slim down

Author: pcarleton

src/examples/server/demoRemoteOAuthProvider.ts

@@ -8,7 +8,6 @@ import { requireBearerAuth } from '../../server/auth/middleware/bearerAuth.js';
 import { CallToolResult, GetPromptResult, isInitializeRequest, ReadResourceResult } from '../../types.js';
 import { InMemoryEventStore } from '../shared/inMemoryEventStore.js';
 import { setupAuthServer } from './demoInMemoryOAuthProvider.js';
-import { DemoRemoteOAuthProvider } from './demoRemoteOAuthProvider.js';
 import { OAuthMetadata } from 'src/shared/auth.js';
 
 // Check for OAuth flag
@@ -182,9 +181,40 @@ if (useOAuth) {
 
   const oauthMetadata: OAuthMetadata = setupAuthServer(authServerUrl);
 
-  const remoteProvider = new DemoRemoteOAuthProvider(
-      oauthMetadata
-  );
+  const tokenVerifier = {
+    verifyAccessToken: async (token: string) => {
+      const endpoint = oauthMetadata.introspection_endpoint;
+
+      if (!endpoint) {
+        throw new Error('No token verification endpoint available in metadata');
+      }
+
+      const response = await fetch(endpoint, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/x-www-form-urlencoded',
+        },
+        body: new URLSearchParams({
+          token: token
+        }).toString()
+      });
+
+
+      if (!response.ok) {
+        throw new Error(`Invalid or expired token: ${await response.text()}`);
+      }
+
+      const data = await response.json();
+
+      // Convert the response to AuthInfo format
+      return {
+        token,
+        clientId: data.client_id,
+        scopes: data.scope ? data.scope.split(' ') : [],
+        expiresAt: data.exp,
+      };
+    }
+  }
   // Add metadata routes to the main MCP server
   app.use(mcpAuthMetadataRouter({
     oauthMetadata,
@@ -194,7 +224,7 @@ if (useOAuth) {
   }));
 
   authMiddleware = requireBearerAuth({
-    provider: remoteProvider,
+    verifier: tokenVerifier,
     requiredScopes: ['mcp:tools'],
     resourceMetadataUrl: getOAuthProtectedResourceMetadataUrl(mcpServerUrl),
   });

src/examples/server/simpleStreamableHttp.ts

@@ -1,13 +1,13 @@
 import { RequestHandler } from "express";
 import { InsufficientScopeError, InvalidTokenError, OAuthError, ServerError } from "../errors.js";
-import { OAuthServerProvider } from "../provider.js";
+import { OAuthTokenVerifier } from "../provider.js";
 import { AuthInfo } from "../types.js";
 
 export type BearerAuthMiddlewareOptions = {
   /**
    * A provider used to verify tokens.
    */
-  provider: OAuthServerProvider;
+  verifier: OAuthTokenVerifier;
 
   /**
    * Optional scopes that the token must have.
@@ -37,7 +37,7 @@ declare module "express-serve-static-core" {
  * If resourceMetadataUrl is provided, it will be included in the WWW-Authenticate header
  * for 401 responses as per the OAuth 2.0 Protected Resource Metadata spec.
  */
-export function requireBearerAuth({ provider, requiredScopes = [], resourceMetadataUrl }: BearerAuthMiddlewareOptions): RequestHandler {
+export function requireBearerAuth({ verifier, requiredScopes = [], resourceMetadataUrl }: BearerAuthMiddlewareOptions): RequestHandler {
   return async (req, res, next) => {
     try {
       const authHeader = req.headers.authorization;
@@ -50,7 +50,7 @@ export function requireBearerAuth({ provider, requiredScopes = [], resourceMetad
         throw new InvalidTokenError("Invalid Authorization header format, expected 'Bearer TOKEN'");
       }
 
-      const authInfo = await provider.verifyAccessToken(token);
+      const authInfo = await verifier.verifyAccessToken(token);
 
       // Check if token has the required scopes (if any)
       if (requiredScopes.length > 0) {
@@ -94,4 +94,4 @@ export function requireBearerAuth({ provider, requiredScopes = [], resourceMetad
       }
     }
   };
-}
+}

src/server/auth/middleware/bearerAuth.ts

@@ -69,7 +69,7 @@ export interface OAuthServerProvider {
 /**
  * Slim implementation useful for token verification
  */
-export interface TokenVerifier {
+export interface OAuthTokenVerifier {
   /**
    * Verifies an access token and returns information about it.
    */