Module oauth2

turbomcp_auth

Module oauth2 

Source
Expand description

OAuth 2.1 Implementation

This module provides an OAuth 2.1 implementation with:

  • Authorization Code flow with PKCE (RFC 7636)
  • Refresh tokens
  • Resource Indicators (RFC 8707) - MCP Required
  • Protected Resource Metadata (RFC 9728) - MCP Required
  • Dynamic Client Registration (RFC 7591)
  • DPoP integration (RFC 9449)

§Submodules

  • client - OAuth2Client for basic operations
  • resource - RFC 8707 Resource Indicators (MCP required)
  • validation - URI and security validation

§MCP Compliance

This implementation follows MCP specification requirements:

  • RFC 8707 resource parameters MUST be included in all OAuth flows
  • Tokens MUST be bound to specific MCP servers via audience claims
  • PKCE MUST be used for authorization code flows

Re-exports§

pub use client::OAuth2Client;
pub use dcr::DcrBuilder;
pub use dcr::DcrClient;
pub use dcr::RegistrationRequest;
pub use dcr::RegistrationResponse;
pub use resource::validate_resource_uri;
pub use validation::*;

Modules§

client
OAuth 2.1 Client Implementation
dcr
OAuth 2.0 Dynamic Client Registration (RFC 7591)
resource
RFC 8707 Resource Indicators for OAuth 2.0
validation
OAuth 2.1 Validation Functions