#[non_exhaustive]
pub struct OAuthConfig {
pub issuer: String,
pub audience: String,
pub jwks_uri: String,
pub scopes: Vec<ScopeMapping>,
pub role_claim: Option<String>,
pub role_mappings: Vec<RoleMapping>,
pub jwks_cache_ttl: String,
pub proxy: Option<OAuthProxyConfig>,
pub token_exchange: Option<TokenExchangeConfig>,
pub ca_cert_path: Option<PathBuf>,
pub allow_http_oauth_urls: bool,
pub max_jwks_keys: usize,
}
OAuth 2.1 JWT configuration.
Fields (Non-exhaustive)
This struct is marked as non-exhaustive: fields may be added in future releases, so it cannot be constructed in external crates using the traditional Struct { .. } syntax, cannot be matched against without a wildcard .., and struct update syntax will not work.

issuer: String
Token issuer (iss claim). Must match exactly.

audience: String
Expected audience (aud claim). Must match exactly.

jwks_uri: String
JWKS endpoint URL (e.g. https://auth.example.com/.well-known/jwks.json).

scopes: Vec<ScopeMapping>
Scope-to-role mappings. First matching scope wins. Used when role_claim is absent (default behavior).

role_claim: Option<String>
JWT claim path to extract roles from (dot-notation for nested claims). Examples: "scope" (default), "roles", "realm_access.roles". When set, the claim value is matched against role_mappings instead of scopes. Supports both space-separated strings and JSON arrays.

role_mappings: Vec<RoleMapping>
Claim-value-to-role mappings. Used when role_claim is set. First matching value wins.

jwks_cache_ttl: String
How long to cache JWKS keys before re-fetching. Parsed as a humantime duration (e.g. "10m", "1h"). Default: "10m".

proxy: Option<OAuthProxyConfig>
OAuth proxy configuration. When set, the server exposes /authorize, /token, and /register endpoints that proxy to the upstream identity provider (e.g. Keycloak).

token_exchange: Option<TokenExchangeConfig>
Token exchange configuration (RFC 8693). When set, the server can exchange an inbound MCP-scoped access token for a downstream API-scoped access token via the authorization server's token endpoint.

ca_cert_path: Option<PathBuf>
Optional path to a PEM CA bundle for OAuth-bound HTTP traffic. Added to the system/built-in roots, not a replacement.
Scope (since 1.2.1). When the OauthHttpClient is constructed via OauthHttpClient::with_config (preferred), this CA bundle is honoured by every OAuth-bound HTTP request: the JWKS key fetch, token exchange, introspection, revocation, and the OAuth proxy handlers. Application crates may auto-populate this from their own configuration (e.g. an upstream-API CA path); any application-owned HTTP clients outside the kit must still configure their own CA trust separately. The deprecated OauthHttpClient::new no-arg constructor cannot honour this field; migrate to OauthHttpClient::with_config for full coverage.

allow_http_oauth_urls: bool
Allow plain-HTTP (non-TLS) URLs for OAuth endpoints (jwks_uri, proxy.authorize_url, proxy.token_url, proxy.introspection_url, proxy.revocation_url, token_exchange.token_url). Default: false. Strongly discouraged in production: a network-positioned attacker can MITM JWKS responses and substitute signing keys (forging arbitrary tokens), or MITM the token / proxy endpoints to steal credentials and codes. Enable only for development against a local IdP without TLS, ideally bound to 127.0.0.1. JWKS-cache redirects to non-HTTPS targets are still rejected even when this flag is true.

max_jwks_keys: usize
Maximum number of keys accepted from a JWKS refresh response. Responses containing more keys than this are rejected fail-closed (the cache remains empty or unchanged). Default: 256.
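The two JWKS limits documented above, the humantime-style jwks_cache_ttl and the fail-closed max_jwks_keys bound, are easiest to see in a small cache that enforces them. The following is an added example and not the crate's own code: the Jwk type, the JwksCache API, the parse_ttl helper and the sample keys are hypothetical simplifications built on std only, so it runs without the crate.

```rust
// Added example, not the crate's own code: a minimal JWKS cache that models the
// two limits documented for OAuthConfig, the humantime-style jwks_cache_ttl and
// the fail-closed max_jwks_keys bound. The Jwk type, cache API and parse_ttl
// helper are hypothetical; real keys would carry the full JWK members.
use std::collections::HashMap;
use std::time::{Duration, Instant};

/// Simplified JWK: just the identifier a verifier selects on and the algorithm.
#[derive(Clone, Debug, PartialEq)]
pub struct Jwk {
    pub kid: String,
    pub alg: String,
}

#[derive(Debug, PartialEq)]
pub enum JwksError {
    TooManyKeys { got: usize, max: usize },
}

/// Parse the subset of humantime durations used in the docs ("30s", "10m", "1h").
pub fn parse_ttl(s: &str) -> Option<Duration> {
    let s = s.trim();
    let unit_at = s.find(|c: char| !c.is_ascii_digit())?;
    let (digits, unit) = s.split_at(unit_at);
    let n: u64 = digits.parse().ok()?;
    let mult = match unit {
        "s" => 1,
        "m" => 60,
        "h" => 3600,
        _ => return None,
    };
    Some(Duration::from_secs(n.checked_mul(mult)?))
}

pub struct JwksCache {
    keys: HashMap<String, Jwk>,
    fetched_at: Option<Instant>,
    ttl: Duration,
    max_keys: usize,
}

impl JwksCache {
    pub fn new(ttl: Duration, max_keys: usize) -> Self {
        JwksCache { keys: HashMap::new(), fetched_at: None, ttl, max_keys }
    }

    /// A refresh is due when nothing has ever been accepted or the TTL elapsed.
    /// A rejected refresh never updates fetched_at, so the next lookup retries.
    pub fn needs_refresh(&self, now: Instant) -> bool {
        match self.fetched_at {
            None => true,
            Some(t) => now.saturating_duration_since(t) >= self.ttl,
        }
    }

    /// Apply a decoded JWKS response. Oversized responses are rejected before
    /// anything is touched, so the previously accepted keys (or an empty cache)
    /// stay in force: fail closed rather than partially apply a suspect document.
    pub fn apply_response(&mut self, keys: Vec<Jwk>, now: Instant) -> Result<usize, JwksError> {
        if keys.len() > self.max_keys {
            return Err(JwksError::TooManyKeys { got: keys.len(), max: self.max_keys });
        }
        self.keys = keys.into_iter().map(|k| (k.kid.clone(), k)).collect();
        self.fetched_at = Some(now);
        Ok(self.keys.len())
    }

    pub fn get(&self, kid: &str) -> Option<&Jwk> {
        self.keys.get(kid)
    }

    pub fn len(&self) -> usize {
        self.keys.len()
    }
}

/// Constructed sample key for the demo; not real key material.
pub fn sample_jwk(kid: &str) -> Jwk {
    Jwk { kid: kid.to_string(), alg: "RS256".to_string() }
}

fn main() {
    let now = Instant::now();
    // Tiny bound so the oversized case is easy to trigger; the documented default is 256.
    let mut cache = JwksCache::new(parse_ttl("10m").expect("valid ttl"), 2);
    println!("initial refresh needed: {}", cache.needs_refresh(now));

    let flood: Vec<Jwk> = (0..3).map(|i| sample_jwk(&format!("k{i}"))).collect();
    println!("oversized response: {:?}", cache.apply_response(flood, now));
    println!("keys after rejection: {}", cache.len());

    let ok = vec![sample_jwk("k0"), sample_jwk("k1")];
    println!("normal response: {:?}", cache.apply_response(ok, now));
    println!("refresh due at +9m: {}", cache.needs_refresh(now + Duration::from_secs(540)));
    println!("refresh due at +10m: {}", cache.needs_refresh(now + Duration::from_secs(600)));
}
```

The ordering inside apply_response is the point: the size check runs before the old key set is dropped, so an attacker who can influence the JWKS document cannot blank the cache by sending an oversized response, and a rejection leaves fetched_at untouched so the next verification triggers another fetch instead of trusting stale state for a full TTL.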
Implementations
impl OAuthConfig
pub fn builder(
    issuer: impl Into<String>,
    audience: impl Into<String>,
    jwks_uri: impl Into<String>,
) -> OAuthConfigBuilder
Start building an OAuthConfig with the three required fields.
All other fields default to the same values as
OAuthConfig::default (empty scopes/role mappings, no proxy or
token exchange, a JWKS cache TTL of 10m).
pub fn validate(&self) -> Result<(), McpxError>
Validate the URL fields against the HTTPS-only policy.
Each of jwks_uri, proxy.authorize_url, proxy.token_url,
proxy.introspection_url, proxy.revocation_url, and
token_exchange.token_url is parsed and its scheme checked.
Schemes other than https are rejected unless
OAuthConfig::allow_http_oauth_urls is true, in which case
http is also permitted (parse failures and other schemes are
always rejected).
Errors
Returns crate::error::McpxError::Config when any field fails
to parse or violates the scheme policy.
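To make the scheme policy that validate() and allow_http_oauth_urls describe concrete, here is an added example that re-implements it stand-alone; it is not the crate's code. UrlPolicyConfig carries only the six URL fields the policy covers, scheme_of stands in for the URL parser (std only, no url crate), and the error strings are illustrative.

```rust
// Added example, not the crate's own code: a stand-alone re-implementation of the
// scheme policy that the validate() docs describe, using only std so it runs
// without the crate or a URL-parsing dependency. UrlPolicyConfig carries only
// the URL fields validate() checks; its name and the helpers are hypothetical.

/// Subset of OAuthConfig holding just the endpoints the HTTPS-only policy covers.
#[derive(Debug, Default)]
pub struct UrlPolicyConfig {
    pub jwks_uri: String,
    pub proxy_authorize_url: Option<String>,
    pub proxy_token_url: Option<String>,
    pub proxy_introspection_url: Option<String>,
    pub proxy_revocation_url: Option<String>,
    pub token_exchange_token_url: Option<String>,
    /// The escape hatch documented on OAuthConfig::allow_http_oauth_urls.
    pub allow_http_oauth_urls: bool,
}

/// Extract the scheme of an absolute URL (RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )),
/// normalised to lowercase. Returns None for anything that is not
/// "<scheme>://<non-empty authority>...", which stands in for a parse failure.
pub fn scheme_of(url: &str) -> Option<String> {
    let (scheme, rest) = url.split_once("://")?;
    let mut chars = scheme.chars();
    if !chars.next()?.is_ascii_alphabetic() {
        return None;
    }
    if !chars.all(|c| c.is_ascii_alphanumeric() || matches!(c, '+' | '-' | '.')) {
        return None;
    }
    let authority_len = rest
        .find(|c: char| c == '/' || c == '?' || c == '#')
        .unwrap_or(rest.len());
    if authority_len == 0 {
        return None;
    }
    Some(scheme.to_ascii_lowercase())
}

/// Apply the policy to one endpoint: https is always accepted, http only when the
/// escape hatch is set, and parse failures or any other scheme are always rejected.
pub fn check_url(field: &str, url: &str, allow_http: bool) -> Result<(), String> {
    match scheme_of(url).as_deref() {
        Some("https") => Ok(()),
        Some("http") if allow_http => Ok(()),
        Some("http") => Err(format!(
            "{field}: plain-HTTP URL {url:?} rejected; set allow_http_oauth_urls only for a local IdP"
        )),
        Some(other) => Err(format!("{field}: scheme {other:?} is not https")),
        None => Err(format!("{field}: {url:?} is not a valid absolute URL")),
    }
}

impl UrlPolicyConfig {
    /// Check every present endpoint; the first violation is returned as the error,
    /// so an invalid config is rejected before any OAuth-bound request is made.
    pub fn validate(&self) -> Result<(), String> {
        let fields = [
            ("jwks_uri", Some(&self.jwks_uri)),
            ("proxy.authorize_url", self.proxy_authorize_url.as_ref()),
            ("proxy.token_url", self.proxy_token_url.as_ref()),
            ("proxy.introspection_url", self.proxy_introspection_url.as_ref()),
            ("proxy.revocation_url", self.proxy_revocation_url.as_ref()),
            ("token_exchange.token_url", self.token_exchange_token_url.as_ref()),
        ];
        for (name, value) in fields {
            if let Some(url) = value {
                check_url(name, url, self.allow_http_oauth_urls)?;
            }
        }
        Ok(())
    }
}

fn main() {
    // Constructed inputs: a production-style config and a local-dev variant.
    let prod = UrlPolicyConfig {
        jwks_uri: "https://auth.example.com/.well-known/jwks.json".to_string(),
        token_exchange_token_url: Some("https://auth.example.com/token".to_string()),
        ..Default::default()
    };
    println!("prod: {:?}", prod.validate());

    let mut dev = UrlPolicyConfig {
        jwks_uri: "http://127.0.0.1:8080/realms/dev/protocol/openid-connect/certs".to_string(),
        ..Default::default()
    };
    println!("dev, flag off: {:?}", dev.validate());
    dev.allow_http_oauth_urls = true;
    println!("dev, flag on:  {:?}", dev.validate());
}
```

Note that the flag only widens the accepted set from {https} to {https, http}; an unparseable value or a scheme such as ftp is still rejected with the flag on, which matches the documented behaviour and keeps the escape hatch from becoming a general bypass.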
Trait Implementations
impl Clone for OAuthConfig
fn clone(&self) -> OAuthConfig
1.0.0 · fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.