Revert "Merge RS/AS in client_credentials example"

This reverts commit 20b5dfc.

Author: LucaButBoring

examples/servers/simple-auth-client-credentials/README.md

@@ -24,17 +24,34 @@ export MCP_DISCORD_CLIENT_SECRET="your_client_secret_here"
 
 ## Running the Servers
 
-### Step 1: Start Resource Server (MCP Server)
+### Step 1: Start Authorization Server
 
 ```bash
-# Navigate to the simple-auth-client-credentials directory
-cd examples/servers/simple-auth-client-credentials
+# Navigate to the simple-auth directory
+cd examples/servers/simple-auth
 
-# Start Resource Server on port 8001
-uv run mcp-simple-auth-rs --port=8001 --transport=streamable-http
+# Start Authorization Server on port 9000
+uv run mcp-simple-auth-as --port=9000
 ```
 
-### Step 2: Test with Client
+**What it provides:**
+
+- OAuth 2.0 flows (registration, authorization, token exchange)
+- Discord OAuth integration for user authentication
+
+---
+
+### Step 2: Start Resource Server (MCP Server)
+
+```bash
+# In another terminal, navigate to the simple-auth directory
+cd examples/servers/simple-auth
+
+# Start Resource Server on port 8001, connected to Authorization Server
+uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000 --transport=streamable-http
+```
+
+### Step 3: Test with Client
 
 ```bash
 cd examples/clients/simple-auth-client-client-credentials
@@ -55,21 +72,21 @@ curl http://localhost:8001/.well-known/oauth-protected-resource
 ```json
 {
   "resource": "http://localhost:8001",
-  "authorization_servers": ["http://localhost:8001"]
+  "authorization_servers": ["http://localhost:9000"]
 }
 ```
 
 **Client → Authorization Server:**
 
 ```bash
-curl http://localhost:8001/.well-known/oauth-authorization-server
+curl http://localhost:9000/.well-known/oauth-authorization-server
 ```
 
 ```json
 {
-  "issuer": "http://localhost:8001",
-  "authorization_endpoint": "https://discord.com/api/v10/oauth2/authorize",
-  "token_endpoint": "https://discord.com/api/v10/oauth2/token"
+  "issuer": "http://localhost:9000",
+  "authorization_endpoint": "http://localhost:9000/authorize",
+  "token_endpoint": "http://localhost:9000/token"
 }
 ```
 
@@ -82,5 +99,14 @@ curl http://localhost:8001/.well-known/oauth-authorization-server
 curl -v http://localhost:8001/.well-known/oauth-protected-resource
 
 # Test Authorization Server metadata
-curl -v http://localhost:8001/.well-known/oauth-authorization-server
+curl -v http://localhost:9000/.well-known/oauth-authorization-server
+```
+
+### Test Token Introspection
+
+```bash
+# After getting a token through OAuth flow:
+curl -X POST http://localhost:9000/introspect \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "token=your_access_token"
 ```

