Feat: Separate authorization server and resource server on client auth flow (#416)

* add type and schema for protected resource metadata

* add private variable to keep track of
authorization server url to avoid fetching Protected Resource Metadata every time

* change auth flow to use authroization server and
add function to discover protected resource metadata

* add/modify tests for new added auth functions

* modify test to use the authorization server

* remove unused variable

* add resource parameter when building auth url

* Change resource to use the protected resource metadata

* resolve typo.

Co-authored-by: Paul Carleton <[email protected]>

* Update src/client/sse.ts import.

Co-authored-by: Paul Carleton <[email protected]>

* remove log.

Co-authored-by: Paul Carleton <[email protected]>

* Update section title.

Co-authored-by: Paul Carleton <[email protected]>

* remove log.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* remove resource parameter.

Co-authored-by: Paul Carleton <[email protected]>

* make backwards compatibile

* s/resourceServerUrl/serverUrl/g for backwards compat

* fix test comment

---------

Co-authored-by: itsuki <[email protected]>
Co-authored-by: Paul Carleton <[email protected]>
Co-authored-by: Paul Carleton <[email protected]>

Author: 3 people

src/client/auth.test.ts

@@ -4,6 +4,10 @@ import {
   exchangeAuthorization,
   refreshAuthorization,
   registerClient,
+  discoverOAuthProtectedResourceMetadata,
+  extractResourceMetadataUrl,
+  auth,
+  type OAuthClientProvider,
 } from "./auth.js";
 
 // Mock fetch globally
@@ -15,6 +19,165 @@ describe("OAuth Authorization", () => {
     mockFetch.mockReset();
   });
 
