WIP dynamic client registration

jspahrsummers · jspahrsummers · commit db517069835f · 2025-02-16T20:07:30.000Z
diff --git a/src/client/auth.ts b/src/client/auth.ts
@@ -1,6 +1,8 @@
 import pkceChallenge from "pkce-challenge";
 import { z } from "zod";
 import { LATEST_PROTOCOL_VERSION } from "../types.js";
+import type { OAuthClientMetadata, OAuthClientInformation } from "../shared/auth.js";
+import { OAuthClientInformationSchema } from "../shared/auth.js";
 
 export const OAuthMetadataSchema = z
   .object({
@@ -43,43 +45,9 @@ export const OAuthTokensSchema = z
   })
   .strip();
 
-/**
- * Client metadata schema according to RFC 7591 OAuth 2.0 Dynamic Client Registration
- */
-export const OAuthClientMetadataSchema = z.object({
-  redirect_uris: z.array(z.string()),
-  token_endpoint_auth_method: z.string().optional(),
-  grant_types: z.array(z.string()).optional(),
-  response_types: z.array(z.string()).optional(),
-  client_name: z.string().optional(),
-  client_uri: z.string().optional(),
-  logo_uri: z.string().optional(),
-  scope: z.string().optional(),
-  contacts: z.array(z.string()).optional(),
-  tos_uri: z.string().optional(),
-  policy_uri: z.string().optional(),
-  jwks_uri: z.string().optional(),
-  jwks: z.any().optional(),
-  software_id: z.string().optional(),
-  software_version: z.string().optional(),
-}).passthrough();
-
-/**
- * Client information response schema according to RFC 7591
- */
-export const OAuthClientInformationSchema = z.object({
-  client_id: z.string(),
-  client_secret: z.string().optional(),
-  client_id_issued_at: z.number().optional(),
-  client_secret_expires_at: z.number().optional(),
-}).passthrough();
-
 export type OAuthMetadata = z.infer<typeof OAuthMetadataSchema>;
 export type OAuthTokens = z.infer<typeof OAuthTokensSchema>;
 
-export type OAuthClientMetadata = z.infer<typeof OAuthClientMetadataSchema>;
-export type OAuthClientInformation = z.infer<typeof OAuthClientInformationSchema>;
-
 /**
  * Implements an end-to-end OAuth client to be used with one MCP server.
  * 
diff --git a/src/server/auth.ts b/src/server/auth.ts
@@ -0,0 +1,328 @@
+import {
+  OAuthClientInformation,
+  OAuthClientMetadata,
+  OAuthClientMetadataSchema,
+  ClientRegistrationError
+} from "../shared/auth.js";
+
+/**
+ * OAuth 2.0 Client Registration Provider interface.
+ * Implementations provide storage and lifecycle management for OAuth clients.
+ */
+export interface OAuthClientRegistrationProvider {
+  /**
+   * Store a new client registration.
+   * @param metadata The client metadata to register
+   * @returns The client information including the assigned client_id
+   */
+  registerClient(metadata: OAuthClientMetadata): Promise<OAuthClientInformation>;
+  
+  /**
+   * Retrieve client information by client_id.
+   * @param clientId The client_id to look up
+   * @returns The client information or null if not found
+   */
+  getClient(clientId: string): Promise<OAuthClientInformation | null>;
+  
+  /**
+   * Update an existing client registration.
+   * @param clientId The client_id to update
+   * @param metadata The updated client metadata
+   * @returns The updated client information
+   */
+  updateClient(clientId: string, metadata: OAuthClientMetadata): Promise<OAuthClientInformation>;
+  
+  /**
+   * Delete a client registration.
+   * @param clientId The client_id to delete
+   * @returns true if the client was deleted, false if not found
+   */
+  deleteClient(clientId: string): Promise<boolean>;
+}
+
+/**
+ * In-memory implementation of OAuthClientRegistrationProvider.
+ * Useful for development and testing.
