fastmcp 2.12.5__py3-none-any.whl → 2.13.2__py3-none-any.whl

fastmcp/server/auth/providers/jwt.py

@@ -16,6 +16,7 @@ from pydantic_settings import BaseSettings, SettingsConfigDict
 from typing_extensions import TypedDict
 
 from fastmcp.server.auth import AccessToken, TokenVerifier
+from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
 from fastmcp.utilities.types import NotSet, NotSetT
@@ -143,13 +144,13 @@ class JWTVerifierSettings(BaseSettings):
 
     model_config = SettingsConfigDict(
         env_prefix="FASTMCP_SERVER_AUTH_JWT_",
-        env_file=".env",
+        env_file=ENV_FILE,
         extra="ignore",
     )
 
     public_key: str | None = None
     jwks_uri: str | None = None
-    issuer: str | None = None
+    issuer: str | list[str] | None = None
     algorithm: str | None = None
     audience: str | list[str] | None = None
     required_scopes: list[str] | None = None
@@ -183,28 +184,28 @@ class JWTVerifier(TokenVerifier):
     def __init__(
         self,
         *,
-        public_key: str | None | NotSetT = NotSet,
-        jwks_uri: str | None | NotSetT = NotSet,
-        issuer: str | None | NotSetT = NotSet,
-        audience: str | list[str] | None | NotSetT = NotSet,
-        algorithm: str | None | NotSetT = NotSet,
-        required_scopes: list[str] | None | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | None | NotSetT = NotSet,
+        public_key: str | NotSetT | None = NotSet,
+        jwks_uri: str | NotSetT | None = NotSet,
+        issuer: str | list[str] | NotSetT | None = NotSet,
+        audience: str | list[str] | NotSetT | None = NotSet,
+        algorithm: str | NotSetT | None = NotSet,
+        required_scopes: list[str] | NotSetT | None = NotSet,
+        base_url: AnyHttpUrl | str | NotSetT | None = NotSet,
     ):
         """
-        Initialize the JWT token verifier.
-
-        Args:
-            public_key: For asymmetric algorithms (RS256, ES256, etc.): PEM-encoded public key.
-                       For symmetric algorithms (HS256, HS384, HS512): The shared secret string.
-            jwks_uri: URI to fetch JSON Web Key Set (only for asymmetric algorithms)
-            issuer: Expected issuer claim
-            audience: Expected audience claim(s)
-            algorithm: JWT signing algorithm. Supported algorithms:
-                      - Asymmetric: RS256/384/512, ES256/384/512, PS256/384/512 (default: RS256)
-                      - Symmetric: HS256, HS384, HS512
-            required_scopes: Required scopes for all tokens
-            base_url: Base URL for TokenVerifier protocol
+        Initialize a JWTVerifier configured to validate JWTs using either a static key or a JWKS endpoint.
+
+        Parameters:
+            public_key (str | NotSetT | None): PEM-encoded public key for asymmetric algorithms or shared secret for symmetric algorithms.
+            jwks_uri (str | NotSetT | None): URI to fetch a JSON Web Key Set; used when verifying tokens with remote JWKS.
+            issuer (str | list[str] | NotSetT | None): Expected issuer claim value or list of allowed issuer values.
+            audience (str | list[str] | NotSetT | None): Expected audience claim value or list of allowed audience values.
+            algorithm (str | NotSetT | None): JWT signing algorithm to accept (default: "RS256"). Supported: HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512.
+            required_scopes (list[str] | NotSetT | None): Scopes that must be present in validated tokens.
+            base_url (AnyHttpUrl | str | NotSetT | None): Base URL passed to the parent TokenVerifier.
+
+        Raises:
+            ValueError: If neither or both of `public_key` and `jwks_uri` are provided, or if `algorithm` is unsupported.
         """
         settings = JWTVerifierSettings.model_validate(
             {
@@ -282,7 +283,7 @@ class JWTVerifier(TokenVerifier):
             return await self._get_jwks_key(kid)
 
         except Exception as e:
-            raise ValueError(f"Failed to extract key ID from token: {e}")
+            raise ValueError(f"Failed to extract key ID from token: {e}") from e
 
