n8n 2.26.3 → 2.27.0

package/dist/modules/oauth-server/oauth-consent.controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-consent.controller.js","sourceRoot":"","sources":["../../../src/modules/oauth-server/oauth-consent.controller.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,wDAA6C;AAE7C,gDAAkE;AAGlE,mFAA6E;AAC7E,mEAA8D;AAC9D,mEAA8D;AAGvD,IAAM,sBAAsB,GAA5B,MAAM,sBAAsB;IAClC,YACkB,MAAc,EACd,cAAmC,EACnC,mBAAwC;QAFxC,WAAM,GAAN,MAAM,CAAQ;QACd,mBAAc,GAAd,cAAc,CAAqB;QACnC,wBAAmB,GAAnB,mBAAmB,CAAqB;IACvD,CAAC;IAGE,AAAN,KAAK,CAAC,iBAAiB,CAAC,GAAyB,EAAE,GAAa;QAC/D,IAAI,CAAC;YACJ,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC/D,IAAI,CAAC,YAAY;gBAAE,OAAO;YAE1B,MAAM,cAAc,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;YAEjF,IAAI,CAAC,cAAc,EAAE,CAAC;gBACrB,IAAI,CAAC,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBACxC,OAAO;YACR,CAAC;YAED,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;gBACxB,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC3C,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,6CAA6C,CAAC,CAAC;gBAChF,OAAO;YACR,CAAC;YAED,GAAG,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE;oBACL,UAAU,EAAE,cAAc,CAAC,UAAU;oBACrC,QAAQ,EAAE,cAAc,CAAC,QAAQ;oBACjC,YAAY,EAAE,cAAc,CAAC,YAAY;iBACzC;aACD,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC9D,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC3C,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,sCAAsC,CAAC,CAAC;QAC1E,CAAC;IACF,CAAC;IAGK,AAAN,KAAK,CAAC,cAAc,CACnB,GAAyB,EACzB,GAAa,EACP,OAAiC;QAEvC,IAAI,CAAC;YACJ,MAAM,YAAY,GAAG,IAAI,CAAC,0BAA0B,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YAC/D,IAAI,CAAC,YAAY;gBAAE,OAAO;YAE1B,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,qBAAqB,CAC7D,YAAY,EACZ,GAAG,CAAC,IAAI,CAAC,EAAE,EACX,OAAO,CAAC,QAAQ,CAChB,CAAC;YAEF,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAE3C,GAAG,CAAC,IAAI,CAAC;gBACR,IAAI,EAAE;oBACL,MAAM,EAAE,SAAS;oBACjB,WAAW,EAAE,MAAM,CAAC,WAAW;iBAC/B;aACD,CAAC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC3C,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iCAAiC,CAAC;YAC3F,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,OAAO,CAAC,CAAC;QAC3C,CAAC;IACF,CAAC;IAEO,iBAAiB,CAAC,GAAa,EAAE,UAAkB,EAAE,OAAe;QAC3E,GAAG,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC;YAC3B,MAAM,EAAE,OAAO;YACf,OAAO;SACP,CAAC,CAAC;IACJ,CAAC;IAEO,uBAAuB,CAAC,GAAa,EAAE,WAAW,GAAG,KAAK;QACjE,IAAI,WAAW,EAAE,CAAC;YACjB,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,GAAG,EAAE,0CAA0C,CAAC,CAAC;IAC9E,CAAC;IAEO,0BAA0B,CAAC,GAAyB,EAAE,GAAa;QAC1E,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,eAAe,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;QAC3E,IAAI,CAAC,YAAY,EAAE,CAAC;YACnB,IAAI,CAAC,uBAAuB,CAAC,GAAG,CAAC,CAAC;YAClC,OAAO,IAAI,CAAC;QACb,CAAC;QAED,IAAI,CAAC;YACJ,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YACrD,OAAO,YAAY,CAAC;QACrB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YACtD,IAAI,CAAC,uBAAuB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;YACxC,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;CACD,CAAA;AAtGY,wDAAsB;AAQ5B;IADL,IAAA,gBAAG,EAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;;;;+DA+BxC;AAGK;IADL,IAAA,iBAAI,EAAC,UAAU,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC;IAIxC,WAAA,iBAAI,CAAA;;qDAAU,sDAAwB;;4DA0BvC;iCAtEW,sBAAsB;IADlC,IAAA,2BAAc,EAAC,UAAU,CAAC;qCAGA,uBAAM;QACE,2CAAmB;QACd,2CAAmB;GAJ9C,sBAAsB,CAsGlC"}

package/dist/modules/{mcp/mcp-oauth-consent.service.d.ts → oauth-server/oauth-consent.service.d.ts}

@@ -1,20 +1,29 @@
 import { Logger } from '@n8n/backend-common';
 import { OAuthClientRepository } from './database/repositories/oauth-client.repository';
 import { UserConsentRepository } from './database/repositories/oauth-user-consent.repository';
-import { McpOAuthAuthorizationCodeService } from './mcp-oauth-authorization-code.service';
+import { OAuthAuthorizationCodeService } from './oauth-authorization-code.service';
 import { OAuthSessionService } from './oauth-session.service';
-export declare class McpOAuthConsentService {
+import { ProtectedResourceRegistry } from '../../services/protected-resource.registry';
+type ConsentDetailsResult = {
+    ok: true;
+    clientName: string;
+    clientId: string;
+    resourceName?: string;
+} | {
+    ok: false;
+    reason: 'resource_unavailable';
+};
+export declare class OAuthConsentService {
     private readonly logger;
     private readonly oauthSessionService;
     private readonly oauthClientRepository;
     private readonly userConsentRepository;
     private readonly authorizationCodeService;
-    constructor(logger: Logger, oauthSessionService: OAuthSessionService, oauthClientRepository: OAuthClientRepository, userConsentRepository: UserConsentRepository, authorizationCodeService: McpOAuthAuthorizationCodeService);
-    getConsentDetails(sessionToken: string): Promise<{
-        clientName: string;
-        clientId: string;
-    } | null>;
+    private readonly protectedResourceRegistry;
+    constructor(logger: Logger, oauthSessionService: OAuthSessionService, oauthClientRepository: OAuthClientRepository, userConsentRepository: UserConsentRepository, authorizationCodeService: OAuthAuthorizationCodeService, protectedResourceRegistry: ProtectedResourceRegistry);
+    getConsentDetails(sessionToken: string): Promise<ConsentDetailsResult | null>;
     handleConsentDecision(sessionToken: string, userId: string, approved: boolean): Promise<{
         redirectUrl: string;
     }>;
 }
+export {};

package/dist/modules/{mcp/mcp-oauth-consent.service.js → oauth-server/oauth-consent.service.js}

