Adds authorization handling mechanisms

mazinesy · mazinesy · commit 6c8384257f19 · 2025-06-02T11:58:43.000-04:00
diff --git a/lib/mcp.rb b/lib/mcp.rb
@@ -30,6 +30,7 @@
 require_relative "mcp/auth/server/providers/mcp_authorization_server_provider"
 require_relative "mcp/auth/server/handlers/metadata_handler"
 require_relative "mcp/auth/server/handlers/registration_handler"
+require_relative "mcp/auth/server/handlers/authorization_handler"
 
 module MCP
   class << self
diff --git a/lib/mcp/auth/errors.rb b/lib/mcp/auth/errors.rb
@@ -9,6 +9,8 @@ class InvalidGrantsError < StandardError; end
 
       class InvalidRedirectUriError < StandardError; end
 
+      class MissingClientIdError < StandardError; end
+
       class RegistrationError < StandardError
         INVALID_REDIRECT_URI = "invalid_redirect_uri"
         INVALID_CLIENT_METADATA = "invalid_client_metadata"
@@ -38,6 +40,12 @@ def initialize(error_code:, message: nil)
           super(message)
           @error_code = error_code
         end
+
+        class << self
+          def invalid_request(message)
+            AuthorizationError.new(error_code: INVALID_REQUEST, message:)
+          end
+        end
       end
 
       class TokenError < StandardError
diff --git a/lib/mcp/auth/models.rb b/lib/mcp/auth/models.rb
@@ -115,33 +115,22 @@ def initialize(
           @software_version = software_version
         end
 
-        def validate_scope(requested_scope)
-          return if requested_scope.nil? || requested_scope.empty?
-
-          requested_scopes = requested_scope.split(" ")
+        def validate_scopes!(requested_scopes)
           allowed_scopes = @scope.nil? ? [] : @scope.split(" ")
 
           requested_scopes.each do |s|
             unless allowed_scopes.include?(s)
               raise Errors::InvalidScopeError, "Client was not registered with scope '#{s}'"
             end
           end
-
-          requested_scopes
         end
 
-        def validate_redirect_uri(redirect_uri)
-          if redirect_uri
-            unless @redirect_uris.include?(redirect_uri)
-              raise Errors::InvalidRedirectUriError, "Redirect URI '#{redirect_uri}' not registered for client"
-            end
+        def valid_redirect_uri?(redirect_uri)
+          @redirect_uris.include?(redirect_uri)
+        end
 
-            redirect_uri_str
-          elsif @redirect_uris.one?
-            @redirect_uris.first
-          else
-            raise Errors::InvalidRedirectUriError, "redirect_uri must be specified when client has multiple registered URIs"
-          end
+        def multiple_redirect_uris?
+          @redirect_uris.size > 1
         end
       end
 
