nimport { GitHubOAuthProvider } from '../providers/github.provider';\n\n/**\n * Example configuration for using the new OIDC Provider\n * instead of the legacy custom OAuth implementation\n */\n\n@Module({\n  imports: [\n    // Replace McpAuthModule.forRoot with McpOidcProviderModule.forRoot\n    McpOidcProviderModule.forRoot({\n      // GitHub OAuth App credentials\n      clientId: process.env.GITHUB_CLIENT_ID!,\n      clientSecret: process.env.GITHUB_CLIENT_SECRET!,\n\n      // JWT signing secret (should be at least 32 characters)\n      jwtSecret: process.env.JWT_SECRET!,\n\n      // Server configuration\n      serverUrl: process.env.SERVER_URL || 'https://localhost:3000',\n      resource: process.env.RESOURCE_URL || 'https://localhost:3000/mcp',\n\n      // OIDC Provider configuration\n      jwtIssuer: process.env.JWT_ISSUER || 'https://localhost:3000',\n      jwtAudience: process.env.JWT_AUDIENCE || 'mcp-client',\n\n      // Token expiration settings\n      jwtAccessTokenExpiresIn: '1h',\n      jwtRefreshTokenExpiresIn: '30d',\n\n      // Cookie and session settings\n      cookieMaxAge: 24 * 60 * 60 * 1000, // 24 hours\n      cookieSecure: process.env.NODE_ENV === 'production',\n      oauthSessionExpiresIn: 10 * 60 * 1000, // 10 minutes\n      authCodeExpiresIn: 10 * 60 * 1000, // 10 minutes\n\n      // GitHub provider configuration\n      provider: GitHubOAuthProvider,\n\n      // Optional: API prefix for OIDC endpoints (defaults to 'oidc')\n      apiPrefix: 'oidc',\n\n      // Optional: Custom endpoint configuration\n      endpoints: {\n        wellKnownAuthorizationServerMetadata:\n          '/.well-known/oauth-authorization-server',\n        register: '/reg',\n        authorize: '/auth',\n        callback: '/callback',\n        token: '/token',\n        validate: '/introspect',\n        revoke: '/revoke',\n      },\n\n      // Optional: Storage configuration (defaults to memory)\n      storeConfiguration: {\n        type: 'memory', // or 'typeorm' for persistent storage\n      },\n    }),\n  ],\n})\nexport class AppModuleWithOidcProvider {}\n\n/**\n * Environment variables required:\n *\n * GITHUB_CLIENT_ID=your_github_oauth_app_client_id\n * GITHUB_CLIENT_SECRET=your_github_oauth_app_client_secret\n * JWT_SECRET=your_jwt_signing_secret_at_least_32_characters_long\n * SERVER_URL=https://your-server.com (optional, defaults to localhost:3000)\n * RESOURCE_URL=https://your-server.com/mcp (optional)\n * JWT_ISSUER=https://your-server.com (optional)\n * JWT_AUDIENCE=mcp-client (optional)\n * NODE_ENV=production (for secure cookies)\n */\n\n/**\n * OIDC Endpoints provided by this configuration:\n *\n * Well-known metadata:\n * - GET /.well-known/oauth-authorization-server\n * - GET /.well-known/oauth-protected-resource\n * - GET /oidc/.well-known/openid_configuration\n *\n * OAuth 2.0 / OIDC endpoints:\n * - GET /oidc/auth - Authorization endpoint\n * - POST /oidc/token - Token endpoint\n * - GET /oidc/me - UserInfo endpoint\n * - GET /oidc/jwks - JSON Web Key Set\n * - POST /oidc/reg - Dynamic client registration\n * - POST /oidc/introspect - Token introspection\n * - POST /oidc/revoke - Token revocation\n *\n * Custom interaction endpoints:\n * - GET /oidc/interaction/:uid - GitHub authentication initiation\n * - GET /oidc/callback - GitHub OAuth callback\n */\n\n/**\n * Migration from legacy McpAuthModule:\n *\n * 1. Replace imports:\n *    - Change: import { McpAuthModule } from '@rekog/mcp-nest/authz'\n *    - To: import { McpOidcProviderModule } from '@rekog/mcp-nest/authz'\n *\n * 2. Update module registration:\n *    - Change: McpAuthModule.forRoot(...)\n *    - To: McpOidcProviderModule.forRoot(...)\n *\n * 3. Update endpoints (if you have hardcoded URLs):\n *    - Authorization: /authorize → /oidc/auth\n *    - Token: /token → /oidc/token\n *    - Callback: /callback → /oidc/callback\n *    - Well-known: /.well-known/oauth-authorization-server (unchanged)\n *\n * 4. Benefits of the new implementation:\n *    - Standards-compliant OIDC provider\n *    - Better security with proper OIDC flows\n *    - Automatic JWKS endpoint\n *    - Built-in token introspection\n *    - Support for ID tokens\n *    - Better integration with OIDC-compliant clients\n */\n"]}

