Copyright	(C) 2025 Matthias Pall Gissurarson
License	MIT
Maintainer	mpg@mpg.is
Stability	experimental
Portability	GHC
Safe Haskell	Safe-Inferred
Language	GHC2021

MCP.Server.Auth

Contents

OAuth Configuration
Token Validation
PKCE Support
Metadata Discovery

Description

This module provides MCP-compliant OAuth 2.1 authentication with PKCE support.

Synopsis

data OAuthConfig = OAuthConfig {
- oauthEnabled :: Bool
- oauthProviders :: [OAuthProvider]
- tokenValidationEndpoint :: Maybe Text
- requireHTTPS :: Bool
- authCodeExpirySeconds :: Int
- accessTokenExpirySeconds :: Int
- supportedScopes :: [Text]
- supportedResponseTypes :: [Text]
- supportedGrantTypes :: [Text]
- supportedAuthMethods :: [Text]
- supportedCodeChallengeMethods :: [Text]
- autoApproveAuth :: Bool
- demoUserIdTemplate :: Maybe Text
- demoEmailDomain :: Text
- demoUserName :: Text
- publicClientSecret :: Maybe Text
- authCodePrefix :: Text
- refreshTokenPrefix :: Text
- clientIdPrefix :: Text
- authorizationSuccessTemplate :: Maybe Text
}
data OAuthProvider = OAuthProvider {
- providerName :: Text
- clientId :: Text
- clientSecret :: Maybe Text
- authorizationEndpoint :: Text
- tokenEndpoint :: Text
- userInfoEndpoint :: Maybe Text
- scopes :: [Text]
- grantTypes :: [OAuthGrantType]
- requiresPKCE :: Bool
- metadataEndpoint :: Maybe Text
}
data OAuthGrantType
- = AuthorizationCode
- | ClientCredentials
data TokenInfo = TokenInfo {
- active :: Bool
- scope :: Maybe Text
- clientId :: Maybe Text
- username :: Maybe Text
- tokenType :: Maybe Text
- exp :: Maybe Integer
- iat :: Maybe Integer
- nbf :: Maybe Integer
- sub :: Maybe Text
- aud :: Maybe [Text]
- iss :: Maybe Text
}
validateBearerToken :: MonadIO m => OAuthConfig -> Text -> m (Either Text TokenInfo)
extractBearerToken :: Text -> Maybe Text
data PKCEChallenge = PKCEChallenge {
- codeVerifier :: Text
- codeChallenge :: Text
- challengeMethod :: Text
}
generateCodeVerifier :: IO Text
generateCodeChallenge :: Text -> Text
validateCodeVerifier :: Text -> Text -> Bool
data OAuthMetadata = OAuthMetadata {
- issuer :: Text
- authorizationEndpoint :: Text
- tokenEndpoint :: Text
- registrationEndpoint :: Maybe Text
- userInfoEndpoint :: Maybe Text
- jwksUri :: Maybe Text
- scopesSupported :: Maybe [Text]
- responseTypesSupported :: [Text]
- grantTypesSupported :: Maybe [Text]
- tokenEndpointAuthMethodsSupported :: Maybe [Text]
- codeChallengeMethodsSupported :: Maybe [Text]
}
discoverOAuthMetadata :: MonadIO m => Text -> m (Either String OAuthMetadata)

OAuth Configuration

data OAuthConfig Source #

OAuth configuration for the MCP server

Constructors

OAuthConfig

Fields

oauthEnabled :: Bool
oauthProviders :: [OAuthProvider]
tokenValidationEndpoint :: Maybe Text
requireHTTPS :: Bool
authCodeExpirySeconds :: Int
accessTokenExpirySeconds :: Int
supportedScopes :: [Text]
supportedResponseTypes :: [Text]
supportedGrantTypes :: [Text]
supportedAuthMethods :: [Text]
supportedCodeChallengeMethods :: [Text]
autoApproveAuth :: Bool
demoUserIdTemplate :: Maybe Text
demoEmailDomain :: Text
demoUserName :: Text
publicClientSecret :: Maybe Text
authCodePrefix :: Text
refreshTokenPrefix :: Text
clientIdPrefix :: Text
authorizationSuccessTemplate :: Maybe Text