     async def _get_jwks_key(self, kid: str | None) -> str:
         """Fetch key from JWKS with simple caching."""
@@ -341,10 +342,10 @@ class JWTVerifier(TokenVerifier):
                     raise ValueError("No keys found in JWKS")
 
         except httpx.HTTPError as e:
-            raise ValueError(f"Failed to fetch JWKS: {e}")
+            raise ValueError(f"Failed to fetch JWKS: {e}") from e
         except Exception as e:
             self.logger.debug(f"JWKS fetch failed: {e}")
-            raise ValueError(f"Failed to fetch JWKS: {e}")
+            raise ValueError(f"Failed to fetch JWKS: {e}") from e
 
     def _extract_scopes(self, claims: dict[str, Any]) -> list[str]:
         """
@@ -365,13 +366,13 @@ class JWTVerifier(TokenVerifier):
 
     async def load_access_token(self, token: str) -> AccessToken | None:
         """
-        Validates the provided JWT bearer token.
+        Validate a JWT bearer token and return an AccessToken when the token is valid.
 
-        Args:
-            token: The JWT token string to validate
+        Parameters:
+            token (str): The JWT bearer token string to validate.
 
         Returns:
-            AccessToken object if valid, None if invalid or expired
+            AccessToken | None: An AccessToken populated from token claims if the token is valid; `None` if the token is expired, has an invalid signature or format, fails issuer/audience/scope validation, or any other validation error occurs.
         """
         try:
             # Get verification key (static or from JWKS)
@@ -381,7 +382,12 @@ class JWTVerifier(TokenVerifier):
             claims = self.jwt.decode(token, verification_key)
 
             # Extract client ID early for logging
-            client_id = claims.get("client_id") or claims.get("sub") or "unknown"
+            client_id = (
+                claims.get("client_id")
+                or claims.get("azp")
+                or claims.get("sub")
+                or "unknown"
+            )
 
             # Validate expiration
             exp = claims.get("exp")
@@ -395,7 +401,18 @@ class JWTVerifier(TokenVerifier):
             # Validate issuer - note we use issuer instead of issuer_url here because
             # issuer is optional, allowing users to make this check optional
             if self.issuer:
-                if claims.get("iss") != self.issuer:
+                iss = claims.get("iss")
+
+                # Handle different combinations of issuer types
+                issuer_valid = False
+                if isinstance(self.issuer, list):
+                    # self.issuer is a list - check if token issuer matches any expected issuer
+                    issuer_valid = iss in self.issuer
+                else:
+                    # self.issuer is a string - check for equality
+                    issuer_valid = iss == self.issuer
+
+                if not issuer_valid:
                     self.logger.debug(
                         "Token validation failed: issuer mismatch for client %s",
                         client_id,