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/auth_server.py

@@ -0,0 +1,120 @@
+"""
+Authorization Server for MCP Split Demo.
+
+This server handles OAuth flows, client registration, and token issuance.
+Can be replaced with enterprise authorization servers like Auth0, Entra ID, etc.
+
+NOTE: this is a simplified example for demonstration purposes.
+This is not a production-ready implementation.
+
+Usage:
+    python -m mcp_simple_auth.auth_server --port=9000
+"""
+
+import asyncio
+import logging
+
+import click
+from pydantic import AnyHttpUrl, BaseModel
+from starlette.applications import Starlette
+from starlette.endpoints import HTTPEndpoint
+from starlette.requests import Request
+from starlette.responses import JSONResponse, Response
+from starlette.routing import Route
+from uvicorn import Config, Server
+
+from mcp.server.auth.handlers.metadata import MetadataHandler
+from mcp.server.auth.routes import cors_middleware, create_auth_routes
+from mcp.server.auth.settings import AuthSettings, ClientRegistrationOptions
+from mcp.shared._httpx_utils import create_mcp_http_client
+from mcp.shared.auth import OAuthMetadata
+
+logger = logging.getLogger(__name__)
+
+API_BASE = "https://discord.com"
+API_ENDPOINT = f"{API_BASE}/api/v10"
+
+
+class AuthServerSettings(BaseModel):
+    """Settings for the Authorization Server."""
+
+    # Server settings
+    host: str = "localhost"
+    port: int = 9000
+    server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:9000")
+
+def create_authorization_server(server_settings: AuthServerSettings) -> Starlette:
+    """Create the Authorization Server application."""
+
+    routes = [
+        # Create RFC 8414 authorization server metadata endpoint
+        Route(
+            "/.well-known/oauth-authorization-server",
+            endpoint=cors_middleware(
+                MetadataHandler(metadata=OAuthMetadata(
+                    issuer=server_settings.server_url,
+                    authorization_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/authorize"),
+                    token_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/token"),
+                    token_endpoint_auth_methods_supported=["client_secret_basic"],
+                    response_types_supported=["code"],
+                    grant_types_supported=["client_credentials"],
+                    scopes_supported=["identify"]
+                )).handle,
+                ["GET", "OPTIONS"],
+            ),
+            methods=["GET", "OPTIONS"],
+        ),
+    ]
+
+    return Starlette(routes=routes)
+
+
+async def run_server(server_settings: AuthServerSettings):
+    """Run the Authorization Server."""
+    auth_server = create_authorization_server(server_settings)
+
+    config = Config(
+        auth_server,
+        host=server_settings.host,
+        port=server_settings.port,
+        log_level="info",
+    )
+    server = Server(config)
+
+    logger.info("=" * 80)
+    logger.info("MCP AUTHORIZATION PROXY SERVER")
+    logger.info("=" * 80)
+    logger.info(f"Server URL: {server_settings.server_url}")
+    logger.info("Endpoints:")
+    logger.info(f"  - OAuth Metadata: {server_settings.server_url}/.well-known/oauth-authorization-server")
+    logger.info("")
+    logger.info("=" * 80)
+
+    await server.serve()
+
+
+@click.command()
+@click.option("--port", default=9000, help="Port to listen on")
+def main(port: int) -> int:
+    """
+    Run the MCP Authorization Server.
+
+    This server handles OAuth flows and can be used by multiple Resource Servers.
+    """
+    logging.basicConfig(level=logging.INFO)
+
+    # Create server settings
+    host = "localhost"
+    server_url = f"http://{host}:{port}"
+    server_settings = AuthServerSettings(
+        host=host,
+        port=port,
+        server_url=AnyHttpUrl(server_url),
+    )
+
+    asyncio.run(run_server(server_settings))
+    return 0
+
+
+if __name__ == "__main__":
+    main()  # type: ignore[call-arg]

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/server.py

@@ -5,24 +5,17 @@
     python -m mcp_simple_auth.server --port=8001
 """
 
-import asyncio
 import logging
 from typing import Any, Literal
 
 import click
 import httpx
 from pydantic import AnyHttpUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
-from starlette.applications import Starlette
-from starlette.routing import Mount, Route
-from uvicorn import Config, Server
 
-from mcp.server.auth.handlers.metadata import MetadataHandler
 from mcp.server.auth.middleware.auth_context import get_access_token
-from mcp.server.auth.routes import cors_middleware
 from mcp.server.auth.settings import AuthSettings
 from mcp.server.fastmcp.server import FastMCP
-from mcp.shared.auth import OAuthMetadata
 
 from .token_verifier import IntrospectionTokenVerifier
 
@@ -40,10 +33,9 @@ class ResourceServerSettings(BaseSettings):
     host: str = "localhost"
     port: int = 8001
     server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:8001")
-    transport: Literal["sse", "streamable-http"] = "streamable-http"
 
     # Authorization Server settings
-    auth_server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:8001")
+    auth_server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:9000")
     auth_server_introspection_endpoint: str = f"{API_ENDPOINT}/oauth2/@me"
     auth_server_discord_user_endpoint: str = f"{API_ENDPOINT}/users/@me"
 
@@ -55,7 +47,7 @@ def __init__(self, **data):
         super().__init__(**data)
 