Instances

Instances details

Generic OAuthConfig Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep OAuthConfig :: Type -> Type # Methods from :: OAuthConfig -> Rep OAuthConfig x # to :: Rep OAuthConfig x -> OAuthConfig #
Show OAuthConfig Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> OAuthConfig -> ShowS # show :: OAuthConfig -> String # showList :: [OAuthConfig] -> ShowS #
type Rep OAuthConfig Source #
Instance details Defined in MCP.Server.Auth type Rep OAuthConfig = D1 ('MetaData "OAuthConfig" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "OAuthConfig" 'PrefixI 'True) ((((S1 ('MetaSel ('Just "oauthEnabled") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Bool) :: S1 ('MetaSel ('Just "oauthProviders") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [OAuthProvider])) :: (S1 ('MetaSel ('Just "tokenValidationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "requireHTTPS") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Bool) :: S1 ('MetaSel ('Just "authCodeExpirySeconds") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Int)))) :: ((S1 ('MetaSel ('Just "accessTokenExpirySeconds") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Int) :: S1 ('MetaSel ('Just "supportedScopes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text])) :: (S1 ('MetaSel ('Just "supportedResponseTypes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text]) :: (S1 ('MetaSel ('Just "supportedGrantTypes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text]) :: S1 ('MetaSel ('Just "supportedAuthMethods") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text]))))) :: (((S1 ('MetaSel ('Just "supportedCodeChallengeMethods") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text]) :: S1 ('MetaSel ('Just "autoApproveAuth") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Bool)) :: (S1 ('MetaSel ('Just "demoUserIdTemplate") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "demoEmailDomain") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: S1 ('MetaSel ('Just "demoUserName") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text)))) :: ((S1 ('MetaSel ('Just "publicClientSecret") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "authCodePrefix") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text)) :: (S1 ('MetaSel ('Just "refreshTokenPrefix") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: (S1 ('MetaSel ('Just "clientIdPrefix") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :*: S1 ('MetaSel ('Just "authorizationSuccessTemplate") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text))))))))

data OAuthProvider Source #

OAuth provider configuration (MCP-compliant)

Constructors

OAuthProvider
Fields providerName :: Text clientId :: Text clientSecret :: Maybe Text authorizationEndpoint :: Text tokenEndpoint :: Text userInfoEndpoint :: Maybe Text scopes :: [Text] grantTypes :: [OAuthGrantType] requiresPKCE :: Bool metadataEndpoint :: Maybe Text

Instances

Instances details

Generic OAuthProvider Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep OAuthProvider :: Type -> Type # Methods from :: OAuthProvider -> Rep OAuthProvider x # to :: Rep OAuthProvider x -> OAuthProvider #
Show OAuthProvider Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> OAuthProvider -> ShowS # show :: OAuthProvider -> String # showList :: [OAuthProvider] -> ShowS #
type Rep OAuthProvider Source #
Instance details Defined in MCP.Server.Auth type Rep OAuthProvider = D1 ('MetaData "OAuthProvider" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "OAuthProvider" 'PrefixI 'True) (((S1 ('MetaSel ('Just "providerName") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: S1 ('MetaSel ('Just "clientId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text)) :: (S1 ('MetaSel ('Just "clientSecret") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "authorizationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: S1 ('MetaSel ('Just "tokenEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text)))) :: ((S1 ('MetaSel ('Just "userInfoEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "scopes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text])) :: (S1 ('MetaSel ('Just "grantTypes") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [OAuthGrantType]) :: (S1 ('MetaSel ('Just "requiresPKCE") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Bool) :*: S1 ('MetaSel ('Just "metadataEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)))))))

data OAuthGrantType Source #

OAuth grant types supported by MCP

Constructors

AuthorizationCode
ClientCredentials

Instances

Instances details

Generic OAuthGrantType Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep OAuthGrantType :: Type -> Type # Methods from :: OAuthGrantType -> Rep OAuthGrantType x # to :: Rep OAuthGrantType x -> OAuthGrantType #
Show OAuthGrantType Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> OAuthGrantType -> ShowS # show :: OAuthGrantType -> String # showList :: [OAuthGrantType] -> ShowS #
Eq OAuthGrantType Source #
Instance details Defined in MCP.Server.Auth Methods (==) :: OAuthGrantType -> OAuthGrantType -> Bool # (/=) :: OAuthGrantType -> OAuthGrantType -> Bool #
type Rep OAuthGrantType Source #
Instance details Defined in MCP.Server.Auth type Rep OAuthGrantType = D1 ('MetaData "OAuthGrantType" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "AuthorizationCode" 'PrefixI 'False) (U1 :: Type -> Type) :+: C1 ('MetaCons "ClientCredentials" 'PrefixI 'False) (U1 :: Type -> Type))

Token Validation

data TokenInfo Source #

Token introspection response

Constructors

TokenInfo
Fields active :: Bool scope :: Maybe Text clientId :: Maybe Text username :: Maybe Text tokenType :: Maybe Text exp :: Maybe Integer iat :: Maybe Integer nbf :: Maybe Integer sub :: Maybe Text aud :: Maybe [Text] iss :: Maybe Text

Instances

Instances details

FromJSON TokenInfo Source #
Instance details Defined in MCP.Server.Auth Methods parseJSON :: Value -> Parser TokenInfo # parseJSONList :: Value -> Parser [TokenInfo] # omittedField :: Maybe TokenInfo #
Generic TokenInfo Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep TokenInfo :: Type -> Type # Methods from :: TokenInfo -> Rep TokenInfo x # to :: Rep TokenInfo x -> TokenInfo #
Show TokenInfo Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> TokenInfo -> ShowS # show :: TokenInfo -> String # showList :: [TokenInfo] -> ShowS #
type Rep TokenInfo Source #
Instance details Defined in MCP.Server.Auth type Rep TokenInfo = D1 ('MetaData "TokenInfo" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "TokenInfo" 'PrefixI 'True) (((S1 ('MetaSel ('Just "active") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Bool) :: S1 ('MetaSel ('Just "scope") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text))) :: (S1 ('MetaSel ('Just "clientId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "username") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "tokenType") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text))))) :: ((S1 ('MetaSel ('Just "exp") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Integer)) :: (S1 ('MetaSel ('Just "iat") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Integer)) :: S1 ('MetaSel ('Just "nbf") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Integer)))) :: (S1 ('MetaSel ('Just "sub") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "aud") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe [Text])) :: S1 ('MetaSel ('Just "iss") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)))))))

validateBearerToken :: MonadIO m => OAuthConfig -> Text -> m (Either Text TokenInfo) Source #

