Add server-side OAuth discovery proxy and improve auth UI

gary149 · gary149 · commit 622ae1f83971 · 2025-12-05T15:43:34.000+01:00
Introduces a server-side endpoint for OAuth metadata discovery to avoid CORS issues and support RFC 9728 probing. Updates the client service to use this proxy, adds ProtectedResourceMetadata type, and improves ServerCard UI to better indicate authentication requirements.
diff --git a/src/lib/components/mcp/ServerCard.svelte b/src/lib/components/mcp/ServerCard.svelte
@@ -44,7 +44,11 @@
 		const hasToken = tokens.has(server.id);
 		const hasConfig = configs.has(server.id);
 
-		if (!server.oauthEnabled && !hasToken && !hasConfig) return "none";
+		if (!server.oauthEnabled && !hasToken && !hasConfig) {
+			// Health check returned 401 but OAuth wasn't set up - prompt for authentication
+			if (server.authRequired) return "missing";
+			return "none";
+		}
 
 		const token = tokens.get(server.id);
 		if (!token) return "missing";
@@ -269,14 +273,18 @@
 				<div class="flex items-center gap-2 rounded bg-amber-50 px-2 py-1.5 dark:bg-amber-900/20">
 					<IconLocked class="size-4 flex-shrink-0 text-amber-600 dark:text-amber-400" />
 					<span class="flex-1 text-xs text-amber-800 dark:text-amber-200">
-						Authentication expired
+						{tokenStatus === "expired" ? "Authentication expired" : "Authentication required"}
 					</span>
 					<button
 						onclick={handleReauthenticate}
 						disabled={isReauthenticating}
 						class="rounded bg-amber-600 px-2 py-0.5 text-xs font-medium text-white hover:bg-amber-700 disabled:opacity-50 dark:bg-amber-500 dark:hover:bg-amber-600"
 					>
-						{isReauthenticating ? "..." : "Re-authenticate"}
+						{isReauthenticating
+							? "..."
+							: tokenStatus === "expired"
+								? "Re-authenticate"
+								: "Authenticate"}
 					</button>
 				</div>
 			</div>
diff --git a/src/lib/services/mcpOAuthService.ts b/src/lib/services/mcpOAuthService.ts
@@ -28,48 +28,25 @@ const FLOW_TIMEOUT_MS = 10 * 60 * 1000; // 10 minutes
 
 /**
  * Discover OAuth server metadata from MCP server URL
- * Checks /.well-known/oauth-authorization-server per RFC 8414
+ * Uses server-side proxy to avoid CORS issues with RFC 9728 discovery
  */
 export async function discoverOAuthMetadata(
 	serverUrl: string
 ): Promise<OAuthServerMetadata | null> {
 	try {
-		const url = new URL(serverUrl);
-		// Per MCP spec: discovery at authorization base URL (server URL with path removed)
-		const wellKnownUrl = `${url.origin}/.well-known/oauth-authorization-server`;
-
-		const response = await fetch(wellKnownUrl, {
-			headers: { Accept: "application/json" },
-			// Short timeout for discovery
-			signal: AbortSignal.timeout(10000),
+		const response = await fetch(`${base}/api/mcp/oauth/discover`, {
+			method: "POST",
+			headers: { "Content-Type": "application/json" },
+			body: JSON.stringify({ url: serverUrl }),
+			signal: AbortSignal.timeout(20000),
 		});
 
-		if (!response.ok) {
-			// Server doesn't support OAuth discovery - not an error
-			return null;
-		}
-
-		const metadata = (await response.json()) as OAuthServerMetadata;
-
-		// Validate required fields per OAuth 2.0 Authorization Server Metadata
-		if (!metadata.authorization_endpoint || !metadata.token_endpoint) {
-			console.warn("OAuth metadata missing required endpoints");
-			return null;
-		}
-
-		// Validate PKCE support (required by MCP OAuth 2.1)
-		if (
-			metadata.code_challenge_methods_supported &&
-			!metadata.code_challenge_methods_supported.includes("S256")
-		) {
-			console.warn("OAuth server does not support required S256 PKCE method");
-			return null;
-		}
+		if (!response.ok) return null;
 
