This is the documentation for the v2 beta.

MCP TypeScript SDK (V2) / @modelcontextprotocol/server-legacy / auth/providers/proxyProvider

auth/providers/proxyProvider

Classes

ProxyOAuthServerProvider

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:42

Implements an OAuth server that proxies requests to another OAuth server.

Implements

OAuthServerProvider

Constructors

Constructor

new ProxyOAuthServerProvider(options): ProxyOAuthServerProvider

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:63

Parameters
options

ProxyOptions

Returns

ProxyOAuthServerProvider

Properties

_endpoints

protected readonly _endpoints: ProxyEndpoints

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:43

_fetch?

protected readonly optional _fetch?: FetchLike

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:46

_getClient

protected readonly _getClient: (clientId) => Promise<{ application_type?: string; client_id: string; client_id_issued_at?: number; client_name?: string; client_secret?: string; client_secret_expires_at?: number; client_uri?: string; contacts?: string[]; grant_types?: string[]; jwks?: any; jwks_uri?: string; logo_uri?: string; policy_uri?: string; redirect_uris: string[]; response_types?: string[]; scope?: string; software_id?: string; software_statement?: string; software_version?: string; token_endpoint_auth_method?: string; tos_uri?: string; } | undefined>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:45

Parameters
clientId

string

Returns

Promise<{ application_type?: string; client_id: string; client_id_issued_at?: number; client_name?: string; client_secret?: string; client_secret_expires_at?: number; client_uri?: string; contacts?: string[]; grant_types?: string[]; jwks?: any; jwks_uri?: string; logo_uri?: string; policy_uri?: string; redirect_uris: string[]; response_types?: string[]; scope?: string; software_id?: string; software_statement?: string; software_version?: string; token_endpoint_auth_method?: string; tos_uri?: string; } | undefined>

_verifyAccessToken

protected readonly _verifyAccessToken: (token) => Promise<AuthInfo>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:44

Parameters
token

string

Returns

Promise<AuthInfo>

authorizationResponseIssParameterSupported

authorizationResponseIssParameterSupported: boolean = false

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:59

The proxy redirects the browser to the upstream AS's authorize endpoint with redirect_uri = params.redirectUri, so the upstream — not this proxy — issues the callback. The proxy cannot append its own iss, and any iss the upstream emits is the upstream's issuer, not issuerUrl. Advertise false so the metadata does not over-claim — a callback without iss then passes validation. Note: an upstream that does emit its own iss will still mismatch this proxy's issuer and be rejected by RFC 9207 clients regardless of this flag.
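The client-side rule this flag interacts with, as an added example that is not SDK code: `checkIss` is a hypothetical helper applying the RFC 9207 check to a callback URL, and the issuer and callback values are constructed.

```typescript
// Added illustration, not SDK code. Names and URLs below are constructed.
type AsMetadata = {
  issuer: string;
  authorization_response_iss_parameter_supported?: boolean;
};
type IssCheck = { ok: boolean; reason?: string };

// RFC 9207 client rule: a present iss must equal, by simple string comparison,
// the issuer the client sent the request to; a missing iss is acceptable only
// when the metadata does not advertise support.
function checkIss(callbackUrl: string, metadata: AsMetadata): IssCheck {
  const iss = new URL(callbackUrl).searchParams.get("iss"); // form-decoded
  if (iss === null) {
    return metadata.authorization_response_iss_parameter_supported
      ? { ok: false, reason: "iss advertised but missing" }
      : { ok: true };
  }
  return iss === metadata.issuer
    ? { ok: true }
    : { ok: false, reason: `iss ${iss} does not match ${metadata.issuer}` };
}

// Constructed scenario: the client discovered the proxy as its issuer, but the
// upstream authorization server is the one that issues the callback.
const proxyIssuer = "https://mcp-proxy.example";
const upstreamIssuer = "https://idp.example";
const callback = "http://127.0.0.1:8765/callback?code=abc&state=xyz";

function proxyScenarios(): Record<string, IssCheck> {
  const off = { issuer: proxyIssuer, authorization_response_iss_parameter_supported: false };
  const on = { issuer: proxyIssuer, authorization_response_iss_parameter_supported: true };
  const withUpstreamIss = `${callback}&iss=${encodeURIComponent(upstreamIssuer)}`;
  return {
    noIssFlagOff: checkIss(callback, off), // accepted
    noIssFlagOn: checkIss(callback, on), // rejected: metadata over-claims
    upstreamIssFlagOff: checkIss(withUpstreamIss, off), // rejected
    upstreamIssFlagOn: checkIss(withUpstreamIss, on), // rejected
  };
}
```

Only the first scenario passes, which is why the proxy advertises `false` and why an upstream that emits its own `iss` is rejected whatever the flag says.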

Implementation of

OAuthServerProvider.authorizationResponseIssParameterSupported

revokeToken?

optional revokeToken?: (client, request) => Promise<void>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:61

Revokes an access or refresh token. If unimplemented, token revocation is not supported (not recommended).

If the given token is invalid or already revoked, this method should do nothing.

Parameters
client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

request
token

string = ...

token_type_hint?

string = ...

Returns

Promise<void>

Implementation of

OAuthServerProvider.revokeToken

skipLocalPkceValidation

skipLocalPkceValidation: boolean = true

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:48

Whether to skip local PKCE validation.

If true, the server will not perform PKCE validation locally and will pass the code_verifier to the upstream server.

NOTE: This should only be true if the upstream server is performing the actual PKCE validation.
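What the skipped check is and what takes its place, as an added example that is not SDK code: `verifyPkceS256` and `upstreamTokenRequestBody` are hypothetical helpers, and the token request fields are an assumption based on the standard authorization code grant.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Added illustration, not SDK code; function names are hypothetical.

// The check a server runs itself when local PKCE validation is NOT skipped:
// BASE64URL(SHA-256(code_verifier)) must equal the stored code_challenge (S256).
function verifyPkceS256(codeVerifier: string, storedChallenge: string): boolean {
  const computed = createHash("sha256").update(codeVerifier, "ascii").digest("base64url");
  const a = Buffer.from(computed);
  const b = Buffer.from(storedChallenge);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return a.length === b.length && timingSafeEqual(a, b);
}

// What a proxy sends upstream when it skips the local check: the verifier is
// forwarded untouched, so the upstream token endpoint is the only PKCE enforcer.
function upstreamTokenRequestBody(
  clientId: string,
  code: string,
  codeVerifier?: string,
  redirectUri?: string,
): URLSearchParams {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
  });
  if (codeVerifier) body.set("code_verifier", codeVerifier);
  if (redirectUri) body.set("redirect_uri", redirectUri);
  return body;
}

// RFC 7636 Appendix B test vector.
const verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk";
const challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM";
```

If the upstream token endpoint ignores `code_verifier`, no component in the chain performs the first function, so confirm that the upstream rejects a wrong verifier before leaving the flag at `true`.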

Implementation of

OAuthServerProvider.skipLocalPkceValidation

Accessors

clientsStore
Get Signature

get clientsStore(): OAuthRegisteredClientsStore

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:102

A store used to read information about registered OAuth clients.

Returns

OAuthRegisteredClientsStore

Implementation of

OAuthServerProvider.clientsStore

Methods

authorize()

authorize(client, params, res): Promise<void>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:128

Begins the authorization flow, which can either be implemented by this server itself or via redirection to a separate authorization server.

This server must eventually issue a redirect with an authorization response or an error response to the given redirect URI. Per OAuth 2.1:

  • In the successful case, the redirect MUST include the code and state (if present) query parameters.
  • In the error case, the redirect MUST include the error query parameter, and MAY include an optional error_description query parameter.

RFC 9207: the bundled authorizationHandler appends iss only to res.redirect(...) calls you issue on the supplied res to params.redirectUri, so an implementation that redirects that way requires no change. If you emit the Location header another way (e.g. res.writeHead(302, { Location: ... })), or issue the final callback redirect from a different response (e.g. after a separate consent step), append params.issuer as iss yourself, or set OAuthServerProvider.authorizationResponseIssParameterSupported to false so the metadata does not over-claim.
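One way to build the callback Location yourself when you do not go through res.redirect(...), as an added example that is not SDK code: `buildCallbackLocation` and its parameter types are hypothetical and only mirror params.redirectUri, params.state and params.issuer from the text; all values are constructed.

```typescript
// Added illustration, not SDK code. The shapes below are assumptions.
type CallbackParams = { redirectUri: string; state?: string; issuer?: string };
type Outcome =
  | { code: string }
  | { error: string; errorDescription?: string };

function buildCallbackLocation(params: CallbackParams, outcome: Outcome): string {
  // URL keeps any query already present on the client's redirect URI and
  // percent-encodes every value added, so nothing is concatenated by hand.
  const target = new URL(params.redirectUri);
  if ("code" in outcome) {
    target.searchParams.set("code", outcome.code);
  } else {
    target.searchParams.set("error", outcome.error);
    if (outcome.errorDescription) {
      target.searchParams.set("error_description", outcome.errorDescription);
    }
  }
  // state is echoed only when the client sent one.
  if (params.state !== undefined) target.searchParams.set("state", params.state);
  // RFC 9207: iss accompanies success and error responses alike.
  if (params.issuer) target.searchParams.set("iss", params.issuer);
  return target.toString();
}

// Constructed values.
const sample: CallbackParams = {
  redirectUri: "https://client.example/cb?tenant=a",
  state: "s 1&x",
  issuer: "https://as.example",
};
const okLocation = buildCallbackLocation(sample, { code: "c0de" });
const errLocation = buildCallbackLocation(sample, {
  error: "access_denied",
  errorDescription: "user declined",
});
// Then, for instance: res.writeHead(302, { Location: okLocation }).end();
```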

Parameters
client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

params

AuthorizationParams

res

Response

Returns

Promise<void>

Implementation of

OAuthServerProvider.authorize

challengeForAuthorizationCode()

challengeForAuthorizationCode(_client, _authorizationCode): Promise<string>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:148

Returns the codeChallenge that was used when the indicated authorization began.

Parameters
_client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

_authorizationCode

string

Returns

Promise<string>

Implementation of

OAuthServerProvider.challengeForAuthorizationCode

exchangeAuthorizationCode()

exchangeAuthorizationCode(client, authorizationCode, codeVerifier?, redirectUri?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:154

Exchanges an authorization code for an access token.

Parameters
client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

authorizationCode

string

codeVerifier?

string

redirectUri?

string

resource?

URL

Returns

Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Implementation of

OAuthServerProvider.exchangeAuthorizationCode

exchangeRefreshToken()

exchangeRefreshToken(client, refreshToken, scopes?, resource?): Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:200

Exchanges a refresh token for an access token.

Parameters
client
application_type?

string = ...

OIDC Dynamic Client Registration application_type. MCP clients MUST set this to 'native' or 'web' when registering (SEP-837); the SDK defaults it from redirect_uris when omitted. Typed as string (not an enum) so that parsing an authorization server's registration response — which under RFC 7591 may echo extension values — never rejects the document on this field alone.

client_id

string = ...

client_id_issued_at?

number = ...

client_name?

string = ...

client_secret?

string = ...

client_secret_expires_at?

number = ...

client_uri?

string = ...

contacts?

string[] = ...

grant_types?

string[] = ...

jwks?

any = ...

jwks_uri?

string = ...

logo_uri?

string = OptionalSafeUrlSchema

policy_uri?

string = ...

redirect_uris

string[] = ...

response_types?

string[] = ...

scope?

string = ...

software_id?

string = ...

software_statement?

string = ...

software_version?

string = ...

token_endpoint_auth_method?

string = ...

tos_uri?

string = OptionalSafeUrlSchema

refreshToken

string

scopes?

string[]

resource?

URL

Returns

Promise<{ access_token: string; expires_in?: number; id_token?: string; refresh_token?: string; scope?: string; token_type: string; }>

Implementation of

OAuthServerProvider.exchangeRefreshToken

verifyAccessToken()

verifyAccessToken(token): Promise<AuthInfo>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:241

Verifies an access token and returns information about it.

Parameters
token

string

Returns

Promise<AuthInfo>

Implementation of

OAuthServerProvider.verifyAccessToken

Type Aliases

ProxyEndpoints

ProxyEndpoints = object

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:10

Properties

authorizationUrl

authorizationUrl: string

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:11

registrationUrl?

optional registrationUrl?: string

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:14

revocationUrl?

optional revocationUrl?: string

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:13

tokenUrl

tokenUrl: string

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:12


ProxyOptions

ProxyOptions = object

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:17

Properties

endpoints

endpoints: ProxyEndpoints

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:21

Individual endpoint URLs for proxying specific OAuth operations

fetch?

optional fetch?: FetchLike

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:36

Custom fetch implementation used for all network requests.

getClient

getClient: (clientId) => Promise<OAuthClientInformationFull | undefined>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:31

Function to fetch client information from the upstream server

Parameters
clientId

string

Returns

Promise<OAuthClientInformationFull | undefined>

verifyAccessToken

verifyAccessToken: (token) => Promise<AuthInfo>

Defined in: packages/server-legacy/src/auth/providers/proxyProvider.ts:26

Function to verify access tokens and return auth info

Parameters
token

string

Returns

Promise<AuthInfo>