Class: MCP::Client::OAuth::ClientCredentialsProvider

Inherits:
Object
Includes:
StorageBackedProvider
Defined in:
lib/mcp/client/oauth/client_credentials_provider.rb

Overview

OAuth client configuration for the OAuth 2.1 `client_credentials` grant (machine-to-machine, no user and no browser redirect). Handed to `MCP::Client::HTTP` via the `oauth:` keyword, the same as `Provider`. The interactive Authorization Code flow lives in `Provider`; this class exists so a credentials-only client never has to supply the redirect arguments that grant has no use for, mirroring the dedicated `ClientCredentialsProvider` in the TypeScript SDK and `ClientCredentialsOAuthProvider` in the Python SDK.

Required keyword arguments:

  • `client_id` - String identifying the pre-registered confidential client.

  • `client_secret` - String shared secret. The `client_credentials` grant is for confidential clients, so a credential is mandatory.

Optional keyword arguments:

  • `token_endpoint_auth_method` - `"client_secret_basic"` (default) or `"client_secret_post"`. `"none"` is rejected: an unauthenticated `client_credentials` request is meaningless.

  • `scope` - String of space-separated scopes to request when the server’s `WWW-Authenticate` and the Protected Resource Metadata do not specify one.

  • `storage` - Object responding to `tokens`, `save_tokens(tokens)`, `client_information`, and `save_client_information(info)`. Defaults to an `InMemoryStorage`. The `client_id` / `client_secret` are written into it so the token exchange reads them through the same path as a pre-registered authorization-code client.

Defined Under Namespace

Classes: InvalidCredentialsError

Constant Summary

SUPPORTED_AUTH_METHODS =
["client_secret_basic", "client_secret_post"].freeze

Instance Attribute Summary

Instance Method Summary

Methods included from StorageBackedProvider

#access_token, #clear_tokens!, #client_information, #save_client_information, #save_tokens, #tokens

Constructor Details

#initialize(client_id:, client_secret:, token_endpoint_auth_method: "client_secret_basic", scope: nil, storage: nil) ⇒ ClientCredentialsProvider

Returns a new instance of ClientCredentialsProvider.



# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 44

def initialize(
  client_id:,
  client_secret:,
  token_endpoint_auth_method: "client_secret_basic",
  scope: nil,
  storage: nil
)
  if blank?(client_id)
    raise InvalidCredentialsError, "client_id is required for the client_credentials grant."
  end

  unless SUPPORTED_AUTH_METHODS.include?(token_endpoint_auth_method)
    raise InvalidCredentialsError,
      "token_endpoint_auth_method must be one of #{SUPPORTED_AUTH_METHODS.inspect} for the " \
        "client_credentials grant (got #{token_endpoint_auth_method.inspect}); an unauthenticated " \
        "client_credentials request is not allowed."
  end

  if blank?(client_secret)
    raise InvalidCredentialsError,
      "client_secret is required for the client_credentials grant with #{token_endpoint_auth_method}."
  end

  @scope = scope
  @storage = storage || InMemoryStorage.new
  @storage.save_client_information(
    "client_id" => client_id,
    "client_secret" => client_secret,
    "token_endpoint_auth_method" => token_endpoint_auth_method,
  )
end
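
What the two accepted `token_endpoint_auth_method` values mean on the wire, as an added example rather than code from the SDK: `build_token_request` and `AUTH_METHODS` are hypothetical names, and the credentials are constructed sample values. It only builds the request parts and sends nothing.

```ruby
require "uri"

# Added illustration (not the SDK's implementation): headers and form body of a
# client_credentials token request for each supported client auth method.
AUTH_METHODS = ["client_secret_basic", "client_secret_post"].freeze

# build_token_request is a hypothetical helper name.
def build_token_request(client_id:, client_secret:, auth_method: "client_secret_basic", scope: nil)
  unless AUTH_METHODS.include?(auth_method)
    raise ArgumentError, "unsupported token_endpoint_auth_method: #{auth_method.inspect}"
  end
  if [client_id, client_secret].any? { |v| v.to_s.strip.empty? }
    raise ArgumentError, "client_id and client_secret are required"
  end

  form = { "grant_type" => "client_credentials" }
  form["scope"] = scope if scope
  headers = { "Content-Type" => "application/x-www-form-urlencoded" }

  if auth_method == "client_secret_basic"
    # RFC 6749 section 2.3.1: form-encode id and secret before joining them with
    # ":", so a ":" inside either value cannot be mistaken for the separator.
    pair = [client_id, client_secret].map { |v| URI.encode_www_form_component(v) }.join(":")
    headers["Authorization"] = "Basic #{[pair].pack("m0")}"
  else
    # client_secret_post: the credentials travel in the request body instead.
    form["client_id"] = client_id
    form["client_secret"] = client_secret
  end

  { headers: headers, body: URI.encode_www_form(form) }
end

# Constructed sample values, not real credentials.
BASIC = build_token_request(client_id: "svc:reports", client_secret: "s3cr3t/+x",
                            scope: "mcp:read mcp:write")
POST = build_token_request(client_id: "svc:reports", client_secret: "s3cr3t/+x",
                           auth_method: "client_secret_post")

if $PROGRAM_NAME == __FILE__
  puts BASIC[:headers]["Authorization"], BASIC[:body], POST[:body]
end
```

With `client_secret_post` the secret is part of the request body, so any logging of token-request bodies has to redact it; with `client_secret_basic` the same applies to the `Authorization` header.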

Instance Attribute Details

#scope ⇒ Object (readonly)

Returns the value of attribute scope.



# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 42

def scope
  @scope
end

#storage ⇒ Object (readonly)

Returns the value of attribute storage.



# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 42

def storage
  @storage
end

Instance Method Details

#authorization_flow ⇒ Object

See `Provider#authorization_flow`.



# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 77

def authorization_flow
  :client_credentials
end