@@ -9,22 +9,24 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpOAuthConsentService = void 0;
+exports.OAuthConsentService = void 0;
 const backend_common_1 = require("@n8n/backend-common");
 const di_1 = require("@n8n/di");
 const n8n_workflow_1 = require("n8n-workflow");
 const oauth_client_repository_1 = require("./database/repositories/oauth-client.repository");
 const oauth_user_consent_repository_1 = require("./database/repositories/oauth-user-consent.repository");
-const mcp_oauth_authorization_code_service_1 = require("./mcp-oauth-authorization-code.service");
-const mcp_oauth_helpers_1 = require("./mcp-oauth.helpers");
+const oauth_authorization_code_service_1 = require("./oauth-authorization-code.service");
 const oauth_session_service_1 = require("./oauth-session.service");
-let McpOAuthConsentService = class McpOAuthConsentService {
-    constructor(logger, oauthSessionService, oauthClientRepository, userConsentRepository, authorizationCodeService) {
+const oauth_helpers_1 = require("./oauth.helpers");
+const protected_resource_registry_1 = require("../../services/protected-resource.registry");
+let OAuthConsentService = class OAuthConsentService {
+    constructor(logger, oauthSessionService, oauthClientRepository, userConsentRepository, authorizationCodeService, protectedResourceRegistry) {
         this.logger = logger;
         this.oauthSessionService = oauthSessionService;
         this.oauthClientRepository = oauthClientRepository;
         this.userConsentRepository = userConsentRepository;
         this.authorizationCodeService = authorizationCodeService;
+        this.protectedResourceRegistry = protectedResourceRegistry;
     }
     async getConsentDetails(sessionToken) {
         try {
@@ -35,7 +37,20 @@ let McpOAuthConsentService = class McpOAuthConsentService {
             if (!client) {
                 return null;
             }
+            if (sessionPayload.resource) {
+                const resource = await this.protectedResourceRegistry.getByResourceUrl(sessionPayload.resource);
+                if (!resource) {
+                    return { ok: false, reason: 'resource_unavailable' };
+                }
+                return {
+                    ok: true,
+                    clientName: client.name,
+                    clientId: client.id,
+                    resourceName: resource.displayName,
+                };
+            }
             return {
+                ok: true,
                 clientName: client.name,
                 clientId: client.id,
             };
@@ -54,7 +69,7 @@ let McpOAuthConsentService = class McpOAuthConsentService {
             throw new n8n_workflow_1.UserError('Invalid or expired session');
         }
         if (!approved) {
-            const redirectUrl = mcp_oauth_helpers_1.McpOAuthHelpers.buildErrorRedirectUrl(sessionPayload.redirectUri, 'access_denied', 'User denied the authorization request', sessionPayload.state);
+            const redirectUrl = oauth_helpers_1.OAuthHelpers.buildErrorRedirectUrl(sessionPayload.redirectUri, 'access_denied', 'User denied the authorization request', sessionPayload.state);
             this.logger.info('Consent denied', {
                 clientId: sessionPayload.clientId,
                 userId,
@@ -67,7 +82,7 @@ let McpOAuthConsentService = class McpOAuthConsentService {
             grantedAt: Date.now(),
         }, ['userId', 'clientId']);
         const code = await this.authorizationCodeService.createAuthorizationCode(sessionPayload.clientId, userId, sessionPayload.redirectUri, sessionPayload.codeChallenge, sessionPayload.state, sessionPayload.resource);
-        const successRedirectUrl = mcp_oauth_helpers_1.McpOAuthHelpers.buildSuccessRedirectUrl(sessionPayload.redirectUri, code, sessionPayload.state);
+        const successRedirectUrl = oauth_helpers_1.OAuthHelpers.buildSuccessRedirectUrl(sessionPayload.redirectUri, code, sessionPayload.state);
         this.logger.info('Consent approved', {
             clientId: sessionPayload.clientId,
             userId,
@@ -75,13 +90,14 @@ let McpOAuthConsentService = class McpOAuthConsentService {
         return { redirectUrl: successRedirectUrl };
     }
 };
-exports.McpOAuthConsentService = McpOAuthConsentService;
-exports.McpOAuthConsentService = McpOAuthConsentService = __decorate([
+exports.OAuthConsentService = OAuthConsentService;
+exports.OAuthConsentService = OAuthConsentService = __decorate([
     (0, di_1.Service)(),
     __metadata("design:paramtypes", [backend_common_1.Logger,
         oauth_session_service_1.OAuthSessionService,
         oauth_client_repository_1.OAuthClientRepository,
         oauth_user_consent_repository_1.UserConsentRepository,
-        mcp_oauth_authorization_code_service_1.McpOAuthAuthorizationCodeService])
-], McpOAuthConsentService);
-//# sourceMappingURL=mcp-oauth-consent.service.js.map
+        oauth_authorization_code_service_1.OAuthAuthorizationCodeService,
+        protected_resource_registry_1.ProtectedResourceRegistry])
+], OAuthConsentService);
+//# sourceMappingURL=oauth-consent.service.js.map

package/dist/modules/oauth-server/oauth-consent.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-consent.service.js","sourceRoot":"","sources":["../../../src/modules/oauth-server/oauth-consent.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,wDAA6C;AAC7C,gCAAkC;AAClC,+CAAyC;AAEzC,6FAAwF;AACxF,yGAA8F;AAC9F,yFAAmF;AACnF,mEAAwF;AACxF,mDAA+C;AAC/C,wFAAmF;AAW5E,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAC/B,YACkB,MAAc,EACd,mBAAwC,EACxC,qBAA4C,EAC5C,qBAA4C,EAC5C,wBAAuD,EACvD,yBAAoD;QALpD,WAAM,GAAN,MAAM,CAAQ;QACd,wBAAmB,GAAnB,mBAAmB,CAAqB;QACxC,0BAAqB,GAArB,qBAAqB,CAAuB;QAC5C,0BAAqB,GAArB,qBAAqB,CAAuB;QAC5C,6BAAwB,GAAxB,wBAAwB,CAA+B;QACvD,8BAAyB,GAAzB,yBAAyB,CAA2B;IACnE,CAAC;IAMJ,KAAK,CAAC,iBAAiB,CAAC,YAAoB;QAC3C,IAAI,CAAC;YACJ,MAAM,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;YAE5E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC;gBACvD,KAAK,EAAE,EAAE,EAAE,EAAE,cAAc,CAAC,QAAQ,EAAE;aACtC,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,EAAE,CAAC;gBACb,OAAO,IAAI,CAAC;YACb,CAAC;YAED,IAAI,cAAc,CAAC,QAAQ,EAAE,CAAC;gBAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,gBAAgB,CACrE,cAAc,CAAC,QAAQ,CACvB,CAAC;gBAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,sBAAsB,EAAE,CAAC;gBACtD,CAAC;gBAED,OAAO;oBACN,EAAE,EAAE,IAAI;oBACR,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,QAAQ,EAAE,MAAM,CAAC,EAAE;oBACnB,YAAY,EAAE,QAAQ,CAAC,WAAW;iBAClC,CAAC;YACH,CAAC;YAED,OAAO;gBACN,EAAE,EAAE,IAAI;gBACR,UAAU,EAAE,MAAM,CAAC,IAAI;gBACvB,QAAQ,EAAE,MAAM,CAAC,EAAE;aACnB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;YAC9D,OAAO,IAAI,CAAC;QACb,CAAC;IACF,CAAC;IAMD,KAAK,CAAC,qBAAqB,CAC1B,YAAoB,EACpB,MAAc,EACd,QAAiB;QAEjB,IAAI,cAAmC,CAAC;QACxC,IAAI,CAAC;YACJ,cAAc,GAAG,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,YAAY,CAAC,CAAC;QACvE,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,MAAM,IAAI,wBAAS,CAAC,4BAA4B,CAAC,CAAC;QACnD,CAAC;QAED,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,MAAM,WAAW,GAAG,4BAAY,CAAC,qBAAqB,CACrD,cAAc,CAAC,WAAW,EAC1B,eAAe,EACf,uCAAuC,EACvC,cAAc,CAAC,KAAK,CACpB,CAAC;YAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE;gBAClC,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,MAAM;aACN,CAAC,CAAC;YAEH,OAAO,EAAE,WAAW,EAAE,CAAC;QACxB,CAAC;QAED,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CACtC;YACC,MAAM;YACN,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE;SACrB,EACD,CAAC,QAAQ,EAAE,UAAU,CAAC,CACtB,CAAC;QAEF,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,uBAAuB,CACvE,cAAc,CAAC,QAAQ,EACvB,MAAM,EACN,cAAc,CAAC,WAAW,EAC1B,cAAc,CAAC,aAAa,EAC5B,cAAc,CAAC,KAAK,EACpB,cAAc,CAAC,QAAQ,CACvB,CAAC;QAEF,MAAM,kBAAkB,GAAG,4BAAY,CAAC,uBAAuB,CAC9D,cAAc,CAAC,WAAW,EAC1B,IAAI,EACJ,cAAc,CAAC,KAAK,CACpB,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,kBAAkB,EAAE;YACpC,QAAQ,EAAE,cAAc,CAAC,QAAQ;YACjC,MAAM;SACN,CAAC,CAAC;QAEH,OAAO,EAAE,WAAW,EAAE,kBAAkB,EAAE,CAAC;IAC5C,CAAC;CACD,CAAA;AArHY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,YAAO,GAAE;qCAGiB,uBAAM;QACO,2CAAmB;QACjB,+CAAqB;QACrB,qDAAqB;QAClB,gEAA6B;QAC5B,uDAAyB;GAP1D,mBAAmB,CAqH/B"}