package/dist/authz/guards/jwt-auth.guard.js

@@ -23,7 +23,7 @@ let McpAuthJwtGuard = class McpAuthJwtGuard {
             throw new common_1.UnauthorizedException('Access token required');
         }
         const payload = this.jwtTokenService.validateToken(token);
-        if (!payload || payload.type !== 'access') {
+        if (!payload) {
             throw new common_1.UnauthorizedException('Invalid or expired access token');
         }
         request.user = payload;

package/dist/authz/guards/jwt-auth.guard.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAKwB;AAExB,qEAA4E;AAOrE,IAAM,eAAe,GAArB,MAAM,eAAe;IAC1B,YAA6B,eAAgC;QAAhC,oBAAe,GAAf,eAAe,CAAiB;IAAG,CAAC;IAEjE,WAAW,CAAC,OAAyB;QACnC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwB,CAAC;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAEnD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,sBAAsB,CAAC,OAAgB;QAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AA9BY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;qCAEmC,mCAAe;GADlD,eAAe,CA8B3B","sourcesContent":["import {\n  Injectable,\n  CanActivate,\n  ExecutionContext,\n  UnauthorizedException,\n} from '@nestjs/common';\nimport { Request } from 'express';\nimport { JwtPayload, JwtTokenService } from '../services/jwt-token.service';\n\nexport interface AuthenticatedRequest extends Request {\n  user: JwtPayload;\n}\n\n@Injectable()\nexport class McpAuthJwtGuard implements CanActivate {\n  constructor(private readonly jwtTokenService: JwtTokenService) {}\n\n  canActivate(context: ExecutionContext): boolean {\n    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();\n    const token = this.extractTokenFromHeader(request);\n\n    if (!token) {\n      throw new UnauthorizedException('Access token required');\n    }\n\n    const payload = this.jwtTokenService.validateToken(token);\n\n    if (!payload || payload.type !== 'access') {\n      throw new UnauthorizedException('Invalid or expired access token');\n    }\n\n    request.user = payload;\n    return true;\n  }\n\n  private extractTokenFromHeader(request: Request): string | undefined {\n    const authHeader = request.headers.authorization;\n    if (!authHeader) {\n      return undefined;\n    }\n\n    const [type, token] = authHeader.split(' ');\n    return type === 'Bearer' ? token : undefined;\n  }\n}\n"]}
+{"version":3,"file":"jwt-auth.guard.js","sourceRoot":"","sources":["../../../src/authz/guards/jwt-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAKwB;AAExB,qEAA4E;AAOrE,IAAM,eAAe,GAArB,MAAM,eAAe;IAC1B,YAA6B,eAAgC;QAAhC,oBAAe,GAAf,eAAe,CAAiB;IAAG,CAAC;IAEjE,WAAW,CAAC,OAAyB;QACnC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAwB,CAAC;QAC1E,MAAM,KAAK,GAAG,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAEnD,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,8BAAqB,CAAC,uBAAuB,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,eAAe,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAC;QACrE,CAAC;QAED,OAAO,CAAC,IAAI,GAAG,OAAO,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,sBAAsB,CAAC,OAAgB;QAC7C,MAAM,UAAU,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC;QACjD,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC5C,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;IAC/C,CAAC;CACF,CAAA;AA9BY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;qCAEmC,mCAAe;GADlD,eAAe,CA8B3B","sourcesContent":["import {\n  Injectable,\n  CanActivate,\n  ExecutionContext,\n  UnauthorizedException,\n} from '@nestjs/common';\nimport { Request } from 'express';\nimport { JwtPayload, JwtTokenService } from '../services/jwt-token.service';\n\nexport interface AuthenticatedRequest extends Request {\n  user: JwtPayload;\n}\n\n@Injectable()\nexport class McpAuthJwtGuard implements CanActivate {\n  constructor(private readonly jwtTokenService: JwtTokenService) {}\n\n  canActivate(context: ExecutionContext): boolean {\n    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();\n    const token = this.extractTokenFromHeader(request);\n\n    