diff --git a/lib/mcp/auth/server/handlers/authorization_handler.rb b/lib/mcp/auth/server/handlers/authorization_handler.rb
@@ -0,0 +1,192 @@
+# frozen_string_literal: true
+
+require_relative "../../errors"
+require_relative "../../server/provider"
+
+module MCP
+  module Auth
+    module Server
+      module Handlers
+        class AuthorizationRequest
+          attr_reader :client_id,
+            :redirect_uri,
+            :code_challenge_method,
+            :code_challenge,
+            :response_type,
+            :state,
+            :scope
+
+          def initialize(
+            client_id: nil,
+            redirect_uri: nil,
+            code_challenge_method: nli,
+            response_type: nil,
+            code_challenge: nil,
+            state: nil,
+            scope: nil
+          )
+            if client_id.nil?
+              raise Errors::AuthorizationError.invalid_request("client_id must be defined")
+            end
+
+            if response_type != "code"
+              raise Errors::AuthorizationError.new(
+                error_code: Errors::AuthorizationError::UNSUPPORTED_RESPONSE_TYPE,
+                message: "response_type must be 'code'",
+              )
+            end
+
+            if code_challenge_method != "S256"
+              raise Errors::AuthorizationError.invalid_request("code_challenge_method must be 'S256'")
+            end
+
+            if code_challenge.nil?
+              raise Errors::AuthorizationError.invalid_request("code_challenge must be defined")
+            end
+
+            @client_id = client_id
+            @code_challenge = code_challenge
+            @code_challenge_method = code_challenge_method
+            @response_type = response_type
+            @redirect_uri = redirect_uri
+            @state = state
+            @scope = scope
+          end
+
+          def scopes_array
+            return [] if @scope.nil?
+
+            @scope.split(" ")
+          end
+
+          def redirect_uri_provided?
+            !@redirect_uri.nil?
+          end
+        end
+
+        class AuthorizationHandler
+          def initialize(
+            auth_server_provider:,
+            request_parser:
+          )
+            @auth_server_provider = auth_server_provider
+            @request_parser = request_parser
+          end
+
+          def handle(request)
+            # implements authorization requests for grant_type=code;
+            # See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1
+            # For error handling, refer to https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+            params_h = as_params_h(request) || {}
+            client_info, redirect_uri, auth_error = get_client_and_redirect_uri(params_h)
+            return bad_request_error(params_h:, auth_error:) if auth_error
+
+            begin
+              auth_request = AuthorizationRequest.new(**params_h)
+              scopes = auth_request.scopes_array
+              client_info.validate_scopes!(scopes)
+
+              auth_params = AuthorizationParams.new(
+                state: auth_request.state,
+                scopes:,
+                code_challenge: auth_request.code_challenge,
+                redirect_uri:,
+                redirect_uri_provided_explicitly: auth_request.redirect_uri_provided?,
+                response_type: auth_request.response_type,
+              )
+
+              location = @auth_server_provider.authorize(client_info:, auth_params:)
+              headers = {
+                "Cache-Control": "no-store",
+                "Location": location,
+              }
+              [302, headers, nil]
+            rescue => e
+              error_code = case e
+              in Errors::InvalidScopeError then Errors::AuthorizationError::INVALID_SCOPE
+              in Errors::AuthorizationError then e.error_code
+              else
+                Errors::AuthorizationError::SERVER_ERROR
+              end
+
+              redirect_response_error(
+                redirect_uri:,
+                error_code:,
+                error_description: e.message,
+                params_h:,
+              )
+            end
+          end
+
+          private
+
+          def as_params_h(request)
+            @request_parser.get?(request) ? @request_parser.parse_query_params(request) : @request_parser.parse_body(request)
+          end
+
+          # Validates the client_id and redirect_uri parameters from the authorization request.
+          # Returns a tuple of [client_info, redirect_uri, error] where:
+          # - client_info is the OAuthClientInformationFull for the client if found and valid
+          # - redirect_uri is a string derived from the params and client
+          # - error is an AuthorizationError if validation fails, nil otherwise
+          #
+          # @param params_h [Hash] The authorization request parameters
+          # @return [OAuthClientInformationFull, String, AuthorizationError] Tuple of client_info, redirect_uri, error
+          def get_client_and_redirect_uri(params_h)
+            client_id = params_h[:client_id]
+            if client_id.nil?
+              return [nil, nil, Errors::AuthorizationError.invalid_request("client_id must be defined")]
+            end
+
+            client_info = @auth_server_provider.get_client(client_id)
+            if client_info.nil?
+              return [nil, nil, Errors::AuthorizationError.invalid_request("client '#{client_id}' not found")]
+            end
+
+            redirect_uri = params_h[:redirect_uri]
+            if client_info.multiple_redirect_uris? && redirect_uri.nil?
+              return [nil, nil, Errors::AuthorizationError.invalid_request("redirect_uri must be defined because client defines multiple options")]
+            end
+
+            redirect_uri ||= client_info.redirect_uris.first
+            if redirect_uri.nil?
+              return [
+                nil,
+                nil,
+                Errors::AuthorizationError.new(
+                  error_code: Errors::AuthorizationError::SERVER_ERROR, message: "unable to select a redirect_uri",
+                ),
+              ]
+            end
+
+            unless client_info.valid_redirect_uri?(redirect_uri)
+              return [client_info, nil, Errors::AuthorizationError.invalid_request("invalid redirect_uri")]
+            end
+
+            [client_info, redirect_uri, nil]
+          end
+
+          def redirect_response_error(
+            redirect_uri:,
+            error_code:,
+            error_description:,
+            params_h:
+          )
+          end
+
+          def bad_request_error(
+            params_h:,
+            auth_error:
+          )
+            body = { error: auth_error.error_code, error_description: auth_error.message }
+            if params_h[:state]
+              body[:state] = params_h[:state]
+            end
+
+            [400, { "Cache-Control": "no-store" }, body]
+          end
+        end
+      end
+    end
+  end
+end
diff --git a/lib/mcp/auth/server/provider.rb b/lib/mcp/auth/server/provider.rb
@@ -10,18 +10,21 @@ class AuthorizationParams
           :scopes,
           :code_challenge,
           :redirect_uri,
-          :redirect_uri_provided_explicitly
+          :redirect_uri_provided_explicitly,
+          :response_type
 
         def initialize(
-          state: nil,
-          scopes: nil,
           code_challenge:,
           redirect_uri:,
-          redirect_uri_provided_explicitly:
+          redirect_uri_provided_explicitly:,
+          response_type:,
+          state: nil,
+          scopes: nil
         )
           @state = state
           @scopes = scopes
           @code_challenge = code_challenge
+          @response_type = response_type
           @redirect_uri = redirect_uri
           @redirect_uri_provided_explicitly = redirect_uri_provided_explicitly
         end
@@ -93,7 +96,7 @@ def initialize(
         end
       end
 