package/dist/modules/oauth-server/oauth-server.module.d.ts

@@ -0,0 +1,5 @@
+import type { ModuleInterface } from '@n8n/decorators';
+export declare class OAuthServerModule implements ModuleInterface {
+    init(): Promise<void>;
+    entities(): Promise<never>;
+}

package/dist/modules/oauth-server/oauth-server.module.js

@@ -0,0 +1,75 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OAuthServerModule = void 0;
+const protected_resource_registry_1 = require("../../services/protected-resource.registry");
+const decorators_1 = require("@n8n/decorators");
+const di_1 = require("@n8n/di");
+const n8n_core_1 = require("n8n-core");
+let OAuthServerModule = class OAuthServerModule {
+    async init() {
+        if (di_1.Container.get(n8n_core_1.InstanceSettings).instanceType === 'main') {
+            await Promise.resolve().then(() => __importStar(require('./oauth.controller')));
+            await Promise.resolve().then(() => __importStar(require('./oauth-consent.controller')));
+            await Promise.resolve().then(() => __importStar(require('./oauth-clients.controller')));
+        }
+        const { OAuthTokenVerifierProxy } = await Promise.resolve().then(() => __importStar(require('../../services/oauth-token-verifier-proxy.service')));
+        const { OAuthTokenService } = await Promise.resolve().then(() => __importStar(require('./oauth-token.service')));
+        di_1.Container.get(OAuthTokenVerifierProxy).registerProvider(di_1.Container.get(OAuthTokenService));
+        const { WorkflowMcpTriggerResourceResolver } = await Promise.resolve().then(() => __importStar(require('./protected-resource-resolvers/workflow-mcp-trigger-resource.resolver')));
+        di_1.Container.get(protected_resource_registry_1.ProtectedResourceRegistry).registerResolver(di_1.Container.get(WorkflowMcpTriggerResourceResolver));
+        const { WorkflowMcpTestTriggerResourceResolver } = await Promise.resolve().then(() => __importStar(require('./protected-resource-resolvers/workflow-mcp-test-trigger-resource.resolver')));
+        di_1.Container.get(protected_resource_registry_1.ProtectedResourceRegistry).registerResolver(di_1.Container.get(WorkflowMcpTestTriggerResourceResolver));
+    }
+    async entities() {
+        const { OAuthClient } = await Promise.resolve().then(() => __importStar(require('./database/entities/oauth-client.entity')));
+        const { AuthorizationCode } = await Promise.resolve().then(() => __importStar(require('./database/entities/oauth-authorization-code.entity')));
+        const { AccessToken } = await Promise.resolve().then(() => __importStar(require('./database/entities/oauth-access-token.entity')));
+        const { RefreshToken } = await Promise.resolve().then(() => __importStar(require('./database/entities/oauth-refresh-token.entity')));
+        const { UserConsent } = await Promise.resolve().then(() => __importStar(require('./database/entities/oauth-user-consent.entity')));
+        return [OAuthClient, AuthorizationCode, AccessToken, RefreshToken, UserConsent];
+    }
+};
+exports.OAuthServerModule = OAuthServerModule;
+exports.OAuthServerModule = OAuthServerModule = __decorate([
+    (0, decorators_1.BackendModule)({ name: 'oauth-server', instanceTypes: ['main', 'webhook'] })
+], OAuthServerModule);
+//# sourceMappingURL=oauth-server.module.js.map

package/dist/modules/oauth-server/oauth-server.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-server.module.js","sourceRoot":"","sources":["../../../src/modules/oauth-server/oauth-server.module.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,wFAAmF;AAEnF,gDAAgD;AAChD,gCAAoC;AACpC,uCAA4C;AAWrC,IAAM,iBAAiB,GAAvB,MAAM,iBAAiB;IAC7B,KAAK,CAAC,IAAI;QAET,IAAI,cAAS,CAAC,GAAG,CAAC,2BAAgB,CAAC,CAAC,YAAY,KAAK,MAAM,EAAE,CAAC;YAC7D,wDAAa,oBAAoB,GAAC,CAAC;YACnC,wDAAa,4BAA4B,GAAC,CAAC;YAC3C,wDAAa,4BAA4B,GAAC,CAAC;QAC5C,CAAC;QAKD,MAAM,EAAE,uBAAuB,EAAE,GAAG,wDACnC,+CAA+C,GAC/C,CAAC;QACF,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAAa,uBAAuB,GAAC,CAAC;QACpE,cAAS,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAC,gBAAgB,CAAC,cAAS,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC,CAAC;QAE1F,MAAM,EAAE,kCAAkC,EAAE,GAAG,wDAC9C,uEAAuE,GACvE,CAAC;QACF,cAAS,CAAC,GAAG,CAAC,uDAAyB,CAAC,CAAC,gBAAgB,CACxD,cAAS,CAAC,GAAG,CAAC,kCAAkC,CAAC,CACjD,CAAC;QAEF,MAAM,EAAE,sCAAsC,EAAE,GAAG,wDAClD,4EAA4E,GAC5E,CAAC;QACF,cAAS,CAAC,GAAG,CAAC,uDAAyB,CAAC,CAAC,gBAAgB,CACxD,cAAS,CAAC,GAAG,CAAC,sCAAsC,CAAC,CACrD,CAAC;IACH,CAAC;IAED,KAAK,CAAC,QAAQ;QACb,MAAM,EAAE,WAAW,EAAE,GAAG,wDAAa,yCAAyC,GAAC,CAAC;QAChF,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAC7B,qDAAqD,GACrD,CAAC;QACF,MAAM,EAAE,WAAW,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;QACtF,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,gDAAgD,GAAC,CAAC;QACxF,MAAM,EAAE,WAAW,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;QAEtF,OAAO,CAAC,WAAW,EAAE,iBAAiB,EAAE,WAAW,EAAE,YAAY,EAAE,WAAW,CAAU,CAAC;IAC1F,CAAC;CACD,CAAA;AA5CY,8CAAiB;4BAAjB,iBAAiB;IAD7B,IAAA,0BAAa,EAAC,EAAE,IAAI,EAAE,cAAc,EAAE,aAAa,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC;GAC/D,iBAAiB,CA4C7B"}

package/dist/modules/{mcp/mcp-oauth-service.d.ts → oauth-server/oauth-server.service.d.ts}