fastmcp/server/auth/providers/oci.py

@@ -0,0 +1,233 @@
+"""OCI OIDC provider for FastMCP.
+
+The pull request for the provider is submitted to fastmcp.
+
+This module provides OIDC Implementation to integrate MCP servers with OCI.
+You only need OCI Identity Domain's discovery URL, client ID, client secret, and base URL.
+
+Post Authentication, you get OCI IAM domain access token. That is not authorized to invoke OCI control plane.
+You need to exchange the IAM domain access token for OCI UPST token to invoke OCI control plane APIs.
+The sample code below has get_oci_signer function that returns OCI TokenExchangeSigner object.
+You can use the signer object to create OCI service object.
+
+Example:
+    ```python
+    from fastmcp import FastMCP
+    from fastmcp.server.auth.providers.oci import OCIProvider
+    from fastmcp.server.dependencies import get_access_token
+    from fastmcp.utilities.logging import get_logger
+
+    import os
+
+    # Load configuration from environment
+    FASTMCP_SERVER_AUTH_OCI_CONFIG_URL = os.environ["FASTMCP_SERVER_AUTH_OCI_CONFIG_URL"]
+    FASTMCP_SERVER_AUTH_OCI_CLIENT_ID = os.environ["FASTMCP_SERVER_AUTH_OCI_CLIENT_ID"]
+    FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET = os.environ["FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET"]
+    FASTMCP_SERVER_AUTH_OCI_IAM_GUID = os.environ["FASTMCP_SERVER_AUTH_OCI_IAM_GUID"]
+
+    import oci
+    from oci.auth.signers import TokenExchangeSigner
+
+    logger = get_logger(__name__)
+
+    # Simple OCI OIDC protection
+    auth = OCIProvider(
+        config_url=FASTMCP_SERVER_AUTH_OCI_CONFIG_URL, #config URL is the OCI IAM Domain OIDC discovery URL.
+        client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
+        client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET, #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+        required_scopes=["openid", "profile", "email"],
+        redirect_path="/auth/callback",
+        base_url="http://localhost:8000",
+    )
+
+    # NOTE: For production use, replace this with a thread-safe cache implementation
+    # such as threading.Lock-protected dict or a proper caching library
+    _global_token_cache = {} #In memory cache for OCI session token signer
+
+    def get_oci_signer() -> TokenExchangeSigner:
+
+        authntoken = get_access_token()
+        tokenID = authntoken.claims.get("jti")
+        token = authntoken.token
+
+        #Check if the signer exists for the token ID in memory cache
+        cached_signer = _global_token_cache.get(tokenID)
+        logger.debug(f"Global cached signer: {cached_signer}")
+        if cached_signer:
+            logger.debug(f"Using globally cached signer for token ID: {tokenID}")
+            return cached_signer
+
+        #If the signer is not yet created for the token then create new OCI signer object
+        logger.debug(f"Creating new signer for token ID: {tokenID}")
+        signer = TokenExchangeSigner(
+            jwt_or_func=token,
+            oci_domain_id=FASTMCP_SERVER_AUTH_OCI_IAM_GUID.split(".")[0],   #This is same as IAM GUID configured for the OCI IAM Domain
+            client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
+            client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+        )
+        logger.debug(f"Signer {signer} created for token ID: {tokenID}")
+
+        #Cache the signer object in memory cache
+        _global_token_cache[tokenID] = signer
+        logger.debug(f"Signer cached for token ID: {tokenID}")
+
+        return signer
+
+    mcp = FastMCP("My Protected Server", auth=auth)
+    ```
+"""
+
+from key_value.aio.protocols import AsyncKeyValue
+from pydantic import AnyHttpUrl, SecretStr, field_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+from fastmcp.server.auth.oidc_proxy import OIDCProxy
+from fastmcp.settings import ENV_FILE
+from fastmcp.utilities.auth import parse_scopes
+from fastmcp.utilities.logging import get_logger
+from fastmcp.utilities.types import NotSet, NotSetT
+
+logger = get_logger(__name__)
+
+
+class OCIProviderSettings(BaseSettings):
+    """Settings for OCI IAM domain OIDC provider."""
+
+    model_config = SettingsConfigDict(
+        env_prefix="FASTMCP_SERVER_AUTH_OCI_",
+        env_file=ENV_FILE,
+        extra="ignore",
+    )
+
+    config_url: AnyHttpUrl | None = None
+    client_id: str | None = None
+    client_secret: SecretStr | None = None
+    audience: str | None = None
+    base_url: AnyHttpUrl | None = None
+    issuer_url: AnyHttpUrl | None = None
+    redirect_path: str | None = None
+    required_scopes: list[str] | None = None
+    allowed_client_redirect_uris: list[str] | None = None
+    jwt_signing_key: str | bytes | None = None
+
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, v):
+        return parse_scopes(v)
+
+
