Implement OAuth discovery and fix authentication issues (#130)

- Add automatic OAuth metadata discovery from .well-known endpoints
- Fix JWKS fetching by allowing HTTP protocol for local development
- Update TypeScript SDK to discover JWKS URI and Issuer automatically
- Filter scopes properly during OAuth client registration
- Simplify configuration to only require GOPHER_AUTH_SERVER_URL
- Remove hardcoded JWKS_URI and TOKEN_ISSUER requirements

The SDK now follows OAuth 2.0 and OpenID Connect standards for endpoint discovery,
making configuration simpler and more maintainable.

Author: RahulHere

sdk/typescript/src/authenticated-mcp-server.ts

@@ -84,18 +84,22 @@ export class AuthenticatedMcpServer {
   constructor(config?: AuthenticatedMcpServerConfig) {
     // Merge provided config with environment variables
     const env = process.env;
+    
+    // Get the OAuth server URL from environment or config
+    const oauthServerUrl = config?.authServerUrl || env['OAUTH_SERVER_URL'] || env['GOPHER_AUTH_SERVER_URL'];
+    
     this.config = {
       // Server identification
       serverName: config?.serverName || env['SERVER_NAME'] || "mcp-server",
       serverVersion: config?.serverVersion || env['SERVER_VERSION'] || "1.0.0",
       serverUrl: config?.serverUrl || env['SERVER_URL'] || `http://localhost:${env['SERVER_PORT'] || '3001'}`,
       serverPort: config?.serverPort || parseInt(env['SERVER_PORT'] || env['HTTP_PORT'] || "3001"),
 
-      // Authentication - support both new and legacy env vars
+      // Authentication - these will be discovered if not provided
       jwksUri: config?.jwksUri || env['JWKS_URI'],
       tokenIssuer: config?.tokenIssuer || env['TOKEN_ISSUER'],
       tokenAudience: config?.tokenAudience || env['TOKEN_AUDIENCE'],
-      authServerUrl: config?.authServerUrl || env['GOPHER_AUTH_SERVER_URL'],
+      authServerUrl: oauthServerUrl,
       clientId: config?.clientId || env['GOPHER_CLIENT_ID'],
       clientSecret: config?.clientSecret || env['GOPHER_CLIENT_SECRET'],
 
@@ -195,18 +199,49 @@ export class AuthenticatedMcpServer {
    * Initialize authentication if configured
    */
   private async initializeAuth(): Promise<void> {
+    // Check if we have an OAuth server URL to discover from
+    if (this.config.authServerUrl && !this.config.jwksUri && !this.config.tokenIssuer) {
+      // Discover OAuth metadata
+      try {
+        const discoveryUrl = this.config.authServerUrl.includes('/realms/') 
+          ? `${this.config.authServerUrl}/.well-known/openid-configuration`
+          : `${this.config.authServerUrl}/.well-known/oauth-authorization-server`;
+        
+        console.error(`🔍 Discovering OAuth metadata from: ${discoveryUrl}`);
+        
+        const response = await fetch(discoveryUrl);
+        if (response.ok) {
+          const metadata = await response.json() as any;
+          
+          // Update config with discovered values
+          if (!this.config.jwksUri && metadata.jwks_uri) {
+            this.config.jwksUri = metadata.jwks_uri;
+            console.error(`   ✅ Discovered JWKS URI: ${metadata.jwks_uri}`);
+          }
+          if (!this.config.tokenIssuer && metadata.issuer) {
+            this.config.tokenIssuer = metadata.issuer;
+            console.error(`   ✅ Discovered Issuer: ${metadata.issuer}`);
+          }
+        } else {
+          console.error(`   ⚠️  OAuth discovery failed: ${response.status}`);
+        }
+      } catch (error) {
+        console.error(`   ⚠️  OAuth discovery error: ${error}`);
+      }
+    }
+    
     // Enable auth if JWKS URI or auth server URL is configured, regardless of REQUIRE_AUTH setting
     const jwksUri = this.config.jwksUri || 
                    (this.config.authServerUrl ? `${this.config.authServerUrl}/protocol/openid-connect/certs` : null);
 