@@ -8,11 +8,11 @@ import type { Response } from 'express';
 import { OAuthClient } from './database/entities/oauth-client.entity';
 import { OAuthClientRepository } from './database/repositories/oauth-client.repository';
 import { UserConsentRepository } from './database/repositories/oauth-user-consent.repository';
-import { McpOAuthAuthorizationCodeService } from './mcp-oauth-authorization-code.service';
-import { McpOAuthTokenService } from './mcp-oauth-token.service';
+import { OAuthAuthorizationCodeService } from './oauth-authorization-code.service';
 import { OAuthSessionService } from './oauth-session.service';
-export declare const SUPPORTED_SCOPES: string[];
-export declare class McpOAuthService implements OAuthServerProvider {
+import { OAuthTokenService } from './oauth-token.service';
+import { ProtectedResourceRegistry } from '../../services/protected-resource.registry';
+export declare class OAuthServerService implements OAuthServerProvider {
     private readonly logger;
     private readonly globalConfig;
     private readonly oauthSessionService;
@@ -20,7 +20,8 @@ export declare class McpOAuthService implements OAuthServerProvider {
     private readonly tokenService;
     private readonly authorizationCodeService;
     private readonly userConsentRepository;
-    constructor(logger: Logger, globalConfig: GlobalConfig, oauthSessionService: OAuthSessionService, oauthClientRepository: OAuthClientRepository, tokenService: McpOAuthTokenService, authorizationCodeService: McpOAuthAuthorizationCodeService, userConsentRepository: UserConsentRepository);
+    private readonly resourceRegistry;
+    constructor(logger: Logger, globalConfig: GlobalConfig, oauthSessionService: OAuthSessionService, oauthClientRepository: OAuthClientRepository, tokenService: OAuthTokenService, authorizationCodeService: OAuthAuthorizationCodeService, userConsentRepository: UserConsentRepository, resourceRegistry: ProtectedResourceRegistry);
     get clientsStore(): OAuthRegisteredClientsStore;
     isClientLimitReached(): Promise<boolean>;
     getInstanceClientStats(): Promise<{
@@ -35,7 +36,6 @@ export declare class McpOAuthService implements OAuthServerProvider {
     exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, redirectUri?: string, resource?: URL): Promise<OAuthTokens>;
     exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, _scopes?: string[], resource?: URL): Promise<OAuthTokens>;
     verifyAccessToken(token: string): Promise<AuthInfo>;
-    private getCanonicalMcpResourceUrl;
     private resolveAndValidateResourceIndicator;
     revokeToken(client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise<void>;
     getAllClients(userId: string): Promise<Array<Omit<OAuthClient, 'clientSecret' | 'clientSecretExpiresAt' | 'setUpdateDate'>>>;

package/dist/modules/{mcp/mcp-oauth-service.js → oauth-server/oauth-server.service.js}

