Class: MCP::Client::OAuth::ClientCredentialsProvider

Inherits:
Object
  • Object
show all
Includes:
StorageBackedProvider
Defined in:
lib/mcp/client/oauth/client_credentials_provider.rb

Overview

OAuth client configuration for the OAuth 2.1 client_credentials grant (machine-to-machine, no user and no browser redirect). Handed to MCP::Client::HTTP via the oauth: keyword, the same as Provider. The interactive Authorization Code flow lives in Provider; this class exists so a credentials-only client never has to supply the redirect arguments that grant has no use for, mirroring the dedicated ClientCredentialsProvider in the TypeScript SDK and ClientCredentialsOAuthProvider in the Python SDK.

Required keyword arguments:

  • client_id - String identifying the pre-registered confidential client.
  • client_secret - String shared secret. The client_credentials grant is for confidential clients, so a credential is mandatory.

Optional keyword arguments:

  • token_endpoint_auth_method - "client_secret_basic" (default) or "client_secret_post". "none" is rejected: an unauthenticated client_credentials request is meaningless.
  • scope - String of space-separated scopes to request when the server's WWW-Authenticate and the Protected Resource Metadata do not specify one.
  • storage - Object responding to tokens, save_tokens(tokens), client_information, and save_client_information(info). Defaults to an InMemoryStorage. The client_id / client_secret are written into it so the token exchange reads them through the same path as a pre-registered authorization-code client.

Defined Under Namespace

Classes: InvalidCredentialsError

Constant Summary collapse

SUPPORTED_AUTH_METHODS =
["client_secret_basic", "client_secret_post"].freeze

Instance Attribute Summary collapse

Instance Method Summary collapse

Methods included from StorageBackedProvider

#access_token, #clear_tokens!, #client_information, #save_client_information, #save_tokens, #tokens

Constructor Details

#initialize(client_id:, client_secret:, token_endpoint_auth_method: "client_secret_basic", scope: nil, storage: nil) ⇒ ClientCredentialsProvider

Returns a new instance of ClientCredentialsProvider.



44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 44

def initialize(
  client_id:,
  client_secret:,
  token_endpoint_auth_method: "client_secret_basic",
  scope: nil,
  storage: nil
)
  if blank?(client_id)
    raise InvalidCredentialsError, "client_id is required for the client_credentials grant."
  end

  unless SUPPORTED_AUTH_METHODS.include?(token_endpoint_auth_method)
    raise InvalidCredentialsError,
      "token_endpoint_auth_method must be one of #{SUPPORTED_AUTH_METHODS.inspect} for the " \
        "client_credentials grant (got #{token_endpoint_auth_method.inspect}); an unauthenticated " \
        "client_credentials request is not allowed."
  end

  if blank?(client_secret)
    raise InvalidCredentialsError,
      "client_secret is required for the client_credentials grant with #{token_endpoint_auth_method}."
  end

  @scope = scope
  @storage = storage || InMemoryStorage.new
  @storage.save_client_information(
    "client_id" => client_id,
    "client_secret" => client_secret,
    "token_endpoint_auth_method" => token_endpoint_auth_method,
  )
end

Instance Attribute Details

#scopeObject (readonly)

Returns the value of attribute scope.



42
43
44
# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 42

def scope
  @scope
end

#storageObject (readonly)

Returns the value of attribute storage.



42
43
44
# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 42

def storage
  @storage
end

Instance Method Details

#authorization_flowObject

See Provider#authorization_flow.



77
78
79
# File 'lib/mcp/client/oauth/client_credentials_provider.rb', line 77

def authorization_flow
  :client_credentials
end