Add OAuth Protected Resource Metadata (PRM) handler (#75)

* prm metadata handler

* comment fixing

* export prm functions from index

* add changeset

* consistent JSON response formatting

* use PRM schema from mcp ts library

* include .js in import

* Add PRM docs to readme

Author: allenzhou101

.changeset/ripe-mails-doubt.md

@@ -0,0 +1,5 @@
+---
+"@vercel/mcp-adapter": minor
+---
+
+Add RFC 9728 OAuth Protected Resource Metadata handler

README.md

@@ -223,25 +223,22 @@ When implementing authorization in MCP, you must define the OAuth [Protected Res
 Create a new file at `app/.well-known/oauth-protected-resource/route.ts`:
 
 ```typescript
-export async function GET(req: Request) {
-  const origin = new URL(req.url).origin;
-  
-  return Response.json({
-    resource: `${origin}`,
-    authorization_servers: [`https://authorization-server-issuer.com`],
-    scopes_supported: ["openid"],
-    resource_name: "MCP Server",
-    resource_documentation: `${origin}/docs`
-  });
-}
+import {
+  protectedResourceHandler,
+  metadataCorsOptionsRequestHandler,
+} from '@vercel/mcp-adapter'
+
+const handler = protectedResourceHandler({
+  // Specify the Issuer URL of the associated Authorization Server 
+  authServerUrls: ["https://auth-server.com"]
+})
+
+export { handler as GET, metadataCorsOptionsRequestHandler as OPTIONS }
 ```
 
 This endpoint provides:
 - `resource`: The URL of your MCP server
 - `authorization_servers`: Array of OAuth authorization server Issuer URLs that can issue valid tokens
-- `scopes_supported`: Array of OAuth scopes supported by your server
-- `resource_name`: Human-readable name for your MCP server
-- `resource_documentation`: URL to your server's documentation
 
 The path to this endpoint should match the `resourceMetadataPath` option in your `withMcpAuth` configuration,
 which by default is `/.well-known/oauth-protected-resource` (the full URL will be `https://your-domain.com/.well-known/oauth-protected-resource`).

src/index.ts

@@ -2,3 +2,9 @@
 export { default as createMcpHandler } from "./next";
 
 export { withMcpAuth as experimental_withMcpAuth } from "./next/auth-wrapper";
+
+export {
+  protectedResourceHandler,
+  generateProtectedResourceMetadata,
+  metadataCorsOptionsRequestHandler,
+} from "./next/auth-metadata";

src/next/auth-metadata.ts

@@ -0,0 +1,86 @@
+import { OAuthProtectedResourceMetadata } from "@modelcontextprotocol/sdk/shared/auth.js";
+
+/**
+ * CORS headers for OAuth Protected Resource Metadata endpoint.
+ * Configured to allow any origin to make the endpoint accessible to web-based MCP clients.
+ */
+const corsHeaders = {
+    "Access-Control-Allow-Origin": "*",
+    "Access-Control-Allow-Methods": "GET, OPTIONS",
+    "Access-Control-Allow-Headers": "*",
+    "Access-Control-Max-Age": "86400",
+};
+
+/**
+ * OAuth 2.0 Protected Resource Metadata endpoint based on RFC 9728.
+ * @see https://datatracker.ietf.org/doc/html/rfc9728
+ * 
+ * @param authServerUrls - Array of issuer URLs of the OAuth 2.0 Authorization Servers. 
+ *                        These should match the "issuer" field in the authorization servers' 
+ *                        OAuth metadata (RFC 8414).
+ */
+export function protectedResourceHandler({
+    authServerUrls,
+}: {
+    authServerUrls: string[];
+}) {
+    return (req: Request) => {
+        const origin = new URL(req.url).origin;
+
+        const metadata = generateProtectedResourceMetadata({
+            authServerUrls,
+            resourceUrl: origin,
+        });
+
+        return new Response(JSON.stringify(metadata), {
+            headers: {
+                ...corsHeaders,
+                "Cache-Control": "max-age=3600",
+                "Content-Type": "application/json",
+            },
+        });
+    };
+}
+
+/**
+ * Generates protected resource metadata for the given auth server urls and
+ * resource server url.
+ *
+ * @param authServerUrls - Array of issuer URLs of the authorization servers. Each URL should 
+ *                        match the "issuer" field in the respective authorization server's 
+ *                        OAuth metadata (RFC 8414).
+ * @param resourceUrl - URL of the resource server
+ * @param additionalMetadata - Additional metadata fields to include in the response
+ * @returns Protected resource metadata, serializable to JSON
+ */
+export function generateProtectedResourceMetadata({
+    authServerUrls,
+    resourceUrl,
+    additionalMetadata,
+}: {
+    authServerUrls: string[];
+    resourceUrl: string;
+    additionalMetadata?: Partial<OAuthProtectedResourceMetadata>;
+}): OAuthProtectedResourceMetadata {
+    return Object.assign(
+        {
+            resource: resourceUrl,
+            authorization_servers: authServerUrls
+        },
+        additionalMetadata
+    );
+}
+
+/**
+ * CORS options request handler for OAuth metadata endpoints.
+ * Necessary for MCP clients that operate in web browsers.
+ */
+export function metadataCorsOptionsRequestHandler() {
+    return () => {
+        return new Response(null, {
+            status: 200,
+            headers: corsHeaders,
+        });
+    };
+}
+