+ */
+export class InMemoryClientRegistrationProvider implements OAuthClientRegistrationProvider {
+  private clients: Map<string, {
+    metadata: OAuthClientMetadata;
+    info: OAuthClientInformation;
+  }> = new Map();
+  
+  private generateClientId(): string {
+    return `client_${Math.random().toString(36).substring(2, 15)}`;
+  }
+  
+  async registerClient(metadata: OAuthClientMetadata): Promise<OAuthClientInformation> {
+    // Generate a client_id and optional client_secret
+    const clientId = this.generateClientId();
+    const clientSecret = metadata.token_endpoint_auth_method === "none" 
+      ? undefined 
+      : `secret_${Math.random().toString(36).substring(2, 15)}`;
+    
+    const now = Math.floor(Date.now() / 1000);
+    
+    const clientInfo: OAuthClientInformation = {
+      client_id: clientId,
+      client_id_issued_at: now,
+      ...clientSecret && { 
+        client_secret,
+        client_secret_expires_at: 0 // Never expires
+      }
+    };
+    
+    this.clients.set(clientId, {
+      metadata,
+      info: clientInfo
+    });
+    
+    return clientInfo;
+  }
+  
+  async getClient(clientId: string): Promise<OAuthClientInformation | null> {
+    const client = this.clients.get(clientId);
+    return client ? client.info : null;
+  }
+  
+  async updateClient(clientId: string, metadata: OAuthClientMetadata): Promise<OAuthClientInformation> {
+    const client = this.clients.get(clientId);
+    if (!client) {
+      throw new Error(`Client ${clientId} not found`);
+    }
+    
+    // Update metadata but keep the same client_id and secret
+    this.clients.set(clientId, {
+      metadata,
+      info: client.info
+    });
+    
+    return client.info;
+  }
+  
+  async deleteClient(clientId: string): Promise<boolean> {
+    return this.clients.delete(clientId);
+  }
+}
+
+/**
+ * RFC 7591 Client Registration options.
+ */
+export interface ClientRegistrationOptions {
+  /**
+   * The provider that handles client registration storage.
+   */
+  provider: OAuthClientRegistrationProvider;
+  
+  /**
+   * Optional function to validate client metadata beyond the basic schema validation.
+   * Return true to accept, or throw an error with details about the rejection.
+   */
+  validateMetadata?: (metadata: OAuthClientMetadata) => Promise<boolean>;
+  
+  /**
+   * Initial access token validator function.
+   * If provided, requests to the registration endpoint must include a valid token.
+   * @param token The bearer token from the Authorization header
+   * @returns true if the token is valid, false otherwise
+   */
+  validateInitialAccessToken?: (token: string) => Promise<boolean>;
+}
+
+
+/**
+ * Client registration configuration information for the .well-known/oauth-authorization-server endpoint.
+ */
+export interface RegistrationEndpointConfig {
+  registration_endpoint: string;
+  registration_endpoint_auth_methods_supported?: string[];
+  require_initial_access_token?: boolean;
+}
+
+/**
+ * RFC 7591 handler for registering OAuth clients.
+ * This implements the server-side logic for the Dynamic Client Registration Protocol.
+ */
+export class ClientRegistrationHandler {
+  private options: ClientRegistrationOptions;
+  
+  constructor(options: ClientRegistrationOptions) {
+    this.options = options;
+  }
+  
+  /**
+   * Handle a client registration request.