 
-def create_resource_server(settings: ResourceServerSettings) -> Starlette:
+def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
     """
     Create MCP Resource Server.
     """
@@ -67,8 +59,10 @@ def create_resource_server(settings: ResourceServerSettings) -> Starlette:
     )
 
     # Create FastMCP server as a Resource Server
-    resource_server = FastMCP(
+    app = FastMCP(
         name="MCP Resource Server",
+        host=settings.host,
+        port=settings.port,
         debug=True,
         token_verifier=token_verifier,
         auth=AuthSettings(
@@ -99,14 +93,14 @@ async def get_discord_user_data() -> dict[str, Any]:
 
             return response.json()
 
-    @resource_server.tool()
+    @app.tool()
     async def get_user_profile() -> dict[str, Any]:
         """
         Get the authenticated user's Discord profile information.
         """
         return await get_discord_user_data()
 
-    @resource_server.tool()
+    @app.tool()
     async def get_user_info() -> dict[str, Any]:
         """
         Get information about the currently authenticated user.
@@ -127,53 +121,12 @@ async def get_user_info() -> dict[str, Any]:
             "authorization_server": str(settings.auth_server_url),
         }
 
-    # Create Starlette app to mount the MCP server and host RFC8414
-    # metadata to jump to Discord's authorization server
-    app = Starlette(
-        debug=True,
-        routes=[
-            Route(
-                "/.well-known/oauth-authorization-server",
-                endpoint=cors_middleware(
-                    MetadataHandler(metadata=OAuthMetadata(
-                        issuer=settings.server_url,
-                        authorization_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/authorize"),
-                        token_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/token"),
-                        token_endpoint_auth_methods_supported=["client_secret_basic"],
-                        response_types_supported=["code"],
-                        grant_types_supported=["client_credentials"],
-                        scopes_supported=["identify"]
-                    )).handle,
-                    ["GET", "OPTIONS"],
-                ),
-                methods=["GET", "OPTIONS"],
-            ),
-            Mount(
-                "/",
-                app=resource_server.streamable_http_app() if settings.transport == "streamable-http" else resource_server.sse_app()
-            ),
-        ],
-        lifespan=lambda app: resource_server.session_manager.run(),
-    )
-
     return app
 
 
-async def run_server(settings: ResourceServerSettings):
-    mcp_server = create_resource_server(settings)
-    config = Config(
-        mcp_server,
-        host=settings.host,
-        port=settings.port,
-        log_level="info",
-    )
-    server = Server(config)
-    await server.serve()
-
-
 @click.command()
 @click.option("--port", default=8001, help="Port to listen on")
-@click.option("--auth-server", default="http://localhost:8001", help="Authorization Server URL")
+@click.option("--auth-server", default="http://localhost:9000", help="Authorization Server URL")
 @click.option(
     "--transport",
     default="streamable-http",
@@ -200,14 +153,15 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
             auth_server_url=auth_server_url,
             auth_server_introspection_endpoint=f"{API_ENDPOINT}/oauth2/@me",
             auth_server_discord_user_endpoint=f"{API_ENDPOINT}/users/@me",
-            transport=transport,
         )
     except ValueError as e:
         logger.error(f"Configuration error: {e}")
         logger.error("Make sure to provide a valid Authorization Server URL")
         return 1
 
     try:
+        mcp_server = create_resource_server(settings)
+
         logger.info("=" * 80)
         logger.info("📦 MCP RESOURCE SERVER")
         logger.info("=" * 80)
@@ -228,7 +182,7 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
         logger.info("=" * 80)
 
         # Run the server - this should block and keep running
-        asyncio.run(run_server(settings))
+        mcp_server.run(transport=transport)
         logger.info("Server stopped")
         return 0
     except Exception as e:

examples/servers/simple-auth-client-credentials/pyproject.toml

@@ -19,6 +19,7 @@ dependencies = [
 
 [project.scripts]
 mcp-simple-auth-rs = "mcp_simple_auth_client_credentials.server:main"
+mcp-simple-auth-as = "mcp_simple_auth_client_credentials.auth_server:main"
 
 [build-system]
 requires = ["hatchling"]