Validate a bearer token

extractBearerToken :: Text -> Maybe Text Source #

Extract Bearer token from Authorization header

PKCE Support

data PKCEChallenge Source #

PKCE challenge data

Constructors

PKCEChallenge
Fields codeVerifier :: Text codeChallenge :: Text challengeMethod :: Text

Instances

Instances details

Generic PKCEChallenge Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep PKCEChallenge :: Type -> Type # Methods from :: PKCEChallenge -> Rep PKCEChallenge x # to :: Rep PKCEChallenge x -> PKCEChallenge #
Show PKCEChallenge Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> PKCEChallenge -> ShowS # show :: PKCEChallenge -> String # showList :: [PKCEChallenge] -> ShowS #
type Rep PKCEChallenge Source #
Instance details Defined in MCP.Server.Auth type Rep PKCEChallenge = D1 ('MetaData "PKCEChallenge" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "PKCEChallenge" 'PrefixI 'True) (S1 ('MetaSel ('Just "codeVerifier") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: (S1 ('MetaSel ('Just "codeChallenge") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: S1 ('MetaSel ('Just "challengeMethod") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text))))

generateCodeVerifier :: IO Text Source #

Generate a cryptographically secure code verifier for PKCE

generateCodeChallenge :: Text -> Text Source #

Generate code challenge from verifier using SHA256 (S256 method)

validateCodeVerifier :: Text -> Text -> Bool Source #

Validate PKCE code verifier against challenge

Metadata Discovery

data OAuthMetadata Source #

OAuth metadata (from discovery endpoint)

Constructors

OAuthMetadata
Fields issuer :: Text authorizationEndpoint :: Text tokenEndpoint :: Text registrationEndpoint :: Maybe Text userInfoEndpoint :: Maybe Text jwksUri :: Maybe Text scopesSupported :: Maybe [Text] responseTypesSupported :: [Text] grantTypesSupported :: Maybe [Text] tokenEndpointAuthMethodsSupported :: Maybe [Text] codeChallengeMethodsSupported :: Maybe [Text]

Instances

Instances details

FromJSON OAuthMetadata Source #
Instance details Defined in MCP.Server.Auth Methods parseJSON :: Value -> Parser OAuthMetadata # parseJSONList :: Value -> Parser [OAuthMetadata] # omittedField :: Maybe OAuthMetadata #
ToJSON OAuthMetadata Source #
Instance details Defined in MCP.Server.Auth Methods toJSON :: OAuthMetadata -> Value # toEncoding :: OAuthMetadata -> Encoding # toJSONList :: [OAuthMetadata] -> Value # toEncodingList :: [OAuthMetadata] -> Encoding # omitField :: OAuthMetadata -> Bool #
Generic OAuthMetadata Source #
Instance details Defined in MCP.Server.Auth Associated Types type Rep OAuthMetadata :: Type -> Type # Methods from :: OAuthMetadata -> Rep OAuthMetadata x # to :: Rep OAuthMetadata x -> OAuthMetadata #
Show OAuthMetadata Source #
Instance details Defined in MCP.Server.Auth Methods showsPrec :: Int -> OAuthMetadata -> ShowS # show :: OAuthMetadata -> String # showList :: [OAuthMetadata] -> ShowS #
type Rep OAuthMetadata Source #
Instance details Defined in MCP.Server.Auth type Rep OAuthMetadata = D1 ('MetaData "OAuthMetadata" "MCP.Server.Auth" "mcp-0.3.0.0-inplace" 'False) (C1 ('MetaCons "OAuthMetadata" 'PrefixI 'True) (((S1 ('MetaSel ('Just "issuer") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: S1 ('MetaSel ('Just "authorizationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text)) :: (S1 ('MetaSel ('Just "tokenEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 Text) :: (S1 ('MetaSel ('Just "registrationEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "userInfoEndpoint") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text))))) :: ((S1 ('MetaSel ('Just "jwksUri") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "scopesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe [Text])) :: S1 ('MetaSel ('Just "responseTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 [Text]))) :: (S1 ('MetaSel ('Just "grantTypesSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe [Text])) :: (S1 ('MetaSel ('Just "tokenEndpointAuthMethodsSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe [Text])) :: S1 ('MetaSel ('Just "codeChallengeMethodsSupported") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedLazy) (Rec0 (Maybe [Text])))))))

discoverOAuthMetadata :: MonadIO m => Text -> m (Either String OAuthMetadata) Source #

Discover OAuth metadata from a well-known endpoint