@@ -9,22 +9,22 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpOAuthService = exports.SUPPORTED_SCOPES = void 0;
+exports.OAuthServerService = void 0;
 const errors_js_1 = require("@modelcontextprotocol/sdk/server/auth/errors.js");
 const backend_common_1 = require("@n8n/backend-common");
 const config_1 = require("@n8n/config");
 const di_1 = require("@n8n/di");
 const oauth_client_repository_1 = require("./database/repositories/oauth-client.repository");
 const oauth_user_consent_repository_1 = require("./database/repositories/oauth-user-consent.repository");
-const mcp_oauth_authorization_code_service_1 = require("./mcp-oauth-authorization-code.service");
-const mcp_oauth_token_service_1 = require("./mcp-oauth-token.service");
-const mcp_errors_1 = require("./mcp.errors");
+const oauth_authorization_code_service_1 = require("./oauth-authorization-code.service");
 const oauth_session_service_1 = require("./oauth-session.service");
-exports.SUPPORTED_SCOPES = ['tool:listWorkflows', 'tool:getWorkflowDetails'];
+const oauth_token_service_1 = require("./oauth-token.service");
+const oauth_errors_1 = require("./oauth.errors");
+const protected_resource_registry_1 = require("../../services/protected-resource.registry");
 const MAX_REDIRECT_URIS = 10;
 const MAX_REDIRECT_URI_LENGTH = 2048;
-let McpOAuthService = class McpOAuthService {
-    constructor(logger, globalConfig, oauthSessionService, oauthClientRepository, tokenService, authorizationCodeService, userConsentRepository) {
+let OAuthServerService = class OAuthServerService {
+    constructor(logger, globalConfig, oauthSessionService, oauthClientRepository, tokenService, authorizationCodeService, userConsentRepository, resourceRegistry) {
         this.logger = logger;
         this.globalConfig = globalConfig;
         this.oauthSessionService = oauthSessionService;
@@ -32,6 +32,7 @@ let McpOAuthService = class McpOAuthService {
         this.tokenService = tokenService;
         this.authorizationCodeService = authorizationCodeService;
         this.userConsentRepository = userConsentRepository;
+        this.resourceRegistry = resourceRegistry;
     }
     get clientsStore() {
         return {
@@ -51,7 +52,7 @@ let McpOAuthService = class McpOAuthService {
                         client_secret_expires_at: client.clientSecretExpiresAt,
                     }),
                     response_types: ['code'],
-                    scope: exports.SUPPORTED_SCOPES.join(' '),
+                    scope: this.resourceRegistry.getAllScopes().join(' '),
                     logo_uri: undefined,
                     tos_uri: undefined,
                 };
@@ -86,8 +87,8 @@ let McpOAuthService = class McpOAuthService {
         const limit = this.globalConfig.endpoints.mcpMaxRegisteredClients;
         if (clientCount > limit) {
             await this.oauthClientRepository.delete({ id: clientId });
-            this.logger.warn('MCP OAuth client registration rejected: instance limit reached (post-insert rollback)', { limit, clientCount });
-            throw new mcp_errors_1.McpClientLimitReachedError(limit);
+            this.logger.warn('OAuth client registration rejected: instance limit reached (post-insert rollback)', { limit, clientCount });
+            throw new oauth_errors_1.OAuthClientLimitReachedError(limit);
         }
     }
     validateClientRegistration(client) {
@@ -112,7 +113,7 @@ let McpOAuthService = class McpOAuthService {
     async authorize(client, params, res) {
         this.logger.debug('Starting OAuth authorization', { clientId: client.client_id });
         try {
-            const resource = this.resolveAndValidateResourceIndicator(params.resource?.toString());
+            const resource = await this.resolveAndValidateResourceIndicator(params.resource?.toString());
             this.oauthSessionService.createSession(res, {
                 clientId: client.client_id,
                 redirectUri: params.redirectUri,
@@ -147,10 +148,10 @@ let McpOAuthService = class McpOAuthService {
     async exchangeAuthorizationCode(client, authorizationCode, _codeVerifier, redirectUri, resource) {
         const authRecord = await this.authorizationCodeService.findAuthorizationCode(authorizationCode, client.client_id, redirectUri);
         if (!authRecord) {
-            throw new errors_js_1.OAuthError('invalid_grant', 'Invalid authorization code');
+            throw new errors_js_1.InvalidGrantError('Invalid authorization code');
         }
         const resourceStr = resource?.toString();
-        const tokenResource = this.resolveAndValidateResourceIndicator(resourceStr);
+        const tokenResource = await this.resolveAndValidateResourceIndicator(resourceStr);
         let finalResource;
         const codeResource = authRecord.resource ?? undefined;
         if (tokenResource && codeResource) {
@@ -174,22 +175,23 @@ let McpOAuthService = class McpOAuthService {
     }
     async exchangeRefreshToken(client, refreshToken, _scopes, resource) {
         const resourceStr = resource?.toString();
-        return await this.tokenService.validateAndRotateRefreshToken(refreshToken, client.client_id, this.resolveAndValidateResourceIndicator(resourceStr));
+        return await this.tokenService.validateAndRotateRefreshToken(refreshToken, client.client_id, await this.resolveAndValidateResourceIndicator(resourceStr));
     }
     async verifyAccessToken(token) {
         return await this.tokenService.verifyAccessToken(token);
     }
-    getCanonicalMcpResourceUrl() {
-        return this.tokenService.getCanonicalResourceUrl();
-    }
-    resolveAndValidateResourceIndicator(resource) {
+    async resolveAndValidateResourceIndicator(resource) {
         if (resource === undefined) {
             return undefined;
         }
-        const canonicalResource = this.getCanonicalMcpResourceUrl();
         const normalizedResource = resource.replace(/\/$/, '');
-        if (normalizedResource !== canonicalResource) {
-            throw new InvalidResourceIndicatorError(resource, canonicalResource);
+        const match = await this.resourceRegistry.getByResourceUrl(normalizedResource);
+        if (!match) {
+            const knownResources = this.resourceRegistry
+                .getAll()
+                .map((registered) => registered.getResourceUrl())
+                .join(', ');
+            throw new InvalidResourceIndicatorError(resource, knownResources);
         }
         return normalizedResource;
     }
@@ -237,22 +239,23 @@ let McpOAuthService = class McpOAuthService {
         });
     }
 };
-exports.McpOAuthService = McpOAuthService;
-exports.McpOAuthService = McpOAuthService = __decorate([
+exports.OAuthServerService = OAuthServerService;
+exports.OAuthServerService = OAuthServerService = __decorate([
     (0, di_1.Service)(),
     __metadata("design:paramtypes", [backend_common_1.Logger,
         config_1.GlobalConfig,
         oauth_session_service_1.OAuthSessionService,
         oauth_client_repository_1.OAuthClientRepository,
-        mcp_oauth_token_service_1.McpOAuthTokenService,
-        mcp_oauth_authorization_code_service_1.McpOAuthAuthorizationCodeService,
-        oauth_user_consent_repository_1.UserConsentRepository])
-], McpOAuthService);
-class InvalidResourceIndicatorError extends errors_js_1.OAuthError {
+        oauth_token_service_1.OAuthTokenService,
+        oauth_authorization_code_service_1.OAuthAuthorizationCodeService,
+        oauth_user_consent_repository_1.UserConsentRepository,
+        protected_resource_registry_1.ProtectedResourceRegistry])
+], OAuthServerService);
+class InvalidResourceIndicatorError extends errors_js_1.InvalidTargetError {
     constructor(resource, expectedResource) {
-        super('invalid_target', 'Invalid resource indicator');
+        super('Invalid resource indicator');
         this.resource = resource;
         this.expectedResource = expectedResource;
     }
 }
-//# sourceMappingURL=mcp-oauth-service.js.map
+//# sourceMappingURL=oauth-server.service.js.map

