Implement simplified RS+AS token mapping without DCR

Author: LucaButBoring

examples/clients/simple-auth-client-client-credentials/mcp_simple_auth_client_client_credentials/main.py

@@ -8,20 +8,20 @@
 
 import asyncio
 import os
-import threading
-import time
-import webbrowser
 from datetime import timedelta
-from http.server import BaseHTTPRequestHandler, HTTPServer
 from typing import Any
-from urllib.parse import parse_qs, urlparse
 
 from mcp.client.auth import OAuthClientProvider, TokenStorage
 from mcp.client.session import ClientSession
 from mcp.client.sse import sse_client
 from mcp.client.streamable_http import streamablehttp_client
 from mcp.shared.auth import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
 
+# Hardcoded credentials assuming a preconfigured client, to demonstrate
+# working with an AS that does not have DCR support
+MCP_CLIENT_ID = "0000000000000000000"
+MCP_CLIENT_SECRET = "aaaaaaaaaaaaaaaaaaa"
+
 
 class InMemoryTokenStorage(TokenStorage):
     """Simple in-memory token storage implementation."""
@@ -66,18 +66,16 @@ async def connect(self):
                 "grant_types": ["client_credentials"],
                 "response_types": ["code"],
                 "token_endpoint_auth_method": "client_secret_basic",
-                "scope": "identify"
+                "scope": "identify",
             }
 
             # Create OAuth authentication handler using the new interface
             oauth_auth = OAuthClientProvider(
                 server_url=self.server_url.replace("/mcp", ""),
-                client_metadata=OAuthClientMetadata.model_validate(
-                    client_metadata_dict
-                ),
+                client_metadata=OAuthClientMetadata.model_validate(client_metadata_dict),
                 storage=InMemoryTokenStorage(
-                    client_id=os.environ.get("MCP_DISCORD_CLIENT_ID"),
-                    client_secret=os.environ.get("MCP_DISCORD_CLIENT_SECRET"),
+                    client_id=MCP_CLIENT_ID,
+                    client_secret=MCP_CLIENT_SECRET,
                 ),
             )
             oauth_auth.context.client_info = OAuthClientInformationFull(
@@ -210,9 +208,7 @@ async def interactive_loop(self):
                     await self.call_tool(tool_name, arguments)
 
                 else:
-                    print(
-                        "❌ Unknown command. Try 'list', 'call <tool_name>', or 'quit'"
-                    )
+                    print("❌ Unknown command. Try 'list', 'call <tool_name>', or 'quit'")
 
             except KeyboardInterrupt:
                 print("\n\n👋 Goodbye!")

examples/servers/simple-auth-client-credentials/README.md

@@ -1,6 +1,7 @@
 # MCP OAuth Authentication Demo
 
-This example demonstrates OAuth 2.0 authentication with the Model Context Protocol as an OAuth 2.0 Resource Server using the `client_credentials` token exchange.
+This example demonstrates OAuth 2.0 authentication with the Model Context Protocol as an OAuth 2.0 Resource Server using the `client_credentials` token exchange, with
+an Authorization Server that does not support Dynamic Client Registration.
 
 ---
 
@@ -27,8 +28,8 @@ export MCP_DISCORD_CLIENT_SECRET="your_client_secret_here"
 ### Step 1: Start Authorization Server
 
 ```bash
-# Navigate to the simple-auth directory
-cd examples/servers/simple-auth
+# Navigate to the simple-auth-client-credentials directory
+cd examples/servers/simple-auth-client-credentials
 
 # Start Authorization Server on port 9000
 uv run mcp-simple-auth-as --port=9000
@@ -44,8 +45,8 @@ uv run mcp-simple-auth-as --port=9000
 ### Step 2: Start Resource Server (MCP Server)
 
 ```bash
-# In another terminal, navigate to the simple-auth directory
-cd examples/servers/simple-auth
+# In another terminal, navigate to the simple-auth-client-credentials directory
+cd examples/servers/simple-auth-client-credentials
 
 # Start Resource Server on port 8001, connected to Authorization Server
 uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000 --transport=streamable-http

