#[non_exhaustive]
pub struct OAuthProxyConfig {
    pub authorize_url: String,
    pub token_url: String,
    pub client_id: String,
    pub client_secret: Option<SecretString>,
    pub introspection_url: Option<String>,
    pub revocation_url: Option<String>,
    pub expose_admin_endpoints: bool,
    pub require_auth_on_admin_endpoints: bool,
}
Configuration for proxying OAuth 2.1 flows to an upstream identity provider.
When present, the MCP server exposes /authorize, /token, and
/register endpoints that proxy to the upstream identity provider
(e.g. Keycloak). MCP clients see this server as the authorization
server and perform a standard Authorization Code + PKCE flow.
Fields (Non-exhaustive)
This struct is marked as non-exhaustive: it cannot be constructed with Struct { .. } syntax, cannot be matched against without a wildcard .., and struct update syntax will not work.
authorize_url: String
Upstream authorization endpoint (e.g. https://keycloak.example.com/realms/myrealm/protocol/openid-connect/auth).
token_url: String
Upstream token endpoint (e.g. https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token).
client_id: String
OAuth client_id registered at the upstream identity provider.
client_secret: Option<SecretString>
OAuth client_secret (for confidential clients). Omit for public clients.
introspection_url: Option<String>
Optional upstream RFC 7662 introspection endpoint. When set and Self::expose_admin_endpoints is true, the server exposes a local /introspect endpoint that proxies to it.
revocation_url: Option<String>
Optional upstream RFC 7009 revocation endpoint. When set and Self::expose_admin_endpoints is true, the server exposes a local /revoke endpoint that proxies to it.
expose_admin_endpoints: bool
Whether to expose the OAuth admin endpoints (/introspect, /revoke) and advertise them in the authorization-server metadata document.
Default: false. These endpoints are unauthenticated at the
transport layer (the OAuth proxy router is mounted outside the
MCP auth middleware) and proxy directly to the upstream IdP. If
enabled, you are responsible for restricting access at the
network boundary (firewall, reverse proxy, mTLS) or by routing
the entire rmcp-server-kit process behind an authenticated ingress. Leaving
this false (the default) makes the endpoints return 404.
require_auth_on_admin_endpoints: bool
Require the normal authentication middleware before the local /introspect and /revoke proxy endpoints are reached.
Default: false for backward compatibility. New deployments
should set this to true when exposing admin endpoints.
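As an added example (not the crate's own code; the builder is not used because its setter names are not shown on this page), a stand-alone lint that applies the rules in the field docs above to a local stand-in struct mirroring these fields: it flags admin endpoints exposed without require_auth_on_admin_endpoints, admin URLs configured while the local routes still answer 404, and upstream URLs that are not https. The Keycloak-style URLs are constructed sample values; sample(false, "http://...") is the weak setting the docs warn about and sample(true, "https://...") the hardened one.

```rust
/// Local stand-in mirroring OAuthProxyConfig's documented fields (not the crate's type).
pub struct ProxyConfig {
    pub authorize_url: String,
    pub token_url: String,
    pub client_id: String,
    pub client_secret: Option<String>, // SecretString in the crate
    pub introspection_url: Option<String>,
    pub revocation_url: Option<String>,
    pub expose_admin_endpoints: bool,
    pub require_auth_on_admin_endpoints: bool,
}

/// Deployment findings derived from the field docs above; empty means nothing to fix.
pub fn lint(cfg: &ProxyConfig) -> Vec<String> {
    let mut out = Vec::new();
    // /introspect and /revoke sit outside the MCP auth middleware, so without the
    // in-process gate only network-boundary controls stand in front of them.
    if cfg.expose_admin_endpoints && !cfg.require_auth_on_admin_endpoints {
        out.push("admin endpoints exposed with require_auth_on_admin_endpoints=false".into());
    }
    // With expose_admin_endpoints false the local routes answer 404: these URLs are dead config.
    if !cfg.expose_admin_endpoints && (cfg.introspection_url.is_some() || cfg.revocation_url.is_some()) {
        out.push("introspection/revocation URL set but admin endpoints are disabled".into());
    }
    // Client credentials, codes and tokens travel to every upstream URL: require TLS.
    let urls = [("authorize_url", Some(&cfg.authorize_url)), ("token_url", Some(&cfg.token_url)),
                ("introspection_url", cfg.introspection_url.as_ref()),
                ("revocation_url", cfg.revocation_url.as_ref())];
    for (name, url) in urls {
        if let Some(u) = url.filter(|u| !u.starts_with("https://")) {
            out.push(format!("{name} is not https: {u}"));
        }
    }
    out
}

/// Constructed sample against a Keycloak-style upstream with admin endpoints exposed.
/// sample(false, "http://...") is the weak setting; sample(true, "https://...") the hardened one.
pub fn sample(require_auth_on_admin_endpoints: bool, introspection_url: &str) -> ProxyConfig {
    let base = "https://keycloak.example.com/realms/myrealm/protocol/openid-connect";
    ProxyConfig {
        authorize_url: format!("{base}/auth"),
        token_url: format!("{base}/token"),
        client_id: "mcp-server".into(),
        client_secret: None, // public client
        introspection_url: Some(introspection_url.to_string()),
        revocation_url: None,
        expose_admin_endpoints: true,
        require_auth_on_admin_endpoints,
    }
}
```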
Implementations
impl OAuthProxyConfig
pub fn builder(
    authorize_url: impl Into<String>,
    token_url: impl Into<String>,
    client_id: impl Into<String>,
) -> OAuthProxyConfigBuilder
Start building an OAuthProxyConfig with the three required upstream fields.
Optional settings (client_secret, introspection_url, revocation_url, expose_admin_endpoints) default to their Default values and can be set via the corresponding builder methods.
Trait Implementations
impl Clone for OAuthProxyConfig
fn clone(&self) -> OAuthProxyConfig
fn clone_from(&mut self, source: &Self)
Performs copy-assignment from source.