package/dist/modules/oauth-server/oauth-server.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-server.service.js","sourceRoot":"","sources":["../../../src/modules/oauth-server/oauth-server.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AACA,+EAGyD;AAWzD,wDAA6C;AAC7C,wCAA2C;AAC3C,gCAAkC;AAIlC,6FAAwF;AACxF,yGAA8F;AAC9F,yFAAmF;AACnF,mEAA8D;AAC9D,+DAA0D;AAC1D,iDAA8D;AAC9D,wFAAmF;AAGnF,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAG7B,MAAM,uBAAuB,GAAG,IAAI,CAAC;AAO9B,IAAM,kBAAkB,GAAxB,MAAM,kBAAkB;IAC9B,YACkB,MAAc,EACd,YAA0B,EAC1B,mBAAwC,EACxC,qBAA4C,EAC5C,YAA+B,EAC/B,wBAAuD,EACvD,qBAA4C,EAC5C,gBAA2C;QAP3C,WAAM,GAAN,MAAM,CAAQ;QACd,iBAAY,GAAZ,YAAY,CAAc;QAC1B,wBAAmB,GAAnB,mBAAmB,CAAqB;QACxC,0BAAqB,GAArB,qBAAqB,CAAuB;QAC5C,iBAAY,GAAZ,YAAY,CAAmB;QAC/B,6BAAwB,GAAxB,wBAAwB,CAA+B;QACvD,0BAAqB,GAArB,qBAAqB,CAAuB;QAC5C,qBAAgB,GAAhB,gBAAgB,CAA2B;IAC1D,CAAC;IAEJ,IAAI,YAAY;QACf,OAAO;YACN,SAAS,EAAE,KAAK,EAAE,QAAgB,EAAmD,EAAE;gBACtF,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;gBAC5E,IAAI,CAAC,MAAM,EAAE,CAAC;oBACb,OAAO,SAAS,CAAC;gBAClB,CAAC;gBAED,OAAO;oBACN,SAAS,EAAE,MAAM,CAAC,EAAE;oBACpB,WAAW,EAAE,MAAM,CAAC,IAAI;oBACxB,aAAa,EAAE,MAAM,CAAC,YAAY;oBAClC,WAAW,EAAE,MAAM,CAAC,UAAU;oBAC9B,0BAA0B,EAAE,MAAM,CAAC,uBAAuB;oBAC1D,GAAG,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE,aAAa,EAAE,MAAM,CAAC,YAAY,EAAE,CAAC;oBAClE,GAAG,CAAC,MAAM,CAAC,qBAAqB,IAAI;wBACnC,wBAAwB,EAAE,MAAM,CAAC,qBAAqB;qBACtD,CAAC;oBACF,cAAc,EAAE,CAAC,MAAM,CAAC;oBACxB,KAAK,EAAE,IAAI,CAAC,gBAAgB,CAAC,YAAY,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;oBACrD,QAAQ,EAAE,SAAS;oBACnB,OAAO,EAAE,SAAS;iBAClB,CAAC;YACH,CAAC;YACD,cAAc,EAAE,KAAK,EACpB,MAAkC,EACI,EAAE;gBACxC,IAAI,CAAC,0BAA0B,CAAC,MAAM,CAAC,CAAC;gBAExC,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC;oBACvC,EAAE,EAAE,MAAM,CAAC,SAAS;oBACpB,IAAI,EAAE,MAAM,CAAC,WAAW;oBACxB,YAAY,EAAE,MAAM,CAAC,aAAa;oBAClC,UAAU,EAAE,MAAM,CAAC,WAAW;oBAC9B,YAAY,EAAE,MAAM,CAAC,aAAa,IAAI,IAAI;oBAC1C,qBAAqB,EAAE,MAAM,CAAC,wBAAwB,IAAI,IAAI;oBAC9D,uBAAuB,EAAE,MAAM,CAAC,0BAA0B,IAAI,MAAM;iBACpE,CAAC,CAAC;gBAEH,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;gBAEhD,OAAO,MAAM,CAAC;YACf,CAAC;SACD,CAAC;IACH,CAAC;IAGD,KAAK,CAAC,oBAAoB;QACzB,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC7D,OAAO,WAAW,IAAI,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,uBAAuB,CAAC;IAC3E,CAAC;IAED,KAAK,CAAC,sBAAsB;QAK3B,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QACvD,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,uBAAuB,CAAC;QAClE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,KAAK,IAAI,KAAK,EAAE,CAAC;IACrD,CAAC;IAUO,KAAK,CAAC,kBAAkB,CAAC,QAAgB;QAChD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,KAAK,EAAE,CAAC;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,SAAS,CAAC,uBAAuB,CAAC;QAClE,IAAI,WAAW,GAAG,KAAK,EAAE,CAAC;YACzB,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;YAC1D,IAAI,CAAC,MAAM,CAAC,IAAI,CACf,mFAAmF,EACnF,EAAE,KAAK,EAAE,WAAW,EAAE,CACtB,CAAC;YACF,MAAM,IAAI,2CAA4B,CAAC,KAAK,CAAC,CAAC;QAC/C,CAAC;IACF,CAAC;IAEO,0BAA0B,CAAC,MAAkC;QACpE,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC5C,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5D,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;QAC5C,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC9C,CAAC;QAED,IAAI,MAAM,CAAC,aAAa,CAAC,MAAM,GAAG,iBAAiB,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,0CAA0C,iBAAiB,EAAE,CAAC,CAAC;QAChF,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,aAAa,EAAE,CAAC;YACxC,IAAI,GAAG,CAAC,MAAM,GAAG,uBAAuB,EAAE,CAAC;gBAC1C,MAAM,IAAI,KAAK,CACd,0CAA0C,uBAAuB,aAAa,CAC9E,CAAC;YACH,CAAC;QACF,CAAC;IACF,CAAC;IAED,KAAK,CAAC,SAAS,CACd,MAAkC,EAClC,MAA2B,EAC3B,GAAa;QAEb,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;QAElF,IAAI,CAAC;YACJ,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,mCAAmC,CAAC,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC;YAE7F,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,GAAG,EAAE;gBAC3C,QAAQ,EAAE,MAAM,CAAC,SAAS;gBAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;gBAC/B,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI;gBAC3B,QAAQ;aACR,CAAC,CAAC;YAEH,GAAG,CAAC,QAAQ,CAAC,gBAAgB,CAAC,CAAC;QAChC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YAChB,IAAI,KAAK,YAAY,6BAA6B,EAAE,CAAC;gBACpD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6DAA6D,EAAE;oBAC/E,QAAQ,EAAE,MAAM,CAAC,SAAS;oBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,gBAAgB,EAAE,KAAK,CAAC,gBAAgB;iBACxC,CAAC,CAAC;gBACH,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;gBAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;oBACpB,KAAK,EAAE,gBAAgB;oBACvB,iBAAiB,EAAE,4BAA4B;iBAC/C,CAAC,CAAC;gBACH,OAAO;YACR,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC;YACtF,IAAI,CAAC,mBAAmB,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YAC3C,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,cAAc,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC7F,CAAC;IACF,CAAC;IAED,KAAK,CAAC,6BAA6B,CAClC,MAAkC,EAClC,iBAAyB;QAEzB,OAAO,MAAM,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAC1D,iBAAiB,EACjB,MAAM,CAAC,SAAS,CAChB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,yBAAyB,CAC9B,MAAkC,EAClC,iBAAyB,EACzB,aAAsB,EACtB,WAAoB,EACpB,QAAc;QAEd,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,qBAAqB,CAC3E,iBAAiB,EACjB,MAAM,CAAC,SAAS,EAChB,WAAW,CACX,CAAC;QAEF,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,MAAM,IAAI,6BAAiB,CAAC,4BAA4B,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,WAAW,GAAG,QAAQ,EAAE,QAAQ,EAAE,CAAC;QACzC,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,mCAAmC,CAAC,WAAW,CAAC,CAAC;QAKlF,IAAI,aAAiC,CAAC;QACtC,MAAM,YAAY,GAAG,UAAU,CAAC,QAAQ,IAAI,SAAS,CAAC;QAEtD,IAAI,aAAa,IAAI,YAAY,EAAE,CAAC;YACnC,IAAI,aAAa,KAAK,YAAY,EAAE,CAAC;gBACpC,MAAM,IAAI,6BAA6B,CAAC,aAAa,EAAE,YAAY,CAAC,CAAC;YACtE,CAAC;YACD,aAAa,GAAG,aAAa,CAAC;QAC/B,CAAC;aAAM,CAAC;YACP,aAAa,GAAG,aAAa,IAAI,YAAY,CAAC;QAC/C,CAAC;QAED,MAAM,IAAI,CAAC,wBAAwB,CAAC,2BAA2B,CAAC,iBAAiB,CAAC,CAAC;QAEnF,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC,iBAAiB,CACxE,UAAU,CAAC,MAAM,EACjB,MAAM,CAAC,SAAS,EAChB,aAAa,CACb,CAAC;QAEF,MAAM,IAAI,CAAC,YAAY,CAAC,aAAa,CACpC,WAAW,EACX,YAAY,EACZ,MAAM,CAAC,SAAS,EAChB,UAAU,CAAC,MAAM,CACjB,CAAC;QAEF,OAAO;YACN,YAAY,EAAE,WAAW;YACzB,UAAU,EAAE,QAAQ;YACpB,UAAU,EAAE,IAAI,CAAC,YAAY,CAAC,2BAA2B,EAAE;YAC3D,aAAa,EAAE,YAAY;SAC3B,CAAC;IACH,CAAC;IAKD,KAAK,CAAC,oBAAoB,CACzB,MAAkC,EAClC,YAAoB,EACpB,OAAkB,EAClB,QAAc;QAEd,MAAM,WAAW,GAAG,QAAQ,EAAE,QAAQ,EAAE,CAAC;QACzC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,6BAA6B,CAC3D,YAAY,EACZ,MAAM,CAAC,SAAS,EAChB,MAAM,IAAI,CAAC,mCAAmC,CAAC,WAAW,CAAC,CAC3D,CAAC;IACH,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAa;QACpC,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;IACzD,CAAC;IAKO,KAAK,CAAC,mCAAmC,CAChD,QAA4B;QAE5B,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC5B,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,MAAM,kBAAkB,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QACvD,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,gBAAgB,CAAC,kBAAkB,CAAC,CAAC;QAC/E,IAAI,CAAC,KAAK,EAAE,CAAC;YACZ,MAAM,cAAc,GAAG,IAAI,CAAC,gBAAgB;iBAC1C,MAAM,EAAE;iBACR,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;iBAChD,IAAI,CAAC,IAAI,CAAC,CAAC;YACb,MAAM,IAAI,6BAA6B,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QACnE,CAAC;QAED,OAAO,kBAAkB,CAAC;IAC3B,CAAC;IAED,KAAK,CAAC,WAAW,CAChB,MAAkC,EAClC,OAAoC;QAEpC,MAAM,EAAE,KAAK,EAAE,eAAe,EAAE,GAAG,OAAO,CAAC;QAE3C,IAAI,CAAC,eAAe,IAAI,eAAe,KAAK,cAAc,EAAE,CAAC;YAC5D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YACnF,IAAI,OAAO,EAAE,CAAC;gBACb,OAAO;YACR,CAAC;QACF,CAAC;QAED,IAAI,CAAC,eAAe,IAAI,eAAe,KAAK,eAAe,EAAE,CAAC;YAC7D,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;YACpF,IAAI,OAAO,EAAE,CAAC;gBACb,OAAO;YACR,CAAC;QACF,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8CAA8C,EAAE;YACjE,QAAQ,EAAE,MAAM,CAAC,SAAS;SAC1B,CAAC,CAAC;IACJ,CAAC;IAKD,KAAK,CAAC,aAAa,CAClB,MAAc;QAGd,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAGnF,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE;YACnC,MAAM,EAAE,YAAY,EAAE,qBAAqB,EAAE,GAAG,eAAe,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC;YACnF,OAAO,eAAe,CAAC;QACxB,CAAC,CAAC,CAAC;IACJ,CAAC;IAMD,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,MAAc;QAElD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,OAAO,CAAC;YACvD,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE;SACvB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,YAAY,CAAC,CAAC;QAC/D,CAAC;QAGD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;QACjF,IAAI,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,wBAAwB,QAAQ,YAAY,CAAC,CAAC;QAC/D,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,wCAAwC,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAEzE,MAAM,IAAI,CAAC,qBAAqB,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAC;QAE1D,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,mCAAmC,EAAE;YACrD,QAAQ;YACR,UAAU,EAAE,MAAM,CAAC,IAAI;SACvB,CAAC,CAAC;IACJ,CAAC;CACD,CAAA;AAvVY,gDAAkB;6BAAlB,kBAAkB;IAD9B,IAAA,YAAO,GAAE;qCAGiB,uBAAM;QACA,qBAAY;QACL,2CAAmB;QACjB,+CAAqB;QAC9B,uCAAiB;QACL,gEAA6B;QAChC,qDAAqB;QAC1B,uDAAyB;GATjD,kBAAkB,CAuV9B;AAKD,MAAM,6BAA8B,SAAQ,8BAAkB;IAC7D,YACU,QAAgB,EAChB,gBAAwB;QAEjC,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAH3B,aAAQ,GAAR,QAAQ,CAAQ;QAChB,qBAAgB,GAAhB,gBAAgB,CAAQ;IAGlC,CAAC;CACD"}