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/auth_server.py

@@ -13,26 +13,43 @@
 
 import asyncio
 import logging
+import secrets
+from base64 import b64decode, b64encode
 
 import click
 from pydantic import AnyHttpUrl, BaseModel
+from pydantic_settings import BaseSettings, SettingsConfigDict
 from starlette.applications import Starlette
 from starlette.endpoints import HTTPEndpoint
 from starlette.requests import Request
 from starlette.responses import JSONResponse, Response
 from starlette.routing import Route
+from starlette.types import Receive, Scope, Send
 from uvicorn import Config, Server
 
 from mcp.server.auth.handlers.metadata import MetadataHandler
-from mcp.server.auth.routes import cors_middleware, create_auth_routes
-from mcp.server.auth.settings import AuthSettings, ClientRegistrationOptions
+from mcp.server.auth.routes import cors_middleware
 from mcp.shared._httpx_utils import create_mcp_http_client
-from mcp.shared.auth import OAuthMetadata
+from mcp.shared.auth import OAuthMetadata, OAuthToken
 
 logger = logging.getLogger(__name__)
 
-API_BASE = "https://discord.com"
-API_ENDPOINT = f"{API_BASE}/api/v10"
+API_ENDPOINT = "https://discord.com/api/v10"
+
+
+class DiscordOAuthSettings(BaseSettings):
+    """Discord OAuth settings."""
+
+    model_config = SettingsConfigDict(env_prefix="MCP_")
+
+    # Discord OAuth settings - MUST be provided via environment variables
+    discord_client_id: str | None = None
+    discord_client_secret: str | None = None
+
+    # Discord OAuth URL
+    discord_token_url: str = f"{API_ENDPOINT}/oauth2/token"
+
+    discord_scope: str = "identify"
 
 
 class AuthServerSettings(BaseModel):
@@ -43,35 +60,176 @@ class AuthServerSettings(BaseModel):
     port: int = 9000
     server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:9000")
 