if (!token) {\n      throw new UnauthorizedException('Access token required');\n    }\n\n    const payload = this.jwtTokenService.validateToken(token);\n\n    if (!payload) {\n      throw new UnauthorizedException('Invalid or expired access token');\n    }\n\n    request.user = payload;\n    return true;\n  }\n\n  private extractTokenFromHeader(request: Request): string | undefined {\n    const authHeader = request.headers.authorization;\n    if (!authHeader) {\n      return undefined;\n    }\n\n    const [type, token] = authHeader.split(' ');\n    return type === 'Bearer' ? token : undefined;\n  }\n}\n"]}

package/dist/authz/mcp-oauth.controller.d.ts

@@ -4,7 +4,7 @@ import { AuthenticatedRequest } from './guards/jwt-auth.guard';
 import { OAuthEndpointConfiguration, OAuthModuleOptions, OAuthUserProfile } from './providers/oauth-provider.interface';
 import { ClientService } from './services/client.service';
 import { JwtTokenService, TokenPair } from './services/jwt-token.service';
-import { ClientRegistrationDto, IOAuthStore } from './stores/oauth-store.interface';
+import { IOAuthStore } from './stores/oauth-store.interface';
 interface OAuthCallbackRequest extends ExpressRequest {
     user?: {
         profile: OAuthUserProfile;
@@ -30,23 +30,32 @@ export declare function createMcpOAuthController(endpoints?: OAuthEndpointConfig
             response_modes_supported: string[];
             grant_types_supported: string[];
             token_endpoint_auth_methods_supported: string[];
+            scopes_supported: string[];
             revocation_endpoint: string;
             code_challenge_methods_supported: string[];
         };
-        registerClient(registrationDto: ClientRegistrationDto): Promise<import("./stores/oauth-store.interface").OAuthClient>;
+        registerClient(registrationDto: any): Promise<import("./stores/oauth-store.interface").OAuthClient>;
         authorize(query: any, req: any, res: Response, next: NextFunction): Promise<void>;
         handleProviderCallback(req: OAuthCallbackRequest, res: Response, next: NextFunction): void;
         processAuthenticationSuccess(req: OAuthCallbackRequest, res: Response): Promise<void>;
-        exchangeToken(body: any): Promise<TokenPair>;
-        handleAuthorizationCodeGrant(code: string, code_verifier: string, _redirect_uri: string, client_id: string): Promise<TokenPair>;
-        handleRefreshTokenGrant(refresh_token: string): TokenPair;
-        validateToken(req: AuthenticatedRequest): {
-            valid: boolean;
-            user_id: string;
-            client_id: string | undefined;
-            scope: string | undefined;
-            expires_at: number;
+        exchangeToken(body: any, req: any): Promise<TokenPair>;
+        extractClientCredentials(req: any, body: any): {
+            client_id: string;
+            client_secret?: string;
         };
+        validateClientAuthentication(client: any, clientCredentials: {
+            client_id: string;
+            client_secret?: string;
+        }): void;
+        handleAuthorizationCodeGrant(code: string, code_verifier: string, _redirect_uri: string, clientCredentials: {
+            client_id: string;
+            client_secret?: string;
+        }): Promise<TokenPair>;
+        handleRefreshTokenGrant(refresh_token: string, clientCredentials: {
+            client_id: string;
+            client_secret?: string;
+        }): Promise<TokenPair>;
+        validateToken(req: AuthenticatedRequest): any;
         validatePKCE(code_verifier: string, code_challenge: string, method: string): boolean;
     };
 };