package/dist/modules/oauth-server/oauth-session.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-session.service.js","sourceRoot":"","sources":["../../../src/modules/oauth-server/oauth-session.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,8CAAsC;AACtC,gCAAkC;AAGlC,wDAAoD;AAUpD,MAAM,WAAW,GAAG,mBAAmB,CAAC;AACxC,MAAM,iBAAiB,GAAG,EAAE,GAAG,gBAAI,CAAC,OAAO,CAAC,cAAc,CAAC;AAOpD,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAC/B,YAA6B,UAAsB;QAAtB,eAAU,GAAV,UAAU,CAAY;IAAG,CAAC;IAKvD,aAAa,CAAC,GAAa,EAAE,OAA4B;QACxD,MAAM,YAAY,GAAG,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,EAAE;YAClD,SAAS,EAAE,KAAK;SAChB,CAAC,CAAC;QAEH,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,YAAY,EAAE;YACrC,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;YAC7C,QAAQ,EAAE,KAAK;YACf,MAAM,EAAE,iBAAiB;SACzB,CAAC,CAAC;IACJ,CAAC;IAKD,aAAa,CAAC,YAAoB;QACjC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAsB,YAAY,CAAC,CAAC;IAClE,CAAC;IAKD,YAAY,CAAC,GAAa;QACzB,GAAG,CAAC,WAAW,CAAC,WAAW,CAAC,CAAC;IAC9B,CAAC;IAKD,eAAe,CAAC,OAA2C;QAC1D,OAAO,OAAO,CAAC,WAAW,CAAC,CAAC;IAC7B,CAAC;CACD,CAAA;AAvCY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,YAAO,GAAE;qCAEgC,wBAAU;GADvC,mBAAmB,CAuC/B"}

package/dist/modules/{mcp/mcp-oauth-token.service.d.ts → oauth-server/oauth-token.service.d.ts}

@@ -4,22 +4,19 @@ import { Logger } from '@n8n/backend-common';
 import { UserRepository } from '@n8n/db';
 import { AccessTokenRepository } from './database/repositories/oauth-access-token.repository';
 import { RefreshTokenRepository } from './database/repositories/oauth-refresh-token.repository';
-import { UserWithContext } from './mcp.types';
 import { JwtService } from '../../services/jwt.service';
-import { UrlService } from '../../services/url.service';
-export declare class McpOAuthTokenService {
+import type { OAuthTokenVerifier, UserWithContext } from '../../services/oauth-token-verifier-proxy.service';
+import { ProtectedResourceRegistry } from '../../services/protected-resource.registry';
+export declare class OAuthTokenService implements OAuthTokenVerifier {
     private readonly logger;
     private readonly jwtService;
     private readonly userRepository;
     private readonly accessTokenRepository;
     private readonly refreshTokenRepository;
-    private readonly urlService;
-    private readonly LEGACY_MCP_AUDIENCE;
-    private readonly MCP_RESOURCE_PATH;
+    private readonly resourceRegistry;
     private readonly ACCESS_TOKEN_EXPIRY_SECONDS;
     private readonly REFRESH_TOKEN_EXPIRY_MS;
-    constructor(logger: Logger, jwtService: JwtService, userRepository: UserRepository, accessTokenRepository: AccessTokenRepository, refreshTokenRepository: RefreshTokenRepository, urlService: UrlService);
-    getCanonicalResourceUrl(): string;
+    constructor(logger: Logger, jwtService: JwtService, userRepository: UserRepository, accessTokenRepository: AccessTokenRepository, refreshTokenRepository: RefreshTokenRepository, resourceRegistry: ProtectedResourceRegistry);
     getAccessTokenExpirySeconds(): number;
     generateTokenPair(userId: string, clientId: string, resource?: string): {
         accessToken: string;

package/dist/modules/{mcp/mcp-oauth-token.service.js → oauth-server/oauth-token.service.js}