+class OCIProvider(OIDCProxy):
+    """An OCI IAM Domain provider implementation for FastMCP.
+
+    This provider is a complete OCI integration that's ready to use with
+    just the configuration URL, client ID, client secret, and base URL.
+
+    Example:
+        ```python
+        from fastmcp import FastMCP
+        from fastmcp.server.auth.providers.oci import OCIProvider
+
+        # Simple OCI OIDC protection
+        auth = OCIProvider(
+            config_url=FASTMCP_SERVER_AUTH_OCI_CONFIG_URL, #config URL is the OCI IAM Domain OIDC discovery URL.
+            client_id=FASTMCP_SERVER_AUTH_OCI_CLIENT_ID, #This is same as the client ID configured for the OCI IAM Domain Integrated Application
+            client_secret=FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET, #This is same as the client secret configured for the OCI IAM Domain Integrated Application
+            base_url="http://localhost:8000",
+            required_scopes=["openid", "profile", "email"],
+            redirect_path="/auth/callback",
+        )
+
+        mcp = FastMCP("My Protected Server", auth=auth)
+        ```
+    """
+
+    def __init__(
+        self,
+        *,
+        config_url: AnyHttpUrl | str | NotSetT = NotSet,
+        client_id: str | NotSetT = NotSet,
+        client_secret: str | NotSetT = NotSet,
+        audience: str | NotSetT = NotSet,
+        base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
+        required_scopes: list[str] | NotSetT = NotSet,
+        redirect_path: str | NotSetT = NotSet,
+        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        client_storage: AsyncKeyValue | None = None,
+        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        require_authorization_consent: bool = True,
+    ) -> None:
+        """Initialize OCI OIDC provider.
+
+        Args:
+            config_url: OCI OIDC Discovery URL
+            client_id: OCI IAM Domain Integrated Application client id
+            client_secret: OCI Integrated Application client secret
+            audience: OCI API audience (optional)
+            base_url: Public URL where OIDC endpoints will be accessible (includes any mount path)
+            issuer_url: Issuer URL for OCI IAM Domain metadata. This will override issuer URL from the discovery URL.
+            required_scopes: Required OCI scopes (defaults to ["openid"])
+            redirect_path: Redirect path configured in OCI IAM Domain Integrated Application. The default is "/auth/callback".
+            allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
+        """
+
+        overrides = {
+            k: v
+            for k, v in {
+                "config_url": config_url,
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "audience": audience,
+                "base_url": base_url,
+                "issuer_url": issuer_url,
+                "required_scopes": required_scopes,
+                "redirect_path": redirect_path,
+                "allowed_client_redirect_uris": allowed_client_redirect_uris,
+                "jwt_signing_key": jwt_signing_key,
+            }.items()
+            if v is not NotSet
+        }
+        settings = OCIProviderSettings(**overrides)
+
+        if not settings.config_url:
+            raise ValueError(
+                "config_url is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CONFIG_URL"
+            )
+
+        if not settings.client_id:
+            raise ValueError(
+                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CLIENT_ID"
+            )
+
+        if not settings.client_secret:
+            raise ValueError(
+                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_CLIENT_SECRET"
+            )
+
+        if not settings.base_url:
+            raise ValueError(
+                "base_url is required - set via parameter or FASTMCP_SERVER_AUTH_OCI_BASE_URL"
+            )
+
+        oci_required_scopes = settings.required_scopes or ["openid"]
+
+        super().__init__(
+            config_url=settings.config_url,
+            client_id=settings.client_id,
+            client_secret=settings.client_secret.get_secret_value(),
+            audience=settings.audience,
+            base_url=settings.base_url,
+            issuer_url=settings.issuer_url,
+            redirect_path=settings.redirect_path,
+            required_scopes=oci_required_scopes,
+            allowed_client_redirect_uris=settings.allowed_client_redirect_uris,
+            client_storage=client_storage,
+            jwt_signing_key=settings.jwt_signing_key,
+            require_authorization_consent=require_authorization_consent,
+        )
+
+        logger.debug(
+            "Initialized OCI OAuth provider for client %s with scopes: %s",
+            settings.client_id,
+            oci_required_scopes,
+        )