+   * 
+   * @param metadata The client metadata from the request
+   * @param authHeader Optional Authorization header value (for initial access token)
+   * @returns Client information or error response
+   */
+  async handleRegistration(
+    metadata: unknown,
+    authHeader?: string
+  ): Promise<OAuthClientInformation | ClientRegistrationError> {
+    // Validate initial access token if required
+    if (this.options.validateInitialAccessToken) {
+      if (!authHeader) {
+        return {
+          error: "invalid_client",
+          error_description: "Initial access token required"
+        };
+      }
+      
+      const match = /^Bearer\s+(.+)$/.exec(authHeader);
+      if (!match) {
+        return {
+          error: "invalid_client",
+          error_description: "Invalid authorization header format, expected 'Bearer TOKEN'"
+        };
+      }
+      
+      const token = match[1];
+      const isValid = await this.options.validateInitialAccessToken(token);
+      if (!isValid) {
+        return {
+          error: "invalid_token",
+          error_description: "Invalid initial access token"
+        };
+      }
+    }
+    
+    // Validate metadata against the schema
+    const result = OAuthClientMetadataSchema.safeParse(metadata);
+    
+    if (!result.success) {
+      return {
+        error: "invalid_client_metadata",
+        error_description: `Invalid client metadata: ${result.error.message}`
+      };
+    }
+    
+    const validatedMetadata = result.data;
+    
+    // Additional custom validation if provided
+    if (this.options.validateMetadata) {
+      try {
+        await this.options.validateMetadata(validatedMetadata);
+      } catch (error) {
+        return {
+          error: "invalid_client_metadata",
+          error_description: error instanceof Error 
+            ? error.message 
+            : "Client metadata validation failed"
+        };
+      }
+    }
+    
+    try {
+      // Register the client
+      const clientInfo = await this.options.provider.registerClient(validatedMetadata);
+      return clientInfo;
+    } catch (error) {
+      return {
+        error: "server_error",
+        error_description: error instanceof Error
+          ? error.message
+          : "Failed to register client"
+      };
+    }
+  }
+  
+  /**
+   * Handle a client update request.
+   * 
+   * @param clientId The client_id to update
+   * @param metadata The updated client metadata
+   * @param authHeader Authorization header value for client authentication
+   * @returns Updated client information or error response
+   */
+  async handleUpdate(
+    clientId: string,
+    metadata: unknown,
+    _authHeader: string
+  ): Promise<OAuthClientInformation | ClientRegistrationError> {
+    // TODO: Implement client authentication validation
+    
+    // Validate metadata
+    const result = OAuthClientMetadataSchema.safeParse(metadata);
+    
+    if (!result.success) {
+      return {
+        error: "invalid_client_metadata",
+        error_description: `Invalid client metadata: ${result.error.message}`
+      };
+    }
+    
+    const validatedMetadata = result.data;
+    
+    // Additional custom validation if provided
+    if (this.options.validateMetadata) {
+      try {
+        await this.options.validateMetadata(validatedMetadata);
+      } catch (error) {
+        return {
+          error: "invalid_client_metadata",
+          error_description: error instanceof Error 
+            ? error.message 
+            : "Client metadata validation failed"
+        };
+      }
+    }
+    
+    try {
+      // Verify client exists first
+      const existingClient = await this.options.provider.getClient(clientId);
+      if (!existingClient) {
+        return {
+          error: "invalid_client",
+          error_description: "Client not found"
+        };
+      }
+      
+      // Update the client
+      const clientInfo = await this.options.provider.updateClient(clientId, validatedMetadata);
+      return clientInfo;
+    } catch (error) {
+      return {
+        error: "server_error",
+        error_description: error instanceof Error
+          ? error.message
+          : "Failed to update client"
+      };
+    }
+  }
+  
+  /**
+   * Handle a client deletion request.
+   * 
+   * @param clientId The client_id to delete
+   * @param authHeader Authorization header value for client authentication
+   * @returns Success message or error response
+   */
+  async handleDelete(
+    clientId: string,
+    _authHeader: string
+  ): Promise<{ success: true } | ClientRegistrationError> {
+    // TODO: Implement client authentication validation
+    
+    try {
+      const success = await this.options.provider.deleteClient(clientId);
+      
+      if (!success) {
+        return {
+          error: "invalid_client",
+          error_description: "Client not found"
+        };
+      }
+      
+      return { success: true };
+    } catch (error) {
+      return {
+        error: "server_error",
+        error_description: error instanceof Error
+          ? error.message
+          : "Failed to delete client"
+      };
+    }
+  }
+}
diff --git a/src/shared/auth.ts b/src/shared/auth.ts
