feat: add authorization handler to inject openid scope if missing, return scope in DCR response (#32)

Author: kosmoz

.vscode/launch.json

@@ -0,0 +1,15 @@
+{
+  // Use IntelliSense to learn about possible attributes.
+  // Hover to view descriptions of existing attributes.
+  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "MCP Gateway",
+      "type": "go",
+      "request": "launch",
+      "mode": "auto",
+      "program": "${workspaceFolder}"
+    }
+  ]
+}

config/config.go

@@ -20,6 +20,7 @@ type Config struct {
 type Authorization struct {
 	Server                           string `yaml:"server" json:"server"`
 	ServerMetadataProxyEnabled       bool   `yaml:"serverMetadataProxyEnabled" json:"serverMetadataProxyEnabled"`
+	AuthorizationProxyEnabled        bool   `yaml:"authorizationProxyEnabled" json:"authorizationProxyEnabled"`
 	DynamicClientRegistrationEnabled bool   `yaml:"dynamicClientRegistrationEnabled" json:"dynamicClientRegistrationEnabled"`
 }
 

examples/who-am-i/config.yaml

@@ -1,6 +1,7 @@
 host: http://localhost:9000/
 authorization:
   server: http://dex:5556/
+  authorizationProxyEnabled: true
   serverMetadataProxyEnabled: true
   dynamicClientRegistrationEnabled: true
 dexGRPCClient:

oauth/authorization.go

@@ -0,0 +1,42 @@
+package oauth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"net/url"
+	"slices"
+	"strings"
+
+	"github.com/hyprmcp/mcp-gateway/config"
+)
+
+const AuthorizationPath = "/oauth/authorize"
+
+func NewAuthorizationHandler(config *config.Config, meta map[string]any) (http.Handler, error) {
+	supportedScopes := getSupportedScopes(meta)
+	var requiredScopes = slices.DeleteFunc(
+		[]string{"openid", "profile", "email"},
+		func(s string) bool { return !slices.Contains(supportedScopes, s) },
+	)
+
+	if authorizationEndpointStr, ok := meta["authorization_endpoint"].(string); !ok {
+		return nil, errors.New("authorization metadata is missing authorization_endpoint field")
+	} else if _, err := url.Parse(authorizationEndpointStr); err != nil {
+		return nil, fmt.Errorf("could not parse authorization endpoint: %w", err)
+	} else {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			redirectURI, _ := url.Parse(authorizationEndpointStr)
+			q := r.URL.Query()
+			scopes := q.Get("scope")
+			for _, scope := range requiredScopes {
+				if !strings.Contains(scopes, scope) {
+					scopes = strings.TrimSpace(scopes + " " + scope)
+				}
+			}
+			q.Set("scope", scopes)
+			redirectURI.RawQuery = q.Encode()
+			http.Redirect(w, r, redirectURI.String(), http.StatusFound)
+		}), nil
+	}
+}

oauth/authorization_server_metadata.go

@@ -22,12 +22,22 @@ func NewAuthorizationServerMetadataHandler(config *config.Config) http.Handler {
 			http.Error(w, "Failed to retrieve authorization server metadata", http.StatusInternalServerError)
 		}
 
-		if _, ok := metadata["registration_endpoint"]; !ok {
-			registrationURL, _ := url.Parse(config.Host.String())
-			registrationURL.Path = DynamicClientRegistrationPath
-			metadata["registration_endpoint"] = registrationURL.String()
-			log.Get(r.Context()).Info("Adding registration endpoint to authorization server metadata",
-				"url", metadata["registration_endpoint"])
+		if config.Authorization.DynamicClientRegistrationEnabled {
+			if _, ok := metadata["registration_endpoint"]; !ok {
+				registrationURI, _ := url.Parse(config.Host.String())
+				registrationURI.Path = DynamicClientRegistrationPath
+				metadata["registration_endpoint"] = registrationURI.String()
+				log.Get(r.Context()).Info("Adding registration endpoint to authorization server metadata",
+					"url", metadata["registration_endpoint"])
+			}
+		}
+
+		if config.Authorization.AuthorizationProxyEnabled {
+			authorizationURI, _ := url.Parse(config.Host.String())
+			authorizationURI.Path = AuthorizationPath
+			metadata["authorization_endpoint"] = authorizationURI.String()
+			log.Get(r.Context()).Info("Adding authorization endpoint to authorization server metadata",
+				"url", metadata["authorization_endpoint"])
 		}
 
 		w.Header().Set("Content-Type", "application/json")

oauth/dynamic_client_registration.go

@@ -4,6 +4,8 @@ import (
 	"crypto/rand"
 	"encoding/json"
 	"net/http"
+	"slices"
+	"strings"
 