fastmcp/server/auth/providers/scalekit.py

@@ -0,0 +1,238 @@
+"""Scalekit authentication provider for FastMCP.
+
+This module provides ScalekitProvider - a complete authentication solution that integrates
+with Scalekit's OAuth 2.1 and OpenID Connect services, supporting Resource Server
+authentication for seamless MCP client authentication.
+"""
+
+from __future__ import annotations
+
+import httpx
+from pydantic import AnyHttpUrl, field_validator, model_validator
+from pydantic_settings import BaseSettings, SettingsConfigDict
+from starlette.responses import JSONResponse
+from starlette.routing import Route
+
+from fastmcp.server.auth import RemoteAuthProvider, TokenVerifier
+from fastmcp.server.auth.providers.jwt import JWTVerifier
+from fastmcp.settings import ENV_FILE
+from fastmcp.utilities.auth import parse_scopes
+from fastmcp.utilities.logging import get_logger
+from fastmcp.utilities.types import NotSet, NotSetT
+
+logger = get_logger(__name__)
+
+
+class ScalekitProviderSettings(BaseSettings):
+    model_config = SettingsConfigDict(
+        env_prefix="FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_",
+        env_file=ENV_FILE,
+        extra="ignore",
+    )
+
+    environment_url: AnyHttpUrl
+    resource_id: str
+    base_url: AnyHttpUrl | None = None
+    mcp_url: AnyHttpUrl | None = None
+    required_scopes: list[str] | None = None
+
+    @field_validator("required_scopes", mode="before")
+    @classmethod
+    def _parse_scopes(cls, value: object):
+        return parse_scopes(value)
+
+    @model_validator(mode="after")
+    def _resolve_base_url(self):
+        resolved = self.base_url or self.mcp_url
+        if resolved is None:
+            msg = "Either base_url or mcp_url must be provided for ScalekitProvider"
+            raise ValueError(msg)
+
+        object.__setattr__(self, "base_url", resolved)
+        return self
+
+
+class ScalekitProvider(RemoteAuthProvider):
+    """Scalekit resource server provider for OAuth 2.1 authentication.
+
+    This provider implements Scalekit integration using resource server pattern.
+    FastMCP acts as a protected resource server that validates access tokens issued
+    by Scalekit's authorization server.
+
+    IMPORTANT SETUP REQUIREMENTS:
+
+    1. Create an MCP Server in Scalekit Dashboard:
+       - Go to your [Scalekit Dashboard](https://app.scalekit.com/)
+       - Navigate to MCP Servers section
+       - Register a new MCP Server with appropriate scopes
+       - Ensure the Resource Identifier matches exactly what you configure as MCP URL
+       - Note the Resource ID
+
+    2. Environment Configuration:
+       - Set SCALEKIT_ENVIRONMENT_URL (e.g., https://your-env.scalekit.com)
+       - Set SCALEKIT_RESOURCE_ID from your created resource
+       - Set BASE_URL to your FastMCP server's public URL
+
+    For detailed setup instructions, see:
+    https://docs.scalekit.com/mcp/overview/
+
+    Example:
+        ```python
+        from fastmcp.server.auth.providers.scalekit import ScalekitProvider
+
+        # Create Scalekit resource server provider
+        scalekit_auth = ScalekitProvider(
+            environment_url="https://your-env.scalekit.com",
+            resource_id="sk_resource_...",
+            base_url="https://your-fastmcp-server.com",
+        )
+
+        # Use with FastMCP
+        mcp = FastMCP("My App", auth=scalekit_auth)
+        ```
+    """
+
+    def __init__(
+        self,
+        *,
+        environment_url: AnyHttpUrl | str | NotSetT = NotSet,
+        client_id: str | NotSetT = NotSet,
+        resource_id: str | NotSetT = NotSet,
+        base_url: AnyHttpUrl | str | NotSetT = NotSet,
+        mcp_url: AnyHttpUrl | str | NotSetT = NotSet,
+        required_scopes: list[str] | NotSetT = NotSet,
+        token_verifier: TokenVerifier | None = None,
+    ):
+        """Initialize Scalekit resource server provider.
+
+        Args:
+            environment_url: Your Scalekit environment URL (e.g., "https://your-env.scalekit.com")
+            resource_id: Your Scalekit resource ID
+            base_url: Public URL of this FastMCP server
+            required_scopes: Optional list of scopes that must be present in tokens
+            token_verifier: Optional token verifier. If None, creates JWT verifier for Scalekit
+        """
+        legacy_client_id = client_id is not NotSet
+
+        settings = ScalekitProviderSettings.model_validate(
+            {
+                k: v
+                for k, v in {
+                    "environment_url": environment_url,
+                    "resource_id": resource_id,
+                    "base_url": base_url,
+                    "mcp_url": mcp_url,