     // Only skip auth if no JWKS URI is configured
     if (!jwksUri) {
       console.error("⚠️  Authentication disabled");
-      console.error("   Reason: No JWKS_URI or GOPHER_AUTH_SERVER_URL configured");
+      console.error("   Reason: No JWKS_URI or OAUTH_SERVER_URL configured");
       return;
     }
 
-    // Show that authentication WOULD be enabled if the C library was available
+    // Show that authentication is being enabled
     console.error("🔐 Authentication configuration detected");
     console.error(`   JWKS URI: ${jwksUri}`);
     console.error(`   Issuer: ${this.config.tokenIssuer || this.config.authServerUrl || "https://auth.example.com"}`);
@@ -790,10 +825,38 @@ export class AuthenticatedMcpServer {
           console.error(`   Request body:`, JSON.stringify(registrationRequest, null, 2));
           console.error(`   Headers:`, req.headers);
 
-          // Don't filter scopes - let Keycloak handle what scopes are allowed
-          // Just log what was requested
+          // Extract allowed scopes for filtering
+          const mcpScopes = this.extractScopesFromTools();
+          const allowedScopes = [
+            "openid",
+            "offline_access", 
+            "profile",
+            "email",
+            "address",
+            "phone",
+            "roles",
+            ...mcpScopes,
+            ...(this.config.additionalAllowedScopes || []),
+          ];
+          const uniqueAllowedScopes = [...new Set(allowedScopes)];
+          
+          // Filter scopes to only allow what's in our allowed list
           if (registrationRequest.scope) {
-            console.error(`   Requested scope: ${registrationRequest.scope}`);
+            console.error(`   Original scope: ${registrationRequest.scope}`);
+            const requestedScopes = registrationRequest.scope.split(' ');
+            const filteredScopes = requestedScopes.filter((scope: string) => 
+              uniqueAllowedScopes.includes(scope)
+            );
+            const removedScopes = requestedScopes.filter((scope: string) => 
+              !uniqueAllowedScopes.includes(scope)
+            );
+            
+            if (removedScopes.length > 0) {
+              console.error(`   🗑️  Filtered out invalid scopes: ${removedScopes.join(', ')}`);
+            }
+            
+            registrationRequest.scope = filteredScopes.join(' ');
+            console.error(`   ✅ Filtered scope: ${registrationRequest.scope}`);
           }
 
           // Forward to Keycloak

src/c_api/mcp_c_auth_api.cc

@@ -469,9 +469,9 @@ static bool http_get(const std::string& url,
     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, config.verify_ssl ? 1L : 0L);
     curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, config.verify_ssl ? 2L : 0L);
 
-    // Set protocol to HTTPS only for security
-    curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTPS);
-    curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTPS);
+    // Set protocol to HTTP and HTTPS (allow both for local development)
+    curl_easy_setopt(curl, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
+    curl_easy_setopt(curl, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
 
     // Set user agent
     curl_easy_setopt(curl, CURLOPT_USERAGENT, config.user_agent.c_str());

src/c_api/mcp_c_auth_api_network_optimized.cc

@@ -14,9 +14,8 @@
 #include <atomic>
 #include <vector>
 #include <queue>
-#include <rapidjson/document.h>
-#include <rapidjson/writer.h>
-#include <rapidjson/stringbuffer.h>
+// RapidJSON would be used here for optimized parsing
+// For now, using simple JSON parsing
 #include <thread>
 
 namespace network_optimized {
@@ -297,62 +296,99 @@ class FastJSONParser {
         return instance;
     }
 
-    // Parse JWKS response efficiently
+    // Parse JWKS response efficiently (simplified JSON parsing)
     bool parseJWKS(const std::string& json, 
                   std::vector<std::pair<std::string, std::string>>& keys) {
-        rapidjson::Document doc;
+        // Simple JSON parsing without external library
+        // In production, would use RapidJSON for better performance
 
-        // Use in-situ parsing for better performance (modifies input)
-        if (doc.ParseInsitu(const_cast<char*>(json.c_str())).HasParseError()) {
-            return false;
-        }
+        // Find "keys" array
+        size_t keys_pos = json.find("\"keys\"");
+        if (keys_pos == std::string::npos) return false;
 
