/**
* postgres-mcp - Authorization Server Discovery
*
* RFC 8414 Authorization Server Metadata discovery.
*/
import type { AuthServerDiscoveryConfig, AuthorizationServerMetadata } from './types.js';
import { AuthServerDiscoveryError } from './errors.js';
import { logger } from '../utils/logger.js';
/**
* Authorization Server Discovery (RFC 8414)
*/
export class AuthorizationServerDiscovery {
private readonly config: AuthServerDiscoveryConfig;
private metadataCache: AuthorizationServerMetadata | null = null;
private cacheTime = 0;
constructor(config: AuthServerDiscoveryConfig) {
this.config = {
...config,
cacheTtl: config.cacheTtl ?? 3600,
timeout: config.timeout ?? 5000
};
}
/**
* Discover authorization server metadata
*/
async discover(): Promise<AuthorizationServerMetadata> {
const now = Date.now();
const cacheTtlMs = (this.config.cacheTtl ?? 3600) * 1000;
// Check cache
if (this.metadataCache && (now - this.cacheTime) < cacheTtlMs) {
return this.metadataCache;
}
try {
// RFC 8414: well-known endpoint - append to base URL path
const baseUrl = this.config.authServerUrl.endsWith('/')
? this.config.authServerUrl.slice(0, -1)
: this.config.authServerUrl;
const wellKnownUrl = `${baseUrl}/.well-known/oauth-authorization-server`;
const controller = new AbortController();
const timeoutId = setTimeout(() => { controller.abort(); }, this.config.timeout);
const response = await fetch(wellKnownUrl, {
method: 'GET',
headers: { 'Accept': 'application/json' },
signal: controller.signal
});
clearTimeout(timeoutId);
if (!response.ok) {
throw new Error(`HTTP ${response.status.toString()}: ${response.statusText}`);
}
const metadata = await response.json() as AuthorizationServerMetadata;
// Validate required fields
if (!metadata.issuer || !metadata.token_endpoint) {
throw new Error('Invalid metadata: missing required fields');
}
// Cache the metadata
this.metadataCache = metadata;
this.cacheTime = now;
logger.debug('Auth server metadata discovered', { issuer: metadata.issuer });
return metadata;
} catch (error) {
logger.error('Auth server discovery failed', {
url: this.config.authServerUrl,
error: String(error)
});
throw new AuthServerDiscoveryError(
`Failed to discover auth server at ${this.config.authServerUrl}: ${String(error)}`
);
}
}
/**
* Get JWKS URI from discovered metadata
*/
async getJwksUri(): Promise<string> {
const metadata = await this.discover();
if (!metadata.jwks_uri) {
throw new AuthServerDiscoveryError('Auth server metadata does not include jwks_uri');
}
return metadata.jwks_uri;
}
/**
* Get token endpoint from discovered metadata
*/
async getTokenEndpoint(): Promise<string> {
const metadata = await this.discover();
return metadata.token_endpoint;
}
/**
* Get registration endpoint (if available)
*/
async getRegistrationEndpoint(): Promise<string | undefined> {
const metadata = await this.discover();
return metadata.registration_endpoint;
}
/**
* Check if auth server supports a specific grant type
*/
async supportsGrantType(grantType: string): Promise<boolean> {
const metadata = await this.discover();
return metadata.grant_types_supported?.includes(grantType) ?? false;
}
/**
* Invalidate cache
*/
invalidateCache(): void {
this.metadataCache = null;
this.cacheTime = 0;
}
}
/**
* Create an authorization server discovery instance
*/
export function createAuthServerDiscovery(config: AuthServerDiscoveryConfig): AuthorizationServerDiscovery {
return new AuthorizationServerDiscovery(config);
}