package/dist/authz/mcp-oauth.controller.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mcp-oauth.controller.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAML,MAAM,EAOP,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE5E,OAAO,EAAE,oBAAoB,EAAmB,MAAM,yBAAyB,CAAC;AAChF,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,EACL,qBAAqB,EACrB,WAAW,EACZ,MAAM,gCAAgC,CAAC;AAGxC,UAAU,oBAAqB,SAAQ,cAAc;IACnD,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,gBAAgB,CAAC;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,wBAAgB,wBAAwB,CACtC,SAAS,GAAE,0BAA+B;kBASG,kBAAkB,SACpB,WAAW,mBACxB,eAAe,iBACjB,aAAa;;4BAPnB,MAAM;+BACH,OAAO;0BACZ,kBAAkB;wBAGK,WAAW;kCACxB,eAAe;gCACjB,aAAa;;;;;;;;;;;;;wCAqCO,qBAAqB;yBAMjD,GAAG,OAEd,GAAG,OACI,QAAQ,QACN,YAAY;oCA0Ed,oBAAoB,OACpB,QAAQ,QACN,YAAY;0CA2BrB,oBAAoB,OACpB,QAAQ;4BAwEmB,GAAG,GAAG,OAAO,CAAC,SAAS,CAAC;2CAyBlD,MAAM,iBACG,MAAM,iBACN,MAAM,aACV,MAAM,GAChB,OAAO,CAAC,SAAS,CAAC;+CA+DkB,MAAM,GAAG,SAAS;2BAW/B,oBAAoB;;;;;;;oCAW7B,MAAM,kBACL,MAAM,UACd,MAAM,GACb,OAAO;;EAcb"}
+{"version":3,"file":"mcp-oauth.controller.d.ts","sourceRoot":"","sources":["../../src/authz/mcp-oauth.controller.ts"],"names":[],"mappings":"AAAA,OAAO,EAML,MAAM,EAOP,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,OAAO,IAAI,cAAc,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAE5E,OAAO,EAAE,oBAAoB,EAAmB,MAAM,yBAAyB,CAAC;AAChF,OAAO,EACL,0BAA0B,EAC1B,kBAAkB,EAElB,gBAAgB,EACjB,MAAM,sCAAsC,CAAC;AAC9C,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,eAAe,EAAE,SAAS,EAAE,MAAM,8BAA8B,CAAC;AAE1E,OAAO,EAEL,WAAW,EACZ,MAAM,gCAAgC,CAAC;AAGxC,UAAU,oBAAqB,SAAQ,cAAc;IACnD,IAAI,CAAC,EAAE;QACL,OAAO,EAAE,gBAAgB,CAAC;QAC1B,WAAW,EAAE,MAAM,CAAC;QACpB,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC;CACH;AAED,wBAAgB,wBAAwB,CACtC,SAAS,GAAE,0BAA+B;kBASG,kBAAkB,SACpB,WAAW,mBACxB,eAAe,iBACjB,aAAa;;4BAPnB,MAAM;+BACH,OAAO;0BACZ,kBAAkB;wBAGK,WAAW;kCACxB,eAAe;gCACjB,aAAa;;;;;;;;;;;;;;wCAsCO,GAAG;yBAM/B,GAAG,OAEd,GAAG,OACI,QAAQ,QACN,YAAY;oCA2Ed,oBAAoB,OACpB,QAAQ,QACN,YAAY;0CA2BrB,oBAAoB,OACpB,QAAQ;4BAyEC,GAAG,OACL,GAAG,GACd,OAAO,CAAC,SAAS,CAAC;sCAuCd,GAAG,QACF,GAAG,GACR;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE;6CA4BtC,GAAG,qBACQ;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,IAAI;2CAqCC,MAAM,iBACG,MAAM,iBACN,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;+CAyEJ,MAAM,qBACF;YAAE,SAAS,EAAE,MAAM,CAAC;YAAC,aAAa,CAAC,EAAE,MAAM,CAAA;SAAE,GAC/D,OAAO,CAAC,SAAS,CAAC;2BA0CK,oBAAoB;oCAiB7B,MAAM,kBACL,MAAM,UACd,MAAM,GACb,OAAO;;EAcb"}

package/dist/authz/mcp-oauth.controller.js

@@ -50,6 +50,7 @@ function createMcpOAuthController(endpoints = {}) {
                     'client_secret_post',
                     'none',
                 ],
+                scopes_supported: ['offline_access'],
                 revocation_endpoint: (0, normalize_endpoint_1.normalizeEndpoint)(`${this.serverUrl}/${endpoints?.revoke}`),
                 code_challenge_methods_supported: ['plain', 'S256'],
             };
@@ -58,7 +59,7 @@ function createMcpOAuthController(endpoints = {}) {
             return await this.clientService.registerClient(registrationDto);
         }
         async authorize(query, req, res, next) {
-            const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, } = query;
+            const { response_type, client_id, redirect_uri, code_challenge, code_challenge_method, state, scope, } = query;
             const resource = this.options.resource;
             if (response_type !== 'code') {
                 throw new common_1.BadRequestException('Only response_type=code is supported');
@@ -84,7 +85,7 @@ function createMcpOAuthController(endpoints = {}) {
                 codeChallenge: code_challenge,
                 codeChallengeMethod: code_challenge_method || 'plain',
                 oauthState: state,
-                scope: query.scope || '',
+                scope: scope,
                 resource,
                 expiresAt: Date.now() + this.options.oauthSessionExpiresIn,
             };
@@ -167,22 +168,71 @@ function createMcpOAuthController(endpoints = {}) {
             await this.store.removeOAuthSession(sessionId);
             res.redirect(redirectUrl.toString());
         }
-        async exchangeToken(body) {
-            const { grant_type, code, code_verifier, redirect_uri, client_id, refresh_token, } = body;
+        async exchangeToken(body, req) {
+            const { grant_type, code, code_verifier, redirect_uri, client_id, client_secret, refresh_token, } = body;
             if (grant_type === 'authorization_code') {
-                return this.handleAuthorizationCodeGrant(code, code_verifier, redirect_uri, client_id);
