auth/providers/proxyProvider
Classes
ProxyOAuthServerProvider
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:42
Implements an OAuth server that proxies requests to another OAuth server.
Implements
Constructors
Constructor
new ProxyOAuthServerProvider(options): ProxyOAuthServerProvider
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:63
Parameters
options
Returns
Properties
_endpoints
protected readonly _endpoints: ProxyEndpoints
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:43
_fetch?
protected readonly optional _fetch?: FetchLike
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:46
_getClient
protected readonly _getClient: (clientId) => Promise<{ application_type?: string; client_id: string; client_id_issued_at?: number; client_name?: string; client_secret?: string; client_secret_expires_at?: number; client_uri?: string; contacts?: string[]; grant_types?: string[]; jwks?: any; jwks_uri?: string; logo_uri?: string; policy_uri?: string; redirect_uris: string[]; response_types?: string[]; scope?: string; software_id?: string; software_statement?: string; software_version?: string; token_endpoint_auth_method?: string; tos_uri?: string; } | undefined>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:45
Parameters
clientId
string
Returns
Promise<{ application_type?: string; client_id: string; client_id_issued_at?: number; client_name?: string; client_secret?: string; client_secret_expires_at?: number; client_uri?: string; contacts?: string[]; grant_types?: string[]; jwks?: any; jwks_uri?: string; logo_uri?: string; policy_uri?: string; redirect_uris: string[]; response_types?: string[]; scope?: string; software_id?: string; software_statement?: string; software_version?: string; token_endpoint_auth_method?: string; tos_uri?: string; } | undefined>
_verifyAccessToken
protected readonly _verifyAccessToken: (token) => Promise<AuthInfo>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:44
Parameters
token
string
Returns
Promise<AuthInfo>
authorizationResponseIssParameterSupported
authorizationResponseIssParameterSupported: boolean = false
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:59
The proxy redirects the browser to the upstream AS's authorize endpoint with redirect_uri = params.redirectUri, so the upstream — not this proxy — issues the callback. The proxy cannot append its own iss, and any iss the upstream emits is the upstream's issuer, not issuerUrl. Advertise false so the metadata does not over-claim — a callback without iss then passes validation. Note: an upstream that does emit its own iss will still mismatch this proxy's issuer and be rejected by RFC 9207 clients regardless of this flag.
Implementation of
OAuthServerProvider.authorizationResponseIssParameterSupported
revokeToken?
optional revokeToken?: (client, request) => Promise<void>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:61
Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).
If the given token is invalid or already revoked, this method should do nothing.
Parameters
client
application_type?
string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id
string = ...
client_id_issued_at?
number = ...
client_name?
string = ...
client_secret?
string = ...
client_secret_expires_at?
number = ...
client_uri?
string = ...
contacts?
string[] = ...
grant_types?
string[] = ...
jwks?
any = ...
jwks_uri?
string = ...
logo_uri?
string = OptionalSafeUrlSchema
policy_uri?
string = ...
redirect_uris
string[] = ...
response_types?
string[] = ...
scope?
string = ...
software_id?
string = ...
software_statement?
string = ...
software_version?
string = ...
token_endpoint_auth_method?
string = ...
tos_uri?
string = OptionalSafeUrlSchema
request
token
string = ...
token_type_hint?
string = ...
Returns
Promise<void>
Implementation of
OAuthServerProvider.revokeToken
skipLocalPkceValidation
skipLocalPkceValidation: boolean = true
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:48
Whether to skip local PKCE validation.
If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.
NOTE: This should only be true if the upstream server is performing the actual PKCE validation.
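The check that is skipped locally, and that the upstream server must therefore enforce, sketched as an added example (not SDK code). The function and type names are hypothetical; the test vector is the one from RFC 7636 Appendix B.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added example; function and type names are hypothetical, not SDK API.
type PkceOutcome = "accept" | "reject" | "delegated-to-upstream";

// RFC 7636: code_verifier is 43-128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// S256 transform: BASE64URL(SHA256(ASCII(code_verifier))), no padding.
function s256Challenge(codeVerifier: string): string {
  return createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
}

// The comparison a server performs when it validates PKCE locally.
function verifyPkceS256(storedChallenge: string, codeVerifier: string): boolean {
  if (!VERIFIER_RE.test(codeVerifier)) return false;
  const expected = Buffer.from(s256Challenge(codeVerifier));
  const actual = Buffer.from(storedChallenge);
  // Length check first: timingSafeEqual throws on unequal lengths.
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Models the flag: when local validation is skipped, nothing is checked here,
// so a wrong verifier is caught only if the upstream enforces PKCE.
function pkceAtTokenEndpoint(
  skipLocalPkceValidation: boolean,
  storedChallenge: string | undefined,
  codeVerifier: string | undefined,
): PkceOutcome {
  if (skipLocalPkceValidation) return "delegated-to-upstream";
  if (storedChallenge === undefined || codeVerifier === undefined) return "reject";
  return verifyPkceS256(storedChallenge, codeVerifier) ? "accept" : "reject";
}

// Test vector from RFC 7636 Appendix B.
const RFC_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
const RFC_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
```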
Implementation of
OAuthServerProvider.skipLocalPkceValidation
Accessors
clientsStore
Get Signature
get clientsStore(): OAuthRegisteredClientsStore
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:102
A store used to read information about registered OAuth clients.
Returns
Implementation of
OAuthServerProvider.clientsStore
Methods
authorize()
authorize(client, params, res): Promise<void>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:128
Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.
This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:
- In the successful case, the redirect MUST include the code and state (if present) query parameters.
- In the error case, the redirect MUST include the error query parameter, and MAY include an optional error_description query parameter.
RFC 9207: the bundled authorizationHandler appends iss only to res.redirect(...) calls you issue on the supplied res to params.redirectUri, so an implementation that redirects that way requires no change. If you emit the Location header another way (e.g. res.writeHead(302, { Location: ... })), or issue the final callback redirect from a different response (e.g. after a separate consent step), append params.issuer as iss yourself, or set OAuthServerProvider.authorizationResponseIssParameterSupported to false so the metadata does not over-claim.
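How an RFC 9207 client evaluates the callback in the cases described here and under authorizationResponseIssParameterSupported, together with the manual iss append, as an added example (not SDK code). All function names, issuers and URLs are constructed for illustration.

```typescript
// Added example: client-side RFC 9207 check plus the server-side iss append.
// All names and URLs below are constructed for illustration.
interface AsMetadata {
  issuer: string;
  authorization_response_iss_parameter_supported?: boolean;
}

type IssResult = "ok" | "missing_iss" | "iss_mismatch";

// RFC 9207 client rule: compare iss to the expected issuer by simple string
// comparison; reject a response without iss when the metadata claims support.
function checkCallbackIss(meta: AsMetadata, callbackUrl: string): IssResult {
  const iss = new URL(callbackUrl).searchParams.get("iss");
  if (iss === null) {
    return meta.authorization_response_iss_parameter_supported ? "missing_iss" : "ok";
  }
  return iss === meta.issuer ? "ok" : "iss_mismatch";
}

// What a provider does itself when it does not redirect through
// res.redirect(...) on the supplied response: add iss to the callback URL.
function withIss(redirectUri: string, issuer: string): string {
  const url = new URL(redirectUri);
  url.searchParams.set("iss", issuer);
  return url.href;
}

const PROXY = "https://mcp.example.com";    // constructed proxy issuer
const UPSTREAM = "https://idp.example.net"; // constructed upstream issuer
const CALLBACK = "https://client.example.org/cb?code=abc&state=xyz";

const proxyMeta: AsMetadata = { issuer: PROXY, authorization_response_iss_parameter_supported: false };
const overClaiming: AsMetadata = { issuer: PROXY, authorization_response_iss_parameter_supported: true };

function demo(): Record<string, IssResult> {
  return {
    proxyNoIss: checkCallbackIss(proxyMeta, CALLBACK),                     // flag false, no iss
    overClaimNoIss: checkCallbackIss(overClaiming, CALLBACK),              // flag true, no iss
    upstreamIss: checkCallbackIss(proxyMeta, withIss(CALLBACK, UPSTREAM)), // upstream's own iss
    ownIss: checkCallbackIss(overClaiming, withIss(CALLBACK, PROXY)),      // iss appended by this server
  };
}
```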
Parameters
client
application_type?
string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id
string = ...
client_id_issued_at?
number = ...
client_name?
string = ...
client_secret?
string = ...
client_secret_expires_at?
number = ...
client_uri?
string = ...
contacts?
string[] = ...
grant_types?
string[] = ...
jwks?
any = ...
jwks_uri?
string = ...
logo_uri?
string = OptionalSafeUrlSchema
policy_uri?
string = ...
redirect_uris
string[] = ...
response_types?
string[] = ...
scope?
string = ...
software_id?
string = ...
software_statement?
string = ...
software_version?
string = ...
token_endpoint_auth_method?
string = ...
tos_uri?
string = OptionalSafeUrlSchema
params
res
Response
Returns
Promise<void>
Implementation of
challengeForAuthorizationCode()
challengeForAuthorizationCode(_client, _authorizationCode): Promise<string>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:148
Returns the codeChallenge that was used when the indicated authorization began.
Parameters
_client
application_type?
string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id
string = ...
client_id_issued_at?
number = ...
client_name?
string = ...
client_secret?
string = ...
client_secret_expires_at?
number = ...
client_uri?
string = ...
contacts?
string[] = ...
grant_types?
string[] = ...
jwks?
any = ...
jwks_uri?
string = ...
logo_uri?
string = OptionalSafeUrlSchema
policy_uri?
string = ...
redirect_uris
string[] = ...
response_types?
string[] = ...
scope?
string = ...
software_id?
string = ...
software_statement?
string = ...
software_version?
string = ...
token_endpoint_auth_method?
string = ...
tos_uri?
string = OptionalSafeUrlSchema
_authorizationCode
string
Returns
Promise<string>
Implementation of
OAuthServerProvider.challengeForAuthorizationCode
exchangeAuthorizationCode()
exchangeAuthorizationCode(client, authorizationCode, codeVerifier?, redirectUri?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:154
Exchanges an authorization code for an access token.
Parameters
client
application_type?
string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id
string = ...
client_id_issued_at?
number = ...
client_name?
string = ...
client_secret?
string = ...
client_secret_expires_at?
number = ...
client_uri?
string = ...
contacts?
string[] = ...
grant_types?
string[] = ...
jwks?
any = ...
jwks_uri?
string = ...
logo_uri?
string = OptionalSafeUrlSchema
policy_uri?
string = ...
redirect_uris
string[] = ...
response_types?
string[] = ...
scope?
string = ...
software_id?
string = ...
software_statement?
string = ...
software_version?
string = ...
token_endpoint_auth_method?
string = ...
tos_uri?
string = OptionalSafeUrlSchema
authorizationCode
string
codeVerifier?
string
redirectUri?
string
resource?
URL
Returns
Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Implementation of
OAuthServerProvider.exchangeAuthorizationCode
exchangeRefreshToken()
exchangeRefreshToken(client, refreshToken, scopes?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:200
Exchanges a refresh token for an access token.
Parameters
client
application_type?
string = ...
OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.
client_id
string = ...
client_id_issued_at?
number = ...
client_name?
string = ...
client_secret?
string = ...
client_secret_expires_at?
number = ...
client_uri?
string = ...
contacts?
string[] = ...
grant_types?
string[] = ...
jwks?
any = ...
jwks_uri?
string = ...
logo_uri?
string = OptionalSafeUrlSchema
policy_uri?
string = ...
redirect_uris
string[] = ...
response_types?
string[] = ...
scope?
string = ...
software_id?
string = ...
software_statement?
string = ...
software_version?
string = ...
token_endpoint_auth_method?
string = ...
tos_uri?
string = OptionalSafeUrlSchema
refreshToken
string
scopes?
string[]
resource?
URL
Returns
Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>
Implementation of
OAuthServerProvider.exchangeRefreshToken
verifyAccessToken()
verifyAccessToken(token): Promise<AuthInfo>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:241
Verifies an access token and returns information about it.
Parameters
token
string
Returns
Promise<AuthInfo>
Implementation of
OAuthServerProvider.verifyAccessToken
Type Aliases
ProxyEndpoints
ProxyEndpoints = object
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:10
Properties
authorizationUrl
authorizationUrl: string
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:11
registrationUrl?
optional registrationUrl?: string
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:14
revocationUrl?
optional revocationUrl?: string
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:13
tokenUrl
tokenUrl: string
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:12
ProxyOptions
ProxyOptions = object
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:17
Properties
endpoints
endpoints: ProxyEndpoints
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:21
Individual endpoint URLs for proxying specific OAuth operations
fetch?
optional fetch?: FetchLike
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:36
Custom fetch implementation used for all network requests.
getClient
getClient: (clientId) => Promise<OAuthClientInformationFull | undefined>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:31
Function to fetch client information from the upstream server
Parameters
clientId
string
Returns
Promise<OAuthClientInformationFull | undefined>
verifyAccessToken
verifyAccessToken: (token) => Promise<AuthInfo>
Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:26
Function to verify access tokens and return auth info
Parameters
token
string
Returns
Promise<AuthInfo>