+                    "required_scopes": required_scopes,
+                }.items()
+                if v is not NotSet
+            }
+        )
+
+        if settings.mcp_url is not None:
+            logger.warning(
+                "ScalekitProvider parameter 'mcp_url' is deprecated and will be removed in a future release. "
+                "Rename it to 'base_url'."
+            )
+
+        if legacy_client_id:
+            logger.warning(
+                "ScalekitProvider no longer requires 'client_id'. The parameter is accepted only for backward "
+                "compatibility and will be removed in a future release."
+            )
+
+        self.environment_url = str(settings.environment_url).rstrip("/")
+        self.resource_id = settings.resource_id
+        self.required_scopes = settings.required_scopes or []
+        base_url_value = str(settings.base_url)
+
+        logger.debug(
+            "Initializing ScalekitProvider: environment_url=%s resource_id=%s base_url=%s required_scopes=%s",
+            self.environment_url,
+            self.resource_id,
+            base_url_value,
+            self.required_scopes,
+        )
+
+        # Create default JWT verifier if none provided
+        if token_verifier is None:
+            logger.debug(
+                "Creating default JWTVerifier for Scalekit: jwks_uri=%s issuer=%s required_scopes=%s",
+                f"{self.environment_url}/keys",
+                self.environment_url,
+                self.required_scopes,
+            )
+            token_verifier = JWTVerifier(
+                jwks_uri=f"{self.environment_url}/keys",
+                issuer=self.environment_url,
+                algorithm="RS256",
+                required_scopes=self.required_scopes or None,
+            )
+        else:
+            logger.debug("Using custom token verifier for ScalekitProvider")
+
+        # Initialize RemoteAuthProvider with Scalekit as the authorization server
+        super().__init__(
+            token_verifier=token_verifier,
+            authorization_servers=[
+                AnyHttpUrl(f"{self.environment_url}/resources/{self.resource_id}")
+            ],
+            base_url=base_url_value,
+        )
+
+    def get_routes(
+        self,
+        mcp_path: str | None = None,
+    ) -> list[Route]:
+        """Get OAuth routes including Scalekit authorization server metadata forwarding.
+
+        This returns the standard protected resource routes plus an authorization server
+        metadata endpoint that forwards Scalekit's OAuth metadata to clients.
+
+        Args:
+            mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp")
+                This is used to advertise the resource URL in metadata.
+        """
+        # Get the standard protected resource routes from RemoteAuthProvider
+        routes = super().get_routes(mcp_path)
+        logger.debug(
+            "Preparing Scalekit metadata routes: mcp_path=%s resource_id=%s",
+            mcp_path,
+            self.resource_id,
+        )
+
+        async def oauth_authorization_server_metadata(request):
+            """Forward Scalekit OAuth authorization server metadata with FastMCP customizations."""
+            try:
+                metadata_url = f"{self.environment_url}/.well-known/oauth-authorization-server/resources/{self.resource_id}"
+                logger.debug(
+                    "Fetching Scalekit OAuth metadata: metadata_url=%s", metadata_url
+                )
+                async with httpx.AsyncClient() as client:
+                    response = await client.get(metadata_url)
+                    response.raise_for_status()
+                    metadata = response.json()
+                    logger.debug(
+                        "Scalekit metadata fetched successfully: metadata_keys=%s",
+                        list(metadata.keys()),
+                    )
+                    return JSONResponse(metadata)
+            except Exception as e:
+                logger.error(f"Failed to fetch Scalekit metadata: {e}")
+                return JSONResponse(
+                    {
+                        "error": "server_error",
+                        "error_description": f"Failed to fetch Scalekit metadata: {e}",
+                    },
+                    status_code=500,
+                )
+
+        # Add Scalekit authorization server metadata forwarding
+        routes.append(
+            Route(
+                "/.well-known/oauth-authorization-server",
+                endpoint=oauth_authorization_server_metadata,
+                methods=["GET"],
+            )
+        )
+
+        return routes