+                const clientCredentials = this.extractClientCredentials(req, body);
+                return this.handleAuthorizationCodeGrant(code, code_verifier, redirect_uri, clientCredentials);
             }
             else if (grant_type === 'refresh_token') {
-                return this.handleRefreshTokenGrant(refresh_token);
+                let clientCredentials;
+                try {
+                    clientCredentials = this.extractClientCredentials(req, body);
+                }
+                catch {
+                    clientCredentials = { client_id: '' };
+                }
+                return this.handleRefreshTokenGrant(refresh_token, clientCredentials);
             }
             else {
                 throw new common_1.BadRequestException('Unsupported grant_type');
             }
         }
-        async handleAuthorizationCodeGrant(code, code_verifier, _redirect_uri, client_id) {
+        extractClientCredentials(req, body) {
+            const authHeader = req.headers?.authorization;
+            if (authHeader && authHeader.startsWith('Basic ')) {
+                const credentials = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8');
+                const [client_id, client_secret] = credentials.split(':', 2);
+                if (client_id) {
+                    return { client_id, client_secret };
+                }
+            }
+            if (body.client_id) {
+                return {
+                    client_id: body.client_id,
+                    client_secret: body.client_secret,
+                };
+            }
+            throw new common_1.BadRequestException('Missing client credentials');
+        }
+        validateClientAuthentication(client, clientCredentials) {
+            if (!client) {
+                throw new common_1.BadRequestException('Invalid client_id');
+            }
+            const { token_endpoint_auth_method } = client;
+            switch (token_endpoint_auth_method) {
+                case 'client_secret_basic':
+                case 'client_secret_post':
+                    if (!clientCredentials.client_secret) {
+                        throw new common_1.BadRequestException('Client secret required for this authentication method');
+                    }
+                    if (client.client_secret !== clientCredentials.client_secret) {
+                        throw new common_1.BadRequestException('Invalid client credentials');
+                    }
+                    break;
+                case 'none':
+                    if (clientCredentials.client_secret) {
+                        throw new common_1.BadRequestException('Client secret not allowed for public clients');
+                    }
+                    break;
+                default:
+                    throw new common_1.BadRequestException(`Unsupported authentication method: ${token_endpoint_auth_method}`);
+            }
+        }
+        async handleAuthorizationCodeGrant(code, code_verifier, _redirect_uri, clientCredentials) {
             this.logger.debug('handleAuthorizationCodeGrant - Params:', {
                 code,
-                client_id,
+                client_id: clientCredentials.client_id,
             });
             const authCode = await this.store.getAuthCode(code);
             if (!authCode) {
@@ -194,10 +244,12 @@ function createMcpOAuthController(endpoints = {}) {
                 this.logger.error('handleAuthorizationCodeGrant - Authorization code expired:', code);
                 throw new common_1.BadRequestException('Authorization code has expired');
             }
-            if (authCode.client_id !== client_id) {
-                this.logger.error('handleAuthorizationCodeGrant - Client ID mismatch:', { expected: authCode.client_id, got: client_id });
+            if (authCode.client_id !== clientCredentials.client_id) {
+                this.logger.error('handleAuthorizationCodeGrant - Client ID mismatch:', { expected: authCode.client_id, got: clientCredentials.client_id });
                 throw new common_1.BadRequestException('Client ID mismatch');