@@ -9,7 +9,8 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpOAuthTokenService = void 0;
+exports.OAuthTokenService = void 0;
+const errors_js_1 = require("@modelcontextprotocol/sdk/server/auth/errors.js");
 const backend_common_1 = require("@n8n/backend-common");
 const constants_1 = require("@n8n/constants");
 const db_1 = require("@n8n/db");
@@ -21,31 +22,28 @@ const oauth_access_token_entity_1 = require("./database/entities/oauth-access-to
 const oauth_refresh_token_entity_1 = require("./database/entities/oauth-refresh-token.entity");
 const oauth_access_token_repository_1 = require("./database/repositories/oauth-access-token.repository");
 const oauth_refresh_token_repository_1 = require("./database/repositories/oauth-refresh-token.repository");
-const mcp_errors_1 = require("./mcp.errors");
+const oauth_errors_1 = require("./oauth.errors");
 const jwt_service_1 = require("../../services/jwt.service");
-const url_service_1 = require("../../services/url.service");
-let McpOAuthTokenService = class McpOAuthTokenService {
-    constructor(logger, jwtService, userRepository, accessTokenRepository, refreshTokenRepository, urlService) {
+const protected_resource_registry_1 = require("../../services/protected-resource.registry");
+let OAuthTokenService = class OAuthTokenService {
+    constructor(logger, jwtService, userRepository, accessTokenRepository, refreshTokenRepository, resourceRegistry) {
         this.logger = logger;
         this.jwtService = jwtService;
         this.userRepository = userRepository;
         this.accessTokenRepository = accessTokenRepository;
         this.refreshTokenRepository = refreshTokenRepository;
-        this.urlService = urlService;
-        this.LEGACY_MCP_AUDIENCE = 'mcp-server-api';
-        this.MCP_RESOURCE_PATH = '/mcp-server/http';
+        this.resourceRegistry = resourceRegistry;
         this.ACCESS_TOKEN_EXPIRY_SECONDS = 1 * constants_1.Time.hours.toSeconds;
         this.REFRESH_TOKEN_EXPIRY_MS = 30 * constants_1.Time.days.toMilliseconds;
     }
-    getCanonicalResourceUrl() {
-        const baseUrl = this.urlService.getInstanceBaseUrl().replace(/\/$/, '');
-        return `${baseUrl}${this.MCP_RESOURCE_PATH}`;
-    }
     getAccessTokenExpirySeconds() {
         return this.ACCESS_TOKEN_EXPIRY_SECONDS;
     }
     generateTokenPair(userId, clientId, resource) {
-        const audience = resource ?? this.getCanonicalResourceUrl();
+        const audience = resource ?? this.resourceRegistry.getDefaultResource()?.getResourceUrl();
+        if (!audience) {
+            throw new n8n_workflow_1.UnexpectedError('Cannot mint an OAuth access token: no resource requested and no default protected resource is registered');
+        }
         const accessToken = this.jwtService.sign({
             sub: userId,
             aud: audience,
@@ -85,7 +83,7 @@ let McpOAuthTokenService = class McpOAuthTokenService {
                 },
             });
             if (!refreshTokenRecord) {
-                throw new Error('Invalid refresh token');
+                throw new errors_js_1.InvalidGrantError('Invalid refresh token');
             }
             const result = await trx.delete(oauth_refresh_token_entity_1.RefreshToken, {
                 token: refreshToken,
@@ -94,7 +92,7 @@ let McpOAuthTokenService = class McpOAuthTokenService {
             });
             const numAffected = result.affected ?? 0;
             if (numAffected < 1) {
-                throw new Error('Invalid refresh token');
+                throw new errors_js_1.InvalidGrantError('Invalid refresh token');
             }
             const { accessToken, refreshToken: newRefreshToken } = this.generateTokenPair(refreshTokenRecord.userId, clientId, resource);
             await trx.insert(oauth_access_token_entity_1.AccessToken, {
@@ -123,22 +121,22 @@ let McpOAuthTokenService = class McpOAuthTokenService {
     async verifyAccessToken(token, expectedAudience) {
         let decoded;
         try {
-            const allowedAudiences = this.getAllowedAudiences(expectedAudience);
+            const allowedAudiences = await this.getAllowedAudiences(expectedAudience);
             decoded = this.verifyJwtWithAllowedAudiences(token, allowedAudiences);
         }
         catch (error) {
-            throw new mcp_errors_1.JWTVerificationError();
+            throw new oauth_errors_1.JWTVerificationError();
         }
         const clientId = this.getStringClaim(decoded, 'client_id');
         const userId = this.getStringClaim(decoded, 'sub');
         if (!clientId || !userId) {
-            throw new mcp_errors_1.JWTVerificationError();
+            throw new oauth_errors_1.JWTVerificationError();
         }
         const accessTokenRecord = await this.accessTokenRepository.findOne({
             where: { token },
         });
         if (!accessTokenRecord) {
-            throw new mcp_errors_1.AccessTokenNotFoundError();
+            throw new oauth_errors_1.AccessTokenNotFoundError();
         }
         return {
             token,
@@ -169,9 +167,9 @@ let McpOAuthTokenService = class McpOAuthTokenService {
         }
         catch (error) {
             const errorForSure = (0, n8n_workflow_1.ensureError)(error);
-            const reason = errorForSure instanceof mcp_errors_1.JWTVerificationError
+            const reason = errorForSure instanceof oauth_errors_1.JWTVerificationError
                 ? 'invalid_token'
-                : errorForSure instanceof mcp_errors_1.AccessTokenNotFoundError
+                : errorForSure instanceof oauth_errors_1.AccessTokenNotFoundError
                     ? 'token_not_found_in_db'
                     : 'unknown_error';
             return {
@@ -206,11 +204,12 @@ let McpOAuthTokenService = class McpOAuthTokenService {
         }
         return revoked;
     }
-    getAllowedAudiences(expectedAudience) {
-        if (expectedAudience && expectedAudience !== this.getCanonicalResourceUrl()) {
-            return [expectedAudience, this.getCanonicalResourceUrl(), this.LEGACY_MCP_AUDIENCE];
+    async getAllowedAudiences(expectedAudience) {
+        if (expectedAudience) {
+            const resource = await this.resourceRegistry.getByResourceUrl(expectedAudience);
+            return resource ? resource.getAudiences() : [expectedAudience];
         }
-        return [this.getCanonicalResourceUrl(), this.LEGACY_MCP_AUDIENCE];
+        return this.resourceRegistry.getAllAudiences();
     }
     verifyJwtWithAllowedAudiences(token, audiences) {
         try {
@@ -237,14 +236,14 @@ let McpOAuthTokenService = class McpOAuthTokenService {
         return typeof claimValue === 'string' ? claimValue : null;
     }
 };
-exports.McpOAuthTokenService = McpOAuthTokenService;
-exports.McpOAuthTokenService = McpOAuthTokenService = __decorate([
+exports.OAuthTokenService = OAuthTokenService;
+exports.OAuthTokenService = OAuthTokenService = __decorate([
     (0, di_1.Service)(),
     __metadata("design:paramtypes", [backend_common_1.Logger,
         jwt_service_1.JwtService,
         db_1.UserRepository,
         oauth_access_token_repository_1.AccessTokenRepository,
         oauth_refresh_token_repository_1.RefreshTokenRepository,
-        url_service_1.UrlService])
-], McpOAuthTokenService);
-//# sourceMappingURL=mcp-oauth-token.service.js.map
+        protected_resource_registry_1.ProtectedResourceRegistry])
+], OAuthTokenService);
+//# sourceMappingURL=oauth-token.service.js.map