oAuth metadata: switch to better-auth/plugins -> mcp plugin

Author: KKonstantinov

examples/server/src/elicitationUrlExample.ts

@@ -10,12 +10,12 @@
 import { randomUUID } from 'node:crypto';
 
 import {
+    createProtectedResourceMetadataRouter,
     getOAuthProtectedResourceMetadataUrl,
-    mcpAuthMetadataRouter,
     requireBearerAuth,
     setupAuthServer
 } from '@modelcontextprotocol/examples-shared';
-import type { CallToolResult, ElicitRequestURLParams, ElicitResult, OAuthMetadata } from '@modelcontextprotocol/server';
+import type { CallToolResult, ElicitRequestURLParams, ElicitResult } from '@modelcontextprotocol/server';
 import {
     isInitializeRequest,
     McpServer,
@@ -239,17 +239,11 @@ let authMiddleware = null;
 const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
 const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-const oauthMetadata: OAuthMetadata = setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: true });
+setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: true });
 
-// Add metadata routes to the main MCP server
-app.use(
-    mcpAuthMetadataRouter({
-        oauthMetadata,
-        resourceServerUrl: mcpServerUrl,
-        scopesSupported: ['mcp:tools'],
-        resourceName: 'MCP Demo Server'
-    })
-);
+// Add protected resource metadata route to the MCP server
+// This allows clients to discover the auth server
+app.use(createProtectedResourceMetadataRouter());
 
 authMiddleware = requireBearerAuth({
     requiredScopes: [],

examples/server/src/simpleStreamableHttp.ts

@@ -1,15 +1,14 @@
 import { randomUUID } from 'node:crypto';
 
 import {
+    createProtectedResourceMetadataRouter,
     getOAuthProtectedResourceMetadataUrl,
-    mcpAuthMetadataRouter,
     requireBearerAuth,
     setupAuthServer
 } from '@modelcontextprotocol/examples-shared';
 import type {
     CallToolResult,
     GetPromptResult,
-    OAuthMetadata,
     PrimitiveSchemaDefinition,
     ReadResourceResult,
     ResourceLink
@@ -528,17 +527,11 @@ if (useOAuth) {
     const mcpServerUrl = new URL(`http://localhost:${MCP_PORT}/mcp`);
     const authServerUrl = new URL(`http://localhost:${AUTH_PORT}`);
 
-    const oauthMetadata: OAuthMetadata = setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: strictOAuth });
+    setupAuthServer({ authServerUrl, mcpServerUrl, strictResource: strictOAuth });
 
-    // Add metadata routes to the main MCP server
-    app.use(
-        mcpAuthMetadataRouter({
-            oauthMetadata,
-            resourceServerUrl: mcpServerUrl,
-            scopesSupported: ['mcp:tools'],
-            resourceName: 'MCP Demo Server'
-        })
-    );
+    // Add protected resource metadata route to the MCP server
+    // This allows clients to discover the auth server
+    app.use(createProtectedResourceMetadataRouter());
 
     authMiddleware = requireBearerAuth({
         requiredScopes: [],

examples/shared/src/auth.ts

@@ -7,7 +7,6 @@
  * For production use, configure a proper database and authentication flow.
  */
 
-import type { BetterAuthPlugin } from 'better-auth';
 import { betterAuth } from 'better-auth';
 import { mcp } from 'better-auth/plugins';
 import Database from 'better-sqlite3';
@@ -70,7 +69,7 @@ export function createDemoAuth(options: CreateDemoAuthOptions) {
             enabled: true,
             requireEmailVerification: false
         },
-        plugins: [mcpPlugin as BetterAuthPlugin]
+        plugins: [mcpPlugin]
     });
 }
 

examples/shared/src/authMiddleware.ts

@@ -3,12 +3,10 @@
  *
  * 🚨 DEMO ONLY - NOT FOR PRODUCTION
  *
- * This provides bearer auth middleware and metadata routes for MCP servers.
+ * This provides bearer auth middleware for MCP servers.
  */
 
-import type { OAuthMetadata, OAuthProtectedResourceMetadata } from '@modelcontextprotocol/server';
-import type { NextFunction, Request, Response, Router } from 'express';
-import express from 'express';
+import type { NextFunction, Request, Response } from 'express';
 
 import { verifyAccessToken } from './authServer.js';
 