 	"github.com/dexidp/dex/api/v2"
 	"github.com/hyprmcp/mcp-gateway/config"
@@ -21,9 +23,10 @@ type ClientInformation struct {
 	ClientName            string   `json:"client_name,omitempty"`
 	RedirectURIs          []string `json:"redirect_uris"`
 	LogoURI               string   `json:"logo_uri,omitempty"`
+	Scope                 string   `json:"scope,omitempty"`
 }
 
-func NewDynamicClientRegistrationHandler(config *config.Config) (http.Handler, error) {
+func NewDynamicClientRegistrationHandler(config *config.Config, meta map[string]any) (http.Handler, error) {
 	grpcClient, err := grpc.NewClient(
 		config.DexGRPCClient.Addr,
 		grpc.WithTransportCredentials(insecure.NewCredentials()),
@@ -61,13 +64,19 @@ func NewDynamicClientRegistrationHandler(config *config.Config) (http.Handler, e
 		w.WriteHeader(http.StatusCreated)
 		w.Header().Set("Content-Type", "application/json")
 
-		err = json.NewEncoder(w).Encode(ClientInformation{
+		resp := ClientInformation{
 			ClientID:     clientResponse.Client.Id,
 			ClientSecret: clientResponse.Client.Secret,
 			ClientName:   clientResponse.Client.Name,
 			RedirectURIs: clientResponse.Client.RedirectUris,
 			LogoURI:      clientResponse.Client.LogoUrl,
-		})
+		}
+
+		if scopesSupported := getSupportedScopes(meta); len(scopesSupported) > 0 {
+			resp.Scope = strings.Join(scopesSupported, " ")
+		}
+
+		err = json.NewEncoder(w).Encode(resp)
 		if err != nil {
 			log.Get(r.Context()).Error(err, "Failed to encode response")
 		}
@@ -79,3 +88,18 @@ func NewDynamicClientRegistrationHandler(config *config.Config) (http.Handler, e
 func genRandom() string {
 	return rand.Text()
 }
+
+func getSupportedScopes(meta map[string]any) []string {
+	if scopesSupported, ok := meta["scopes_supported"].([]any); ok {
+		scopesSupportedStr := make([]string, 0, len(scopesSupported))
+		for _, v := range scopesSupported {
+			if s, ok := v.(string); ok {
+				scopesSupportedStr = append(scopesSupportedStr, s)
+			}
+		}
+
+		return slices.Clip(scopesSupportedStr)
+	}
+
+	return nil
+}

oauth/oauth.go

@@ -17,8 +17,9 @@ import (
 )
 
 type Manager struct {
-	jwkSet jwk.Set
-	config *config.Config
+	jwkSet         jwk.Set
+	config         *config.Config
+	authServerMeta map[string]any
 }
 
 func NewManager(ctx context.Context, config *config.Config) (*Manager, error) {
@@ -35,7 +36,7 @@ func NewManager(ctx context.Context, config *config.Config) (*Manager, error) {
 	} else if s, err := cache.CachedSet(jwksURI); err != nil {
 		return nil, fmt.Errorf("jwks cache set error: %w", err)
 	} else {
-		return &Manager{jwkSet: s, config: config}, nil
+		return &Manager{jwkSet: s, config: config, authServerMeta: meta}, nil
 	}
 }
 
@@ -47,14 +48,22 @@ func (mgr *Manager) Register(mux *http.ServeMux) error {
 	}
 
 	if mgr.config.Authorization.DynamicClientRegistrationEnabled {
-		if handler, err := NewDynamicClientRegistrationHandler(mgr.config); err != nil {
+		if handler, err := NewDynamicClientRegistrationHandler(mgr.config, mgr.authServerMeta); err != nil {
 			return err
 		} else {
 			rateLimiter := httprate.LimitByRealIP(3, 10*time.Minute)
 			mux.Handle(DynamicClientRegistrationPath, rateLimiter(handler))
 		}
 	}
 
+	if mgr.config.Authorization.AuthorizationProxyEnabled {
+		if handler, err := NewAuthorizationHandler(mgr.config, mgr.authServerMeta); err != nil {
+			return err
+		} else {
+			mux.Handle(AuthorizationPath, handler)
+		}
+	}
+
 	return nil
 }