-def create_authorization_server(server_settings: AuthServerSettings) -> Starlette:
+
+# Hardcoded credentials assuming a preconfigured client, to demonstrate
+# working with an AS that does not have DCR support
+MCP_CLIENT_ID = "0000000000000000000"
+MCP_CLIENT_SECRET = "aaaaaaaaaaaaaaaaaaa"
+
+# Map of MCP server tokens to Discord API tokens
+TOKEN_MAP: dict[str, str] = {}
+
+
+class TokenEndpoint(HTTPEndpoint):
+    # Map of MCP client IDs to Discord client IDs
+    client_map: dict[str, str] = {}
+    client_credentials: dict[str, str] = {}
+
+    discord_client_credentials: dict[str, str] = {}
+
+    def __init__(self, scope: Scope, receive: Receive, send: Send):
+        super().__init__(scope, receive, send)
+        self.discord_settings = DiscordOAuthSettings()
+
+        assert self.discord_settings.discord_client_id is not None, "Discord client ID not set"
+        assert self.discord_settings.discord_client_secret is not None, "Discord client secret not set"
+
+        # Assume a preconfigured client ID to demonstrate working with an AS that does not have DCR support
+        self.client_map = {
+            MCP_CLIENT_ID: self.discord_settings.discord_client_id,
+        }
+        self.client_credentials = {
+            MCP_CLIENT_ID: MCP_CLIENT_SECRET,
+        }
+        self.discord_client_credentials = {
+            self.discord_settings.discord_client_id: self.discord_settings.discord_client_secret,
+        }
+
+    async def post(self, request: Request) -> Response:
+        # Get client_id and client_secret from Basic auth header
+        auth_header = request.headers.get("Authorization", "")
+        if not auth_header.startswith("Basic "):
+            return JSONResponse({"error": "Invalid authorization header"}, status_code=401)
+        auth_header_encoded = auth_header.split(" ")[1]
+        auth_header_raw = b64decode(auth_header_encoded).decode("utf-8")
+        client_id, client_secret = auth_header_raw.split(":")
+
+        # Validate MCP client
+        if client_id not in self.client_map:
+            return JSONResponse({"error": "Invalid client"}, status_code=401)
+        # Check if client secret matches
+        if client_secret != self.client_credentials[client_id]:
+            return JSONResponse({"error": "Invalid client secret"}, status_code=401)
+
+        # Get mapped credentials
+        discord_client_id = self.client_map[client_id]
+        discord_client_secret = self.discord_client_credentials[discord_client_id]
+
+        # Get request data (application/x-www-form-urlencoded)
+        data = await request.form()
+
+        # Validate scopes
+        scopes = str(data.get("scope", "")).split(" ")
+        if not set(scopes).issubset(set(self.discord_settings.discord_scope.split(" "))):
+            return JSONResponse({"error": "Invalid scope"}, status_code=400)
+
+        # Set credentials in HTTP client
+        headers = {
+            "Authorization": f"Basic {b64encode(f'{discord_client_id}:{discord_client_secret}'.encode()).decode()}"
+        }
+
+        # Create HTTP client
+        async with create_mcp_http_client() as http_client:
+            # Forward request to Discord API
+            method = getattr(http_client, request.method.lower())
+            response = await method(self.discord_settings.discord_token_url, data=data, headers=headers)
+            if response.status_code != 200:
+                body = await response.aread()
+                return Response(body, status_code=response.status_code, headers=response.headers)
+
+            # Generate MCP access token
+            mcp_token = f"mcp_{secrets.token_hex(32)}"
+
+            # Store mapped access token
+            TOKEN_MAP[mcp_token] = response.json()["access_token"]
+
+            # Return response
+            return JSONResponse(
+                OAuthToken(
+                    access_token=mcp_token,
+                    token_type="Bearer",
+                    expires_in=response.json()["expires_in"],
+                    scope=self.discord_settings.discord_scope,
+                ).model_dump(),
+                status_code=response.status_code,
+            )
+
+
+class DiscordAPIProxy(HTTPEndpoint):
+    """Proxy for Discord API."""
+
+    async def get(self, request: Request) -> Response:
+        """Proxy GET requests to Discord API."""
+        return await self.handle(request)
+
+    async def post(self, request: Request) -> Response:
+        """Proxy POST requests to Discord API."""
+        return await self.handle(request)
+
+    async def handle(self, request: Request) -> Response:
+        """Proxy requests to Discord API."""
+        path = request.url.path[len("/discord") :]
+        query = request.url.query
+
+        # Get access token from Authorization header
+        access_token = request.headers.get("Authorization", "").split(" ")[1]
+        if not access_token:
+            return JSONResponse({"error": "Missing access token"}, status_code=401)
+
+        # Map access token to Discord access token
+        access_token = TOKEN_MAP.get(access_token, None)
+        if not access_token:
+            return JSONResponse({"error": "Invalid access token"}, status_code=401)
+
+        # Set mapped access token in HTTP client
+        headers = {"Authorization": f"Bearer {access_token}"}
+
+        # Create HTTP client
+        async with create_mcp_http_client() as http_client:
+            # Forward request to Discord API
+            response = await http_client.get(f"{API_ENDPOINT}{path}?{query}", headers=headers)
+
+            # Return response
+            return JSONResponse(response.json(), status_code=response.status_code)
+
+
+def create_authorization_server(
+    server_settings: AuthServerSettings, discord_settings: DiscordOAuthSettings
+) -> Starlette:
     """Create the Authorization Server application."""
 
     routes = [
         # Create RFC 8414 authorization server metadata endpoint
         Route(
             "/.well-known/oauth-authorization-server",
             endpoint=cors_middleware(
-                MetadataHandler(metadata=OAuthMetadata(
-                    issuer=server_settings.server_url,
-                    authorization_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/authorize"),
-                    token_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/token"),
-                    token_endpoint_auth_methods_supported=["client_secret_basic"],
-                    response_types_supported=["code"],
-                    grant_types_supported=["client_credentials"],
-                    scopes_supported=["identify"]
-                )).handle,
+                MetadataHandler(
+                    metadata=OAuthMetadata(
+                        issuer=server_settings.server_url,
+                        authorization_endpoint=AnyHttpUrl(f"{server_settings.server_url}authorize"),
+                        token_endpoint=AnyHttpUrl(f"{server_settings.server_url}token"),
+                        token_endpoint_auth_methods_supported=["client_secret_basic"],
+                        response_types_supported=["code"],
+                        grant_types_supported=["client_credentials"],
+                        scopes_supported=[discord_settings.discord_scope],
+                    )
+                ).handle,
                 ["GET", "OPTIONS"],
             ),
             methods=["GET", "OPTIONS"],
         ),
+        # Create OAuth 2.0 token endpoint
+        Route("/token", TokenEndpoint),
+        # Create API proxy endpoint
+        Route("/discord/{path:path}", DiscordAPIProxy),
     ]
 
     return Starlette(routes=routes)
 
