Struct OAuthConfig 

pub struct OAuthConfig {

    pub issuer: String,
    pub audience: String,
    pub jwks_uri: Option<String>,
    pub required_scopes: Vec<String>,
    pub pass_through: bool,
    pub allowed_algorithms: Vec<Algorithm>,
    pub expected_resource: Option<String>,
    pub clock_skew_leeway: Duration,
    pub require_audience: bool,
    pub dpop_mode: DpopMode,
    pub dpop_allowed_algorithms: Vec<Algorithm>,
    pub dpop_require_ath: bool,
    pub dpop_max_clock_skew: Duration,
}

OAuth 2.1 configuration for the HTTP proxy.

Fields

issuer: String

OAuth issuer URL (e.g., https://auth.example.com). Validated against the iss claim in the JWT.

audience: String

Expected audience claim (e.g., mcp-server). Validated against the aud claim in the JWT.

jwks_uri: Option<String>

JWKS endpoint URL for public key discovery. If not provided, defaults to {issuer}/.well-known/jwks.json.

required_scopes: Vec<String>

Required OAuth scopes. All listed scopes must be present in the token. If empty, no scope checking is performed.

pass_through: bool

Whether to forward the Bearer token to the upstream MCP server. When false, the proxy strips the Authorization header before forwarding.

allowed_algorithms: Vec<Algorithm>

Allowed JWT signing algorithms. Tokens using an algorithm not in this list are rejected. Prevents algorithm confusion attacks where an attacker selects a weak algorithm (e.g., HS256 with an RSA public key as secret).

Defaults to asymmetric algorithms only: RS256, RS384, RS512, ES256, ES384, PS256, PS384, PS512, EdDSA. HMAC (HS*) algorithms are excluded because OAuth 2.1 flows use asymmetric key pairs.

expected_resource: Option<String>

Expected resource indicator (RFC 8707). When set, the JWT must contain a resource claim matching this value. This prevents a token scoped for one MCP server from being replayed against a different server.

clock_skew_leeway: Duration

Allowable clock skew when validating exp, nbf, and iat claims. Accounts for clock drift between the authorization server and this proxy.

require_audience: bool

When true, tokens without an aud claim are rejected even if the jsonwebtoken library would otherwise accept them.

dpop_mode: DpopMode

DPoP enforcement mode (off, optional, required).

dpop_allowed_algorithms: Vec<Algorithm>

Allowed algorithms for DPoP proof JWTs.

dpop_require_ath: bool

When true, require ath (access token hash) claim in DPoP proofs.

dpop_max_clock_skew: Duration

Maximum absolute clock skew for DPoP iat validation.

Implementations

impl OAuthConfig

pub fn effective_jwks_uri(&self) -> String

Resolve the JWKS URI, falling back to well-known discovery.

Trait Implementations

impl Clone for OAuthConfig

fn clone(&self) -> OAuthConfig

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for OAuthConfig

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.