OAuth 2.1 JWKS cache, token validation, and token exchange helpers.

OAuth 2.1 JWT bearer token validation with JWKS caching.
When enabled, Bearer tokens that look like JWTs (three dot-separated
base64url segments whose first segment decodes to a valid JSON header
containing "alg") are validated against a JWKS fetched from the configured
Authorization Server. Token scopes are mapped to RBAC roles via explicit
configuration.
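The JWT shape check described above, as an added Python illustration that is not the crate's own Rust code: looks_like_jwt implements the three-segment / "alg"-header heuristic, and make_token is a hypothetical fixture builder that encodes but never signs, so the constructed samples only exercise the shape check. The alg=none sample shows why the check is only a routing heuristic: it passes, and rejecting it is the JWKS validation step's job.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def looks_like_jwt(token: str) -> bool:
    """Shape check only: three dot-separated segments whose first segment
    decodes to a JSON object with an "alg" member. It says nothing about the
    signature or the claims; that is the job of the JWKS validation step."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all subclass ValueError
        return False
    return isinstance(header, dict) and "alg" in header


def make_token(header: dict, payload: dict, signature: bytes = b"sig") -> str:
    """Hypothetical fixture builder (not part of the crate): encodes header and
    payload but does NOT sign, so the result only exercises the shape check."""
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(signature),
    ])


# Constructed sample bearer tokens covering the shapes a validator will see.
SAMPLES = {
    # Ordinary signed-looking JWT: routed to JWKS validation.
    "rs256": make_token({"alg": "RS256", "kid": "k1"}, {"sub": "alice", "scope": "read"}),
    # Opaque reference token: not a JWT, so JWKS validation does not apply.
    "opaque": "dGhpcy1pcy1hbi1vcGFxdWUtdG9rZW4",
    # Three segments, but the header has no "alg": treated as opaque.
    "no_alg": make_token({"typ": "JWT"}, {"sub": "bob"}),
    # Unsecured JWT (empty signature): passes the shape check, so the
    # downstream validator must reject it because no JWKS key can verify it.
    "alg_none": make_token({"alg": "none"}, {"sub": "mallory"}, signature=b""),
}
```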
OAuth 2.1 Proxy
When OAuthConfig::proxy is set, the MCP server acts as an OAuth 2.1
authorization server facade, proxying /authorize and /token to an
upstream identity provider (e.g. Keycloak). MCP clients discover this server as the
authorization server via Protected Resource Metadata (RFC 9728) and
perform the standard Authorization Code + PKCE flow transparently.
Structs
- ClientCertConfig - Client certificate paths for mTLS-based client authentication at the token exchange endpoint.
- ExchangedToken - Successful response from an RFC 8693 token exchange.
- JwksCache - Thread-safe JWKS key cache with automatic refresh.
- OAuthConfig - OAuth 2.1 JWT configuration.
- OAuthConfigBuilder - Builder for OAuthConfig.
- OAuthProxyConfig - Configuration for proxying OAuth 2.1 flows to an upstream identity provider.
- OAuthProxyConfigBuilder - Builder for OAuthProxyConfig.
- OauthHttpClient - HTTP client used by exchange_token and the OAuth 2.1 proxy handlers (handle_token, handle_introspect, handle_revoke).
- RoleMapping - Maps a JWT claim value to an RBAC role name. Used with OAuthConfig::role_claim for non-scope-based role extraction (e.g. Keycloak realm_access.roles, Azure AD roles).
- ScopeMapping - Maps an OAuth scope string to an RBAC role name.
- TokenExchangeConfig - Configuration for RFC 8693 token exchange.
Enums
- JwtValidationFailure - Coarse JWT validation failure classification for auth diagnostics.
Functions
- authorization_server_metadata - Build the Authorization Server Metadata JSON response (RFC 8414).
- exchange_token - Exchange an inbound access token for a downstream access token via RFC 8693 token exchange.
- handle_authorize - Handle GET /authorize - redirect to the upstream authorize URL.
- handle_introspect - Handle POST /introspect - RFC 7662 token introspection proxy.
- handle_register - Handle POST /register - return the pre-configured client_id.
- handle_revoke - Handle POST /revoke - RFC 7009 token revocation proxy.
- handle_token - Handle POST /token - proxy the token request to the upstream provider.
- looks_like_jwt - Returns true if the token looks like a JWT (3 dot-separated segments where the first segment decodes to JSON containing "alg").
- protected_resource_metadata - Build the Protected Resource Metadata JSON response.