 
-async def run_server(server_settings: AuthServerSettings):
+async def run_server(server_settings: AuthServerSettings, discord_settings: DiscordOAuthSettings):
     """Run the Authorization Server."""
-    auth_server = create_authorization_server(server_settings)
+    auth_server = create_authorization_server(server_settings, discord_settings)
 
     config = Config(
         auth_server,
@@ -86,7 +244,9 @@ async def run_server(server_settings: AuthServerSettings):
     logger.info("=" * 80)
     logger.info(f"Server URL: {server_settings.server_url}")
     logger.info("Endpoints:")
-    logger.info(f"  - OAuth Metadata: {server_settings.server_url}/.well-known/oauth-authorization-server")
+    logger.info(f"  - OAuth Metadata: {server_settings.server_url}.well-known/oauth-authorization-server")
+    logger.info(f"  - Token Exchange: {server_settings.server_url}token")
+    logger.info(f"  - Discord API Proxy: {server_settings.server_url}discord")
     logger.info("")
     logger.info("=" * 80)
 
@@ -112,7 +272,9 @@ def main(port: int) -> int:
         server_url=AnyHttpUrl(server_url),
     )
 
-    asyncio.run(run_server(server_settings))
+    discord_settings = DiscordOAuthSettings()
+
+    asyncio.run(run_server(server_settings, discord_settings))
     return 0
 
 

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/server.py

@@ -19,11 +19,11 @@
 
 from .token_verifier import IntrospectionTokenVerifier
 
-
 logger = logging.getLogger(__name__)
 
 API_ENDPOINT = "https://discord.com/api/v10"
 
+
 class ResourceServerSettings(BaseSettings):
     """Settings for the MCP Resource Server."""
 
@@ -36,8 +36,8 @@ class ResourceServerSettings(BaseSettings):
 
     # Authorization Server settings
     auth_server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:9000")
-    auth_server_introspection_endpoint: str = f"{API_ENDPOINT}/oauth2/@me"
-    auth_server_discord_user_endpoint: str = f"{API_ENDPOINT}/users/@me"
+    auth_server_introspection_endpoint: str = "http://localhost:9000/discord/oauth2/@me"
+    auth_server_discord_user_endpoint: str = "http://localhost:9000/discord/users/@me"
 
     # MCP settings
     mcp_scope: str = "identify"
@@ -151,8 +151,8 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
             port=port,
             server_url=AnyHttpUrl(server_url),
             auth_server_url=auth_server_url,
-            auth_server_introspection_endpoint=f"{API_ENDPOINT}/oauth2/@me",
-            auth_server_discord_user_endpoint=f"{API_ENDPOINT}/users/@me",
+            auth_server_introspection_endpoint=f"{auth_server_url}discord/oauth2/@me",
+            auth_server_discord_user_endpoint=f"{auth_server_url}discord/users/@me",
         )
     except ValueError as e:
         logger.error(f"Configuration error: {e}")
@@ -168,9 +168,9 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
         logger.info(f"🌐 Server URL: {settings.server_url}")
         logger.info(f"🔑 Authorization Server: {settings.auth_server_url}")
         logger.info("📋 Endpoints:")
-        logger.info(f"   ┌─ Protected Resource Metadata: {settings.server_url}/.well-known/oauth-protected-resource")
+        logger.info(f"   ┌─ Protected Resource Metadata: {settings.server_url}.well-known/oauth-protected-resource")
         mcp_path = "sse" if transport == "sse" else "mcp"
-        logger.info(f"   ├─ MCP Protocol: {settings.server_url}/{mcp_path}")
+        logger.info(f"   ├─ MCP Protocol: {settings.server_url}{mcp_path}")
         logger.info(f"   └─ Token Introspection: {settings.auth_server_introspection_endpoint}")
         logger.info("")
         logger.info("🛠️  Available Tools:")