mcp-oauth-provider 0.0.2 → 0.0.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-oauth-provider",
-  "version": "0.0.2",
+  "version": "0.0.3",
   "description": "MCP OAuth client provider for streamable HTTP clients",
   "author": "Clutch Creator",
   "license": "MIT",

package/src/__tests__/integration.test.ts

@@ -97,34 +97,6 @@ describe('MCPOAuthClientProvider Integration', () => {
     });
   });
 
-  describe('authorization server metadata', () => {
-    test('should accept authorizationServerMetadata through constructor', () => {
-      const metadata = {
-        issuer: 'https://auth.example.com',
-        authorization_endpoint: 'https://auth.example.com/authorize',
-        token_endpoint: 'https://auth.example.com/token',
-      };
-      const provider = new MCPOAuthClientProvider({
-        ...config,
-        authorizationServerMetadata: metadata,
-      });
-
-      expect(provider.authorizationServerMetadata).toBeDefined();
-      expect(provider.authorizationServerMetadata?.issuer).toBe(
-        'https://auth.example.com'
-      );
-      expect(provider.authorizationServerMetadata?.token_endpoint).toBe(
-        'https://auth.example.com/token'
-      );
-    });
-
-    test('should be undefined when not provided', () => {
-      const provider = new MCPOAuthClientProvider(config);
-
-      expect(provider.authorizationServerMetadata).toBeUndefined();
-    });
-  });
-
   describe('token management', () => {
     test('should return undefined when no tokens exist', async () => {
       const provider = new MCPOAuthClientProvider(config);

package/src/client/config.ts

@@ -49,7 +49,7 @@ export interface OAuthConfig {
   /**
    * Redirect URI for OAuth callbacks
    */
-  redirectUri: string;
+  redirectUri?: string;
 
   /**
    * OAuth scope to request
@@ -76,6 +76,11 @@ export interface OAuthConfig {
    */
   tokens?: OAuthTokens;
 
+  /**
+   * Token refresh endpoint URL (optional, can be obtained from metadata)
+   */
+  tokenEndpoint?: string;
+
   /**
    * Token refresh configuration
    */
@@ -90,16 +95,6 @@ export interface OAuthConfig {
      */
     retryDelay?: number;
   };
-
-  /**
-   * Authorization server metadata (can be provided or obtained during auth flow)
-   */
-  authorizationServerMetadata?: {
-    issuer: string;
-    authorization_endpoint: string;
-    token_endpoint: string;
-    [key: string]: unknown;
-  };
 }
 
 /**

package/src/client/index.ts

@@ -26,35 +26,44 @@ interface TokenRefreshConfig {
 /**
  * MCP OAuth Client Provider implementation with automatic token refresh
  */
-interface ProcessedOAuthConfig
-  extends Omit<
-    Required<OAuthConfig>,
-    'clientSecret' | 'tokens' | 'authorizationServerMetadata'
-  > {
-  clientSecret?: string;
-  tokens?: OAuthTokens;
-  clientMetadata: OAuthClientMetadata;
-  tokenRefresh: TokenRefreshConfig;
-}
-
 export class MCPOAuthClientProvider implements OAuthClientProvider {
-  private readonly config: ProcessedOAuthConfig;
   private readonly oauthStorage: OAuthStorage;
   private readonly sessionId: string;
+  private readonly redirectUri: string | undefined;
+  private readonly tokenRefreshConfig: TokenRefreshConfig;
+  private readonly _clientMetadata: OAuthClientMetadata;
   private cachedClientInformation?: OAuthClientInformationFull;
 
+  public tokenEndpoint?: string;
   public authorizationServerMetadata?: AuthorizationServerMetadata;
 
   constructor(config: OAuthConfig) {
     this.sessionId = config.sessionId ?? generateSessionId();
     const storage = config.storage ?? new MemoryStorage();
 
-    // Set authorization server metadata if provided
-    if (config.authorizationServerMetadata) {
-      this.authorizationServerMetadata =
-        config.authorizationServerMetadata as AuthorizationServerMetadata;
+    // Set token endpoint if provided
+    if (config.tokenEndpoint) {
+      this.tokenEndpoint = config.tokenEndpoint;
     }
 