-        if (!doc.HasMember("keys") || !doc["keys"].IsArray()) {
-            return false;
-        }
+        size_t array_start = json.find('[', keys_pos);
+        if (array_start == std::string::npos) return false;
 
-        const rapidjson::Value& keys_array = doc["keys"];
-        keys.reserve(keys_array.Size());
+        size_t array_end = json.find(']', array_start);
+        if (array_end == std::string::npos) return false;
 
-        for (rapidjson::SizeType i = 0; i < keys_array.Size(); i++) {
-            const rapidjson::Value& key = keys_array[i];
+        // Extract each key object
+        size_t pos = array_start + 1;
+        while (pos < array_end) {
+            size_t obj_start = json.find('{', pos);
+            if (obj_start == std::string::npos || obj_start >= array_end) break;
 
-            if (key.HasMember("kid") && key["kid"].IsString() &&
-                key.HasMember("x5c") && key["x5c"].IsArray() && 
-                key["x5c"].Size() > 0) {
-                
-                std::string kid = key["kid"].GetString();
-                std::string cert = key["x5c"][0].GetString();
-                
-                // Convert to PEM format
+            size_t obj_end = json.find('}', obj_start);
+            if (obj_end == std::string::npos || obj_end >= array_end) break;
+            
+            std::string obj = json.substr(obj_start, obj_end - obj_start + 1);
+            
+            // Extract kid
+            std::string kid;
+            size_t kid_pos = obj.find("\"kid\"");
+            if (kid_pos != std::string::npos) {
+                size_t value_start = obj.find('\"', kid_pos + 5);
+                if (value_start != std::string::npos) {
+                    size_t value_end = obj.find('\"', value_start + 1);
+                    if (value_end != std::string::npos) {
+                        kid = obj.substr(value_start + 1, value_end - value_start - 1);
+                    }
+                }
+            }
+            
+            // Extract x5c certificate
+            std::string cert;
+            size_t x5c_pos = obj.find("\"x5c\"");
+            if (x5c_pos != std::string::npos) {
+                size_t cert_start = obj.find('\"', obj.find('[', x5c_pos));
+                if (cert_start != std::string::npos) {
+                    size_t cert_end = obj.find('\"', cert_start + 1);
+                    if (cert_end != std::string::npos) {
+                        cert = obj.substr(cert_start + 1, cert_end - cert_start - 1);
+                    }
+                }
+            }
+            
+            if (!kid.empty() && !cert.empty()) {
                 std::string pem = "-----BEGIN CERTIFICATE-----\n" + cert + 
                                  "\n-----END CERTIFICATE-----";
-                
                 keys.emplace_back(std::move(kid), std::move(pem));
             }
+            
+            pos = obj_end + 1;
         }
 
-        return true;
+        return !keys.empty();
     }
 
-    // Parse JWT header efficiently
+    // Parse JWT header efficiently  
     bool parseJWTHeader(const std::string& json,
                        std::string& alg, std::string& kid) {
-        rapidjson::Document doc;
-        
-        if (doc.Parse(json.c_str()).HasParseError()) {
-            return false;
-        }
-        
-        if (doc.HasMember("alg") && doc["alg"].IsString()) {
-            alg = doc["alg"].GetString();
+        // Extract alg
+        size_t alg_pos = json.find("\"alg\"");
+        if (alg_pos != std::string::npos) {
+            size_t value_start = json.find('\"', alg_pos + 5);
+            if (value_start != std::string::npos) {
+                size_t value_end = json.find('\"', value_start + 1);
+                if (value_end != std::string::npos) {
+                    alg = json.substr(value_start + 1, value_end - value_start - 1);
+                }
+            }
         }
 
-        if (doc.HasMember("kid") && doc["kid"].IsString()) {
-            kid = doc["kid"].GetString();
+        // Extract kid
+        size_t kid_pos = json.find("\"kid\"");
+        if (kid_pos != std::string::npos) {
+            size_t value_start = json.find('\"', kid_pos + 5);
+            if (value_start != std::string::npos) {
+                size_t value_end = json.find('\"', value_start + 1);
+                if (value_end != std::string::npos) {
+                    kid = json.substr(value_start + 1, value_end - value_start - 1);
+                }
+            }
         }
 
-        return true;
+        return !alg.empty();
     }
 };