-      class OAuthAuthorizationServerProvider
+      module OAuthAuthorizationServerProvider
         # Retrieves client information by client ID.
         # Implementors MAY raise NotImplementedError if dynamic client registration is
         # disabled in ClientRegistrationOptions.
@@ -142,11 +145,11 @@ def register_client(client_info)
         # entropy, and MUST generate an authorization code with at least 128 bits of entropy.
         # See https://datatracker.ietf.org/doc/html/rfc6749#section-10.10.
         #
-        # @param client [MCP::Auth::Models::OAuthClientInformationFull] The client requesting authorization.
-        # @param params [MCP::Auth::Server::AuthorizationParams] The parameters of the authorization request.
+        # @param client_info [MCP::Auth::Models::OAuthClientInformationFull] The client requesting authorization.
+        # @param params      [MCP::Auth::Server::AuthorizationParams] The parameters of the authorization request.
         # @return [String] A URL to redirect the client to for authorization.
         # @raise [MCP::Auth::Errors::AuthorizeError] If the authorization request is invalid.
-        def authorize(client_info, params)
+        def authorize(client_info:, auth_params:)
           raise NotImplementedError, "#{self.class.name}#authorize is not implemented"
         end
 
diff --git a/lib/mcp/auth/server/providers/mcp_authorization_server_provider.rb b/lib/mcp/auth/server/providers/mcp_authorization_server_provider.rb
@@ -1,17 +1,50 @@
 # frozen_string_literal: true
 
+require "securerandom"
+require_relative "../../../serialization_utils"
 require_relative "../client_registry"
 require_relative "../state_registry"
+require_relative "../provider"
 
 module MCP
   module Auth
     module Server
       module Providers
-        class McpAuthorizationServerProvider < OAuthAuthorizationServerProvider
+        class McpAuthServerSettings
+          attr_reader :client_id,
+            :client_secret,
+            :auth_server_scopes,
+            :auth_server_authorization_endpoint,
+            :auth_server_token_endpoint,
+            :mcp_callback_endpoint
+
+          def initialize(
+            client_id:,
+            client_secret:,
+            auth_server_scopes:,
+            auth_server_authorization_endpoint:,
+            auth_server_token_endpoint:,
+            mcp_callback_endpoint:
+          )
+            @client_id = client_id
+            @client_secret = client_secret
+            @auth_server_scopes = auth_server_scopes
+            @auth_server_authorization_endpoint = auth_server_authorization_endpoint
+            @auth_server_token_endpoint = auth_server_token_endpoint
+            @mcp_callback_endpoint = mcp_callback_endpoint
+          end
+        end
+
+        class McpAuthorizationServerProvider
+          include OAuthAuthorizationServerProvider
+          include SerializationUtils
+
           def initialize(
+            auth_server_settings:,
             client_registry: nil,
             state_registry: nil
           )
+            @settings = auth_server_settings
             @client_registry = client_registry || InMemoryClientRegistry.new
             @state_registry = state_registry || InMemoryStateRegistry.new
           end
@@ -23,6 +56,23 @@ def get_client(client_id)
           def register_client(client_info)
             @client_registry.create(client_info)
           end
+
+          def authorize(client_info:, auth_params:)
+            state = auth_params.state || SecureRandom.hex(16)
+
+            @state_registry.create(state, to_h(auth_params))
+
+            auth_url = URI(@settings.auth_server_authorization_endpoint)
+            auth_url.query = URI.encode_www_form([
+              ["client_id", @settings.client_id],
+              ["redirect_uri", @settings.mcp_callback_endpoint],
+              ["scope", @settings.auth_server_scopes],
+              ["state", state],
+              ["response_type", auth_params.response_type],
+            ])
+
+            auth_url.to_s
+          end
         end
       end
     end
diff --git a/lib/mcp/auth/server/request_parser.rb b/lib/mcp/auth/server/request_parser.rb
