Class: Mcp::Auth::WellKnownController

Inherits:
ActionController::Base
  • Object
show all
Defined in:
app/controllers/mcp/auth/well_known_controller.rb

Instance Method Summary collapse

Instance Method Details

#authorization_serverObject

RFC 8414: OAuth 2.0 Authorization Server Metadata



28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
 
# File 'app/controllers/mcp/auth/well_known_controller.rb', line 28

def authorization_server
  supported_scopes = Mcp::Auth::ScopeRegistry.available_scopes.keys

  metadata = {
    issuer: authorization_server_url,
    authorization_endpoint: "#{authorization_server_url}/oauth/authorize",
    token_endpoint: "#{authorization_server_url}/oauth/token",
    registration_endpoint: "#{authorization_server_url}/oauth/register",
    revocation_endpoint: "#{authorization_server_url}/oauth/revoke",
    introspection_endpoint: "#{authorization_server_url}/oauth/introspect",

    # Supported features
    scopes_supported: supported_scopes.uniq,
    response_types_supported: %w[code],
    grant_types_supported: %w[authorization_code refresh_token],
    code_challenge_methods_supported: %w[S256], # PKCE required
    token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none],

    # RFC 8707: Resource Indicators
    resource_parameter_supported: true,

    # OAuth 2.1 features
    authorization_response_iss_parameter_supported: true,
    require_pushed_authorization_requests: false,
    require_signed_request_object: false,

    # Token revocation and introspection require client authentication
    # (RFC 7009 §2.1 / RFC 7662 §2.1) — `none` is intentionally not offered.
    revocation_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post],
    introspection_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post]
  }

  render json: metadata, status: :ok, content_type: 'application/json'
end

#jwksObject

JWKS endpoint. Returns the active public key as a JWK when the configured signing algorithm is asymmetric (RS256/ES256). HMAC keys are NEVER published — for HS256 this stays an empty key set.



91
92
93
94
 
# File 'app/controllers/mcp/auth/well_known_controller.rb', line 91

def jwks
  keys = Mcp::Auth::Services::TokenService.signing_jwks_export
  render json: { keys: keys }, status: :ok, content_type: 'application/json'
end

#openid_configurationObject

OpenID Connect Discovery



64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
 
# File 'app/controllers/mcp/auth/well_known_controller.rb', line 64

def openid_configuration
  # Get all registered scopes plus openid, profile, email
  supported_scopes = Mcp::Auth::ScopeRegistry.available_scopes.keys + %w[openid profile email]

  metadata = {
    issuer: authorization_server_url,
    authorization_endpoint: "#{authorization_server_url}/oauth/authorize",
    token_endpoint: "#{authorization_server_url}/oauth/token",
    registration_endpoint: "#{authorization_server_url}/oauth/register",
    jwks_uri: "#{authorization_server_url}/.well-known/jwks.json",
    userinfo_endpoint: "#{authorization_server_url}/oauth/userinfo",

    scopes_supported: supported_scopes.uniq,
    response_types_supported: %w[code],
    grant_types_supported: %w[authorization_code refresh_token],
    code_challenge_methods_supported: %w[S256],
    token_endpoint_auth_methods_supported: %w[client_secret_basic client_secret_post none],
    subject_types_supported: %w[public],
    id_token_signing_alg_values_supported: [Mcp::Auth.configuration&.token_signing_algorithm || 'HS256']
  }

  render json: metadata, status: :ok, content_type: 'application/json'
end

#protected_resourceObject

RFC 9728: OAuth 2.0 Protected Resource Metadata



11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
 
# File 'app/controllers/mcp/auth/well_known_controller.rb', line 11

def protected_resource
  resource_url = canonical_resource_url

  metadata = {
    resource: resource_url,
    authorization_servers: [authorization_server_url],
    scopes_supported: Mcp::Auth::ScopeRegistry.available_scopes.keys,
    bearer_methods_supported: %w[header],
    resource_documentation: mcp_documentation_url,
    resource_parameter_supported: true, # RFC 8707 support
    authorization_response_iss_parameter_supported: true # OAuth 2.1
  }

  render json: metadata, status: :ok, content_type: 'application/json'
end