-		return metadata;
+		const data = await response.json();
+		return data.metadata ?? null;
 	} catch (error) {
-		// Discovery failure is not an error - server may not require OAuth
-		console.debug("OAuth discovery failed (server may not require OAuth):", error);
+		console.debug("OAuth discovery failed:", error);
 		return null;
 	}
 }
diff --git a/src/lib/types/McpOAuth.ts b/src/lib/types/McpOAuth.ts
@@ -92,3 +92,15 @@ export interface ClientRegistrationResponse {
 	client_id_issued_at?: number;
 	client_secret_expires_at?: number;
 }
+
+/**
+ * Protected Resource Metadata (RFC 9728)
+ */
+export interface ProtectedResourceMetadata {
+	resource: string;
+	authorization_servers?: string[];
+	scopes_supported?: string[];
+	bearer_methods_supported?: string[];
+	resource_name?: string;
+	resource_documentation?: string;
+}
diff --git a/src/routes/api/mcp/oauth/discover/+server.ts b/src/routes/api/mcp/oauth/discover/+server.ts
@@ -0,0 +1,124 @@
+import type { RequestHandler } from "./$types";
+import { isValidUrl } from "$lib/server/urlSafety";
+
+interface DiscoveryRequest {
+	url: string;
+}
+
+interface OAuthServerMetadata {
+	issuer: string;
+	authorization_endpoint: string;
+	token_endpoint: string;
+	registration_endpoint?: string;
+	scopes_supported?: string[];
+	response_types_supported?: string[];
+	code_challenge_methods_supported?: string[];
+	token_endpoint_auth_methods_supported?: string[];
+	grant_types_supported?: string[];
+}
+
+interface ProtectedResourceMetadata {
+	resource: string;
+	authorization_servers?: string[];
+	scopes_supported?: string[];
+}
+
+function parseResourceMetadataUrl(wwwAuthenticate: string): string | null {
+	const match = wwwAuthenticate.match(/resource_metadata="([^"]+)"/);
+	return match?.[1] ?? null;
+}
+
+async function fetchJson<T>(url: string, signal: AbortSignal): Promise<T | null> {
+	try {
+		const response = await fetch(url, {
+			headers: { Accept: "application/json" },
+			signal,
+		});
+		if (!response.ok) return null;
+		return (await response.json()) as T;
+	} catch {
+		return null;
+	}
+}
+
+async function fetchAuthServerMetadata(
+	issuerUrl: string,
+	signal: AbortSignal
+): Promise<OAuthServerMetadata | null> {
+	const url = new URL(issuerUrl);
+	const wellKnownUrl = `${url.origin}/.well-known/oauth-authorization-server`;
+	const metadata = await fetchJson<OAuthServerMetadata>(wellKnownUrl, signal);
+
+	if (!metadata?.authorization_endpoint || !metadata?.token_endpoint) return null;
+	if (
+		metadata.code_challenge_methods_supported &&
+		!metadata.code_challenge_methods_supported.includes("S256")
+	) {
+		return null;
+	}
+	return metadata;
+}
+
+export const POST: RequestHandler = async ({ request }) => {
+	const controller = new AbortController();
+	const timeoutId = setTimeout(() => controller.abort(), 15000);
+
+	try {
+		const body: DiscoveryRequest = await request.json();
+		const { url } = body;
+
+		if (!url || !isValidUrl(url)) {
+			return new Response(JSON.stringify({ error: "Invalid URL" }), {
+				status: 400,
+				headers: { "Content-Type": "application/json" },
+			});
+		}
+
+		// RFC 9728: Probe the server to get resource_metadata from WWW-Authenticate
+		const probeResponse = await fetch(url, {
+			method: "GET",
+			signal: controller.signal,
+		});
+
+		if (probeResponse.status === 401) {
+			const wwwAuth = probeResponse.headers.get("www-authenticate") ?? "";
+			const prmUrl = parseResourceMetadataUrl(wwwAuth);
+
+			if (prmUrl) {
+				const prm = await fetchJson<ProtectedResourceMetadata>(prmUrl, controller.signal);
+				if (prm?.authorization_servers?.[0]) {
+					const metadata = await fetchAuthServerMetadata(
+						prm.authorization_servers[0],
+						controller.signal
+					);
+					if (metadata) {
+						clearTimeout(timeoutId);
+						return new Response(JSON.stringify({ metadata }), {
+							headers: { "Content-Type": "application/json" },
+						});
+					}
+				}
+			}
+		}
+
+		// Fallback: same-origin well-known
+		const metadata = await fetchAuthServerMetadata(url, controller.signal);
+		clearTimeout(timeoutId);
+
+		if (metadata) {
+			return new Response(JSON.stringify({ metadata }), {
+				headers: { "Content-Type": "application/json" },
+			});
+		}
+
+		return new Response(JSON.stringify({ metadata: null }), {
+			headers: { "Content-Type": "application/json" },
+		});
+	} catch (error) {
+		clearTimeout(timeoutId);
+		return new Response(
+			JSON.stringify({ error: error instanceof Error ? error.message : "Discovery failed" }),
+			{ status: 500, headers: { "Content-Type": "application/json" } }
+		);
+	}
+};