+  describe("extractResourceMetadataUrl", () => {
+    it("returns resource metadata url when present", async () => {
+      const resourceUrl = "https://resource.example.com/.well-known/oauth-protected-resource"
+      const mockResponse = {
+        headers: {
+          get: jest.fn((name) => name === "WWW-Authenticate" ? `Bearer realm="mcp", resource_metadata="${resourceUrl}"` : null),
+        }
+      } as unknown as Response
+
+      expect(extractResourceMetadataUrl(mockResponse)).toEqual(new URL(resourceUrl));
+    });
+
+    it("returns undefined if not bearer", async () => {
+      const resourceUrl = "https://resource.example.com/.well-known/oauth-protected-resource"
+      const mockResponse = {
+        headers: {
+          get: jest.fn((name) => name === "WWW-Authenticate" ? `Basic realm="mcp", resource_metadata="${resourceUrl}"` : null),
+        }
+      } as unknown as Response
+
+      expect(extractResourceMetadataUrl(mockResponse)).toBeUndefined();
+    });
+
+    it("returns undefined if resource_metadata not present", async () => {
+      const mockResponse = {
+        headers: {
+          get: jest.fn((name) => name === "WWW-Authenticate" ? `Basic realm="mcp"` : null),
+        }
+      } as unknown as Response
+
+      expect(extractResourceMetadataUrl(mockResponse)).toBeUndefined();
+    });
+
+    it("returns undefined on invalid url", async () => {
+      const resourceUrl = "invalid-url"
+      const mockResponse = {
+        headers: {
+          get: jest.fn((name) => name === "WWW-Authenticate" ? `Basic realm="mcp", resource_metadata="${resourceUrl}"` : null),
+        }
+      } as unknown as Response
+
+      expect(extractResourceMetadataUrl(mockResponse)).toBeUndefined();
+    });
+  });
+
+  describe("discoverOAuthProtectedResourceMetadata", () => {
+    const validMetadata = {
+      resource: "https://resource.example.com",
+      authorization_servers: ["https://auth.example.com"],
+    };
+
+    it("returns metadata when discovery succeeds", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => validMetadata,
+      });
+
+      const metadata = await discoverOAuthProtectedResourceMetadata("https://resource.example.com");
+      expect(metadata).toEqual(validMetadata);
+      const calls = mockFetch.mock.calls;
+      expect(calls.length).toBe(1);
+      const [url] = calls[0];
+      expect(url.toString()).toBe("https://resource.example.com/.well-known/oauth-protected-resource");
+    });
+
+    it("returns metadata when first fetch fails but second without MCP header succeeds", async () => {
+      // Set up a counter to control behavior
+      let callCount = 0;
+
+      // Mock implementation that changes behavior based on call count
+      mockFetch.mockImplementation((_url, _options) => {
+        callCount++;
+
+        if (callCount === 1) {
+          // First call with MCP header - fail with TypeError (simulating CORS error)
+          // We need to use TypeError specifically because that's what the implementation checks for
+          return Promise.reject(new TypeError("Network error"));
+        } else {
+          // Second call without header - succeed
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => validMetadata
+          });
+        }
+      });
+
+      // Should succeed with the second call
+      const metadata = await discoverOAuthProtectedResourceMetadata("https://resource.example.com");
+      expect(metadata).toEqual(validMetadata);
+
+      // Verify both calls were made
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+
+      // Verify first call had MCP header
+      expect(mockFetch.mock.calls[0][1]?.headers).toHaveProperty("MCP-Protocol-Version");
+    });
+
+    it("throws an error when all fetch attempts fail", async () => {
+      // Set up a counter to control behavior
+      let callCount = 0;
+
+      // Mock implementation that changes behavior based on call count
+      mockFetch.mockImplementation((_url, _options) => {
+        callCount++;
+
+        if (callCount === 1) {
+          // First call - fail with TypeError
+          return Promise.reject(new TypeError("First failure"));
+        } else {
+          // Second call - fail with different error
+          return Promise.reject(new Error("Second failure"));
+        }
+      });
+
+      // Should fail with the second error
+      await expect(discoverOAuthProtectedResourceMetadata("https://resource.example.com"))
+        .rejects.toThrow("Second failure");
+
+      // Verify both calls were made
+      expect(mockFetch).toHaveBeenCalledTimes(2);
+    });
+
+    it("throws on 404 errors", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+      });
+
+      await expect(discoverOAuthProtectedResourceMetadata("https://resource.example.com"))
+        .rejects.toThrow("Resource server does not implement OAuth 2.0 Protected Resource Metadata.");
+    });
+
+    it("throws on non-404 errors", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+      });
+
+      await expect(discoverOAuthProtectedResourceMetadata("https://resource.example.com"))
+        .rejects.toThrow("HTTP 500");
+    });
+
+    it("validates metadata schema", async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        status: 200,
+        json: async () => ({
+          // Missing required fields
+          scopes_supported: ["email", "mcp"],
+        }),
+      });
+
+      await expect(discoverOAuthProtectedResourceMetadata("https://resource.example.com"))
+        .rejects.toThrow();
+    });
+  });
+
   describe("discoverOAuthMetadata", () => {
     const validMetadata = {
       issuer: "https://auth.example.com",
@@ -158,6 +321,7 @@ describe("OAuth Authorization", () => {
       const { authorizationUrl, codeVerifier } = await startAuthorization(
         "https://auth.example.com",
         {
+          metadata: undefined,
           clientInformation: validClientInfo,
           redirectUrl: "http://localhost:3000/callback",
         }
@@ -503,4 +667,101 @@ describe("OAuth Authorization", () => {
       ).rejects.toThrow("Dynamic client registration failed");
     });
   });
+
+  describe("auth function", () => {
+    const mockProvider: OAuthClientProvider = {
+      get redirectUrl() { return "http://localhost:3000/callback"; },
+      get clientMetadata() {
+        return {
+          redirect_uris: ["http://localhost:3000/callback"],
+          client_name: "Test Client",
+        };
+      },
+      clientInformation: jest.fn(),
+      tokens: jest.fn(),
+      saveTokens: jest.fn(),
+      redirectToAuthorization: jest.fn(),
+      saveCodeVerifier: jest.fn(),
+      codeVerifier: jest.fn(),
+    };
+
+    beforeEach(() => {
+      jest.clearAllMocks();
+    });
+
+    it("falls back to /.well-known/oauth-authorization-server when no protected-resource-metadata", async () => {
+      // Setup: First call to protected resource metadata fails (404)
+      // Second call to auth server metadata succeeds
+      let callCount = 0;
+      mockFetch.mockImplementation((url) => {
+        callCount++;
+
+        const urlString = url.toString();
+
+        if (callCount === 1 && urlString.includes("/.well-known/oauth-protected-resource")) {
+          // First call - protected resource metadata fails with 404
+          return Promise.resolve({
+            ok: false,
+            status: 404,
+          });
+        } else if (callCount === 2 && urlString.includes("/.well-known/oauth-authorization-server")) {
+          // Second call - auth server metadata succeeds
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              issuer: "https://auth.example.com",
+              authorization_endpoint: "https://auth.example.com/authorize",
+              token_endpoint: "https://auth.example.com/token",
+              registration_endpoint: "https://auth.example.com/register",
+              response_types_supported: ["code"],
+              code_challenge_methods_supported: ["S256"],
+            }),
+          });
+        } else if (callCount === 3 && urlString.includes("/register")) {
+          // Third call - client registration succeeds
+          return Promise.resolve({
+            ok: true,
+            status: 200,
+            json: async () => ({
+              client_id: "test-client-id",
+              client_secret: "test-client-secret",
+              client_id_issued_at: 1612137600,
+              client_secret_expires_at: 1612224000,
+              redirect_uris: ["http://localhost:3000/callback"],
+              client_name: "Test Client",
+            }),
+          });
+        }
+
+        return Promise.reject(new Error(`Unexpected fetch call: ${urlString}`));
+      });
+
+      // Mock provider methods
+      (mockProvider.clientInformation as jest.Mock).mockResolvedValue(undefined);
+      (mockProvider.tokens as jest.Mock).mockResolvedValue(undefined);
+      mockProvider.saveClientInformation = jest.fn();
+
+      // Call the auth function
+      const result = await auth(mockProvider, {
+        serverUrl: "https://resource.example.com",
+      });
+
+      // Verify the result
+      expect(result).toBe("REDIRECT");
+
+      // Verify the sequence of calls
+      expect(mockFetch).toHaveBeenCalledTimes(3);
+
+      // First call should be to protected resource metadata
+      expect(mockFetch.mock.calls[0][0].toString()).toBe(
+        "https://resource.example.com/.well-known/oauth-protected-resource"
+      );
+
+      // Second call should be to oauth metadata
+      expect(mockFetch.mock.calls[1][0].toString()).toBe(
+        "https://resource.example.com/.well-known/oauth-authorization-server"
+      );
+    });
+  });
 });