             }
+            const client = await this.clientService.getClient(clientCredentials.client_id);
+            this.validateClientAuthentication(client, clientCredentials);
             if (authCode.code_challenge) {
                 const isValid = this.validatePKCE(code_verifier, authCode.code_challenge, authCode.code_challenge_method);
                 if (!isValid) {
@@ -209,12 +261,30 @@ function createMcpOAuthController(endpoints = {}) {
                 this.logger.error('handleAuthorizationCodeGrant - No resource associated with code');
                 throw new common_1.BadRequestException('Authorization code is not associated with a resource');
             }
-            const tokens = this.jwtTokenService.generateTokenPair(authCode.user_id, client_id, authCode.scope, authCode.resource);
+            const tokens = this.jwtTokenService.generateTokenPair(authCode.user_id, clientCredentials.client_id, authCode.scope, authCode.resource);
             await this.store.removeAuthCode(code);
             this.logger.log('handleAuthorizationCodeGrant - Token pair generated for user:', authCode.user_id);
             return tokens;
         }
-        handleRefreshTokenGrant(refresh_token) {
+        async handleRefreshTokenGrant(refresh_token, clientCredentials) {
+            const payload = this.jwtTokenService.validateToken(refresh_token);
+            if (!payload || payload.type !== 'refresh') {
+                throw new common_1.BadRequestException('Invalid or expired refresh token');
+            }
+            const clientId = clientCredentials.client_id || payload.client_id;
+            if (!clientId) {
+                throw new common_1.BadRequestException('Unable to determine client_id');
+            }
+            const client = await this.clientService.getClient(clientId);
+            if (client?.token_endpoint_auth_method !== 'none') {
+                this.validateClientAuthentication(client, {
+                    ...clientCredentials,
+                    client_id: clientId,
+                });
+            }
+            if (payload.client_id !== clientId) {
+                throw new common_1.BadRequestException('Invalid refresh token or token does not belong to this client');
+            }
             const newTokens = this.jwtTokenService.refreshAccessToken(refresh_token);
             if (!newTokens) {
                 throw new common_1.BadRequestException('Failed to refresh token');
@@ -222,13 +292,16 @@ function createMcpOAuthController(endpoints = {}) {
             return newTokens;
         }
         validateToken(req) {
-            return {
+            const response = {
                 valid: true,
                 user_id: req.user.sub,
-                client_id: req.user.client_id,
-                scope: req.user.scope,
+                client_id: req.user.azp || req.user.client_id,
                 expires_at: req.user.exp * 1000,
             };
+            if (req.user.scope) {
+                response.scope = req.user.scope;
+            }
+            return response;
         }
         validatePKCE(code_verifier, code_challenge, method) {
             if (method === 'plain') {
@@ -244,7 +317,7 @@ function createMcpOAuthController(endpoints = {}) {
         }
     };
     __decorate([
-        (0, common_1.Get)(endpoints.wellKnown),
+        (0, common_1.Get)(endpoints.wellKnownAuthorizationServerMetadata),
         __metadata("design:type", Function),
         __metadata("design:paramtypes", []),
         __metadata("design:returntype", void 0)
@@ -278,8 +351,9 @@ function createMcpOAuthController(endpoints = {}) {
     __decorate([
         (0, common_1.Post)(endpoints.token),
         __param(0, (0, common_1.Body)()),
+        __param(1, (0, common_1.Req)()),
         __metadata("design:type", Function),
-        __metadata("design:paramtypes", [Object]),
+        __metadata("design:paramtypes", [Object, Object]),
         __metadata("design:returntype", Promise)
     ], McpOAuthController.prototype, "exchangeToken", null);
     __decorate([