@@ -78,43 +76,6 @@ export function requireBearerAuth(
     };
 }
 
-export interface McpAuthMetadataRouterOptions {
-    oauthMetadata: OAuthMetadata;
-    resourceServerUrl: URL;
-    scopesSupported?: string[];
-    resourceName?: string;
-}
-
-/**
- * Creates an Express router that serves OAuth and Protected Resource metadata.
- */
-export function mcpAuthMetadataRouter(options: McpAuthMetadataRouterOptions): Router {
-    const { oauthMetadata, resourceServerUrl, scopesSupported = ['mcp:tools'], resourceName } = options;
-
-    const router = express.Router();
-
-    // OAuth Protected Resource Metadata (RFC 9728)
-    const protectedResourceMetadata: OAuthProtectedResourceMetadata = {
-        resource: resourceServerUrl.toString(),
-        authorization_servers: [oauthMetadata.issuer],
-        scopes_supported: scopesSupported,
-        resource_name: resourceName
-    };
-
-    // Serve protected resource metadata
-    router.get('/.well-known/oauth-protected-resource', (req: Request, res: Response) => {
-        res.json(protectedResourceMetadata);
-    });
-
-    // Also serve at the MCP-specific path
-    const mcpPath = new URL(resourceServerUrl.pathname, resourceServerUrl).pathname;
-    router.get(`${mcpPath}/.well-known/oauth-protected-resource`, (req: Request, res: Response) => {
-        res.json(protectedResourceMetadata);
-    });
-
-    return router;
-}
-
 /**
  * Helper to get the protected resource metadata URL from a server URL.
  */

examples/shared/src/authServer.ts

@@ -11,7 +11,8 @@
 
 import type { OAuthMetadata } from '@modelcontextprotocol/core';
 import { toNodeHandler } from 'better-auth/node';
-import type { Request, Response as ExpressResponse } from 'express';
+import { oAuthDiscoveryMetadata, oAuthProtectedResourceMetadata } from 'better-auth/plugins';
+import type { Request, Response as ExpressResponse, Router } from 'express';
 import express from 'express';
 
 import type { DemoAuth } from './auth.js';
@@ -132,19 +133,10 @@ export function setupAuthServer(options: SetupAuthServerOptions): OAuthMetadata
     // This handles: authorization, token, client registration, etc.
     authApp.all('/api/auth/*', toNodeHandler(auth));
 
-    // OAuth metadata endpoints at well-known paths
-    // Some clients may not parse WWW-Authenticate header and need these
-    authApp.get('/.well-known/oauth-authorization-server', (_req, res) => {
-        res.json(createOAuthMetadata(authServerUrl));
-    });
-
-    authApp.get('/.well-known/oauth-protected-resource', (_req, res) => {
-        res.json({
-            resource: mcpServerUrl.toString(),
-            authorization_servers: [authServerUrl.toString().replace(/\/$/, '')],
-            scopes_supported: ['openid', 'profile', 'email', 'mcp:tools']
-        });
-    });
+    // OAuth metadata endpoints using better-auth's built-in handlers
+    // See: https://www.better-auth.com/docs/plugins/mcp#oauth-discovery-metadata
+    authApp.get('/.well-known/oauth-authorization-server', toNodeHandler(oAuthDiscoveryMetadata(auth)));
+    authApp.get('/.well-known/oauth-protected-resource', toNodeHandler(oAuthProtectedResourceMetadata(auth)));
 
     // Start the auth server
     const authPort = parseInt(authServerUrl.port, 10);
@@ -162,6 +154,25 @@ export function setupAuthServer(options: SetupAuthServerOptions): OAuthMetadata
     return createOAuthMetadata(authServerUrl);
 }
 
+/**
+ * Creates an Express router that serves OAuth Protected Resource Metadata
+ * on the MCP server using better-auth's built-in handler.
+ *
+ * This is needed because MCP clients discover the auth server by first
+ * fetching protected resource metadata from the MCP server.
+ *
+ * See: https://www.better-auth.com/docs/plugins/mcp#oauth-protected-resource-metadata
+ */
+export function createProtectedResourceMetadataRouter(): Router {
+    const auth = getAuth();
+    const router = express.Router();
+
+    // Serve at the standard well-known path
+    router.get('/.well-known/oauth-protected-resource', toNodeHandler(oAuthProtectedResourceMetadata(auth)));
+
+    return router;
+}
+
 /**
  * Creates OAuth 2.0 Authorization Server Metadata (RFC 8414)
  */

examples/shared/src/index.ts

@@ -3,9 +3,9 @@ export type { CreateDemoAuthOptions, DemoAuth } from './auth.js';
 export { createDemoAuth } from './auth.js';
 
 // Auth middleware
-export type { McpAuthMetadataRouterOptions, RequireBearerAuthOptions } from './authMiddleware.js';
-export { getOAuthProtectedResourceMetadataUrl, mcpAuthMetadataRouter, requireBearerAuth } from './authMiddleware.js';
+export type { RequireBearerAuthOptions } from './authMiddleware.js';
+export { getOAuthProtectedResourceMetadataUrl, requireBearerAuth } from './authMiddleware.js';
 
 // Auth server setup
 export type { AuthServerResult, SetupAuthServerOptions } from './authServer.js';
-export { getAuth, setupAuthServer, verifyAccessToken } from './authServer.js';
+export { createProtectedResourceMetadataRouter, getAuth, setupAuthServer, verifyAccessToken } from './authServer.js';