+    // Store redirect URI
+    this.redirectUri = config.redirectUri;
+
+    // Store token refresh configuration
+    this.tokenRefreshConfig = {
+      maxRetries: 3,
+      retryDelay: 1000,
+      ...(config.tokenRefresh ?? {}),
+    };
+
+    // Store client metadata
+    this._clientMetadata = {
+      ...DEFAULT_CLIENT_METADATA,
+      ...(config.clientMetadata ?? {}),
+      redirect_uris: config.redirectUri ? [config.redirectUri] : [], // Always required
+      scope: config.scope ?? DEFAULT_CLIENT_METADATA.scope,
+    };
+
     this.oauthStorage = new OAuthStorage(storage, this.sessionId, {
       staticClientInfo: config.clientId
         ? {
@@ -64,42 +73,24 @@ export class MCPOAuthClientProvider implements OAuthClientProvider {
         : undefined,
       initialTokens: config.tokens,
     });
-
-    // Merge with defaults
-    this.config = {
-      clientId: config.clientId ?? '',
-      clientSecret: config.clientSecret ?? undefined,
-      redirectUri: config.redirectUri,
-      scope: config.scope ?? 'read write',
-      sessionId: this.sessionId,
-      storage,
-      tokens: config.tokens,
-      clientMetadata: {
-        ...DEFAULT_CLIENT_METADATA,
-        ...(config.clientMetadata ?? {}),
-        redirect_uris: [config.redirectUri], // Always required
-        scope: config.scope ?? DEFAULT_CLIENT_METADATA.scope,
-      },
-      tokenRefresh: {
-        maxRetries: 3,
-        retryDelay: 1000,
-        ...(config.tokenRefresh ?? {}),
-      },
-    };
   }
 
   /**
    * The URL to redirect the user agent to after authorization
    */
   get redirectUrl(): string | URL {
-    return this.config.redirectUri;
+    if (!this.redirectUri) {
+      throw new Error('No redirect URI configured for this OAuth client');
+    }
+
+    return this.redirectUri;
   }
 
   /**
    * Metadata about this OAuth client
    */
   get clientMetadata(): OAuthClientMetadata {
-    return this.config.clientMetadata;
+    return this._clientMetadata;
   }
 
   /**
@@ -144,11 +135,7 @@ export class MCPOAuthClientProvider implements OAuthClientProvider {
     const needsRefresh = areTokensExpired(currentTokens, undefined, 300);
 
     // If tokens need refresh and we have the server metadata and refresh token, refresh automatically
-    if (
-      needsRefresh &&
-      currentTokens.refresh_token &&
-      this.authorizationServerMetadata?.token_endpoint
-    ) {
+    if (needsRefresh && currentTokens.refresh_token && this.tokenEndpoint) {
       try {
         // Use the token endpoint from authorization server metadata
         const newTokens = await this.refreshTokens();
@@ -172,13 +159,13 @@ export class MCPOAuthClientProvider implements OAuthClientProvider {
    * @throws Error if no authorization server metadata is available
    */
   async refreshTokens(): Promise<OAuthTokens> {
-    if (!this.authorizationServerMetadata?.token_endpoint) {
+    if (!this.tokenEndpoint) {
       throw new Error(
-        'No authorization server metadata available. Cannot refresh tokens without token_endpoint.'
+        'No token endpoint available. Cannot refresh tokens without token_endpoint.'
       );
     }
 
-    const { maxRetries, retryDelay } = this.config.tokenRefresh;
+    const { maxRetries, retryDelay } = this.tokenRefreshConfig;
 
     const currentTokens = await this.oauthStorage.getTokens();
 
@@ -195,7 +182,7 @@ export class MCPOAuthClientProvider implements OAuthClientProvider {
     try {
       // Use helper function for retry logic with token endpoint
       const newTokens = await refreshTokensWithRetry(
-        this.authorizationServerMetadata.token_endpoint,
+        this.tokenEndpoint,
         clientInfo,
         currentTokens.refresh_token,
         this.addClientAuthentication,
@@ -283,6 +270,7 @@ export class MCPOAuthClientProvider implements OAuthClientProvider {
     const clientInfo = this.cachedClientInformation;
 
     this.authorizationServerMetadata = metadata;
+    this.tokenEndpoint = metadata?.token_endpoint;
 
     if (!clientInfo) {
       throw new Error('No client information available for authentication');