Introduce new resource and issuer mandatory configurations

Author: pavinduLakshan

examples/express-mcp-server/src/index.ts

@@ -12,6 +12,7 @@ const port = process.env.PORT || 3000;
 const mcpAuthServer = new McpAuthServer({
   baseUrl: process.env.BASE_URL as string,
   issuer: process.env.ISSUER as string,
+  resource: process.env.RESOURCE as string,
 });
 
 app.use(express.json());

examples/express-mcp-vet-ai-assist-app/package.json

@@ -32,18 +32,20 @@
     "@asgardeo/mcp-express": "workspace:*",
     "@modelcontextprotocol/inspector": "^0.11.0",
     "@modelcontextprotocol/sdk": "^1.11.0",
+    "cors": "^2.8.5",
     "dotenv": "^16.3.1",
     "express": "^4.18.2",
     "tailwindcss": "^4.1.5",
     "zod": "^3.24.4"
   },
   "devDependencies": {
-    "@wso2/eslint-plugin": "https://gitpkg.now.sh/brionmario/wso2-ui-configs/packages/eslint-plugin?4ee6f6be232d7631999d709a86b91612f1d34ce7",
-    "@wso2/prettier-config": "https://gitpkg.now.sh/brionmario/wso2-ui-configs/packages/prettier-config?4ee6f6be232d7631999d709a86b91612f1d34ce7",
+    "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
     "@types/node": "^20.10.0",
-    "nodemon": "^3.0.2",
+    "@wso2/eslint-plugin": "https://gitpkg.now.sh/brionmario/wso2-ui-configs/packages/eslint-plugin?4ee6f6be232d7631999d709a86b91612f1d34ce7",
+    "@wso2/prettier-config": "https://gitpkg.now.sh/brionmario/wso2-ui-configs/packages/prettier-config?4ee6f6be232d7631999d709a86b91612f1d34ce7",
     "eslint": "8.57.0",
+    "nodemon": "^3.0.2",
     "ts-node": "^10.9.2",
     "typescript": "^5.3.3"
   }

examples/express-mcp-vet-ai-assist-app/src/index.ts

@@ -21,6 +21,7 @@ import {McpAuthServer} from '@asgardeo/mcp-express';
 import {McpServer} from '@modelcontextprotocol/sdk/server/mcp';
 import {StreamableHTTPServerTransport} from '@modelcontextprotocol/sdk/server/streamableHttp';
 import {isInitializeRequest} from '@modelcontextprotocol/sdk/types';
+import cors from 'cors';
 import {config} from 'dotenv';
 import express, {Express, Request, Response} from 'express';
 import {z} from 'zod';
@@ -32,8 +33,10 @@ const app: Express = express();
 const mcpAuthServer: McpAuthServer = new McpAuthServer({
   baseUrl: process.env.BASE_URL as string,
   issuer: process.env.ISSUER as string,
+  resource: process.env.RESOURCE as string,
 });
 
+app.use(cors());
 app.use(express.json());
 app.use(mcpAuthServer.router());
 

packages/mcp-express/src/middlewares/bearerAuthMiddleware.ts

@@ -46,7 +46,13 @@ export default function bearerAuthMiddleware(options: McpAuthOptions) {
 
     const token: string = parts[1];
 
-    const issuerBase: string | undefined = options?.baseUrl;
+    const baseUrl: string | undefined = options?.baseUrl;
+    const issuer: string | undefined = options?.issuer;
+    const endpoints:
+      | {
+          jwks?: string | undefined;
+        }
+      | undefined = options?.endpoints;
 
     const TOKEN_VALIDATION_CONFIG: {
       jwksUri: string;
@@ -56,11 +62,11 @@ export default function bearerAuthMiddleware(options: McpAuthOptions) {
         issuer: string;
       };
     } = {
-      jwksUri: `${issuerBase}/oauth2/jwks`,
+      jwksUri: `${baseUrl}${endpoints?.jwks ?? '/oauth2/jwks'}`,
       options: {
         audience: options?.audience,
         clockTolerance: 60,
-        issuer: `${options.issuer}`,
+        issuer,
       },
     };
 

packages/mcp-express/src/routes/auth.ts

@@ -23,23 +23,34 @@ import {getProtectedResourceMetadata} from '../controllers/protected-resource';
 
 export default function AuthRouter(options: McpAuthOptions): express.Router {
   const router: express.Router = express.Router();
-  const {baseUrl, issuer} = options;
+  const {baseUrl, issuer, resource} = options;
   if (!baseUrl) {
     throw new Error('baseUrl must be provided');
   }
 
+  if (!issuer) {
+    throw new Error('issuer must be provided');
+  }
+
+  if (!resource) {
+    throw new Error('resource must be provided');
+  }
+
+  const resourceUrlPathComponent: string | undefined = undefined; // new URL(options?.resource).pathname;
+
   router.use(
-    PROTECTED_RESOURCE_URL,
+    resourceUrlPathComponent ? PROTECTED_RESOURCE_URL + resourceUrlPathComponent : PROTECTED_RESOURCE_URL,
     getProtectedResourceMetadata({
       authorizationServers: [issuer],
-      resource: 'https://api.example.com',
+      resource,
     }),
   );
 
   router.use(
     AUTHORIZATION_SERVER_METADATA_URL,
     getAuthorizationServerMetadata({
       baseUrl,
+      issuer,
     }),
   );
 

packages/mcp-node/src/models/authorization-server.ts

@@ -55,6 +55,16 @@ export interface AuthorizationServerMetadata {
 export interface AuthorizationServerMetadataOptions {
   /** The base URL of the authorization server */
   baseUrl: string;
+  endpoints?: {
+    // URL path of the authorization endpoint
+    authorize?: string;
+    // URL of the JWK Set document
+    jwks?: string;
+    // URL path of the token endpoint
+    token?: string;
+  };
+  // URL path of the issuer endpoint
+  issuer: string;
   /** Optional URL pointing to the service documentation */
   serviceDocumentation?: string;
 }

packages/mcp-node/src/models/mcp-auth.ts

@@ -19,5 +19,10 @@
 export interface McpAuthOptions {
   audience?: string;
   baseUrl: string;
+  endpoints?: {
+    jwks?: string;
+    token?: string;
+  };
   issuer: string;
+  resource: string;
 }

packages/mcp-node/src/utils/generate-authorization-server-metadata.ts

@@ -28,11 +28,13 @@ import {AuthorizationServerMetadata, AuthorizationServerMetadataOptions} from '.
 export default function generateAuthorizationServerMetadata(
   options: AuthorizationServerMetadataOptions,
 ): AuthorizationServerMetadata {
+  const {issuer, endpoints} = options;
+
   const metadata: AuthorizationServerMetadata = {
-    authorization_endpoint: `${options.baseUrl}/oauth2/authorize`,
-    issuer: `${options.baseUrl}/oauth2/token`,
+    authorization_endpoint: `${options.baseUrl}${endpoints?.authorize ?? '/oauth2/authorize'}`,
+    issuer: `${issuer}`,
     response_types_supported: ['code'],
-    token_endpoint: `${options.baseUrl}/oauth2/token`,
+    token_endpoint: `${options.baseUrl}${endpoints?.token ?? '/oauth2/token'}`,
   };
 
   // TODO: Check this further.
@@ -57,7 +59,7 @@ export default function generateAuthorizationServerMetadata(
   }
 
   // TODO: Check this further.
-  metadata.jwks_uri = `${options.baseUrl}/oauth/jwks`;
+  metadata.jwks_uri = `${options.baseUrl}${endpoints?.jwks ?? '/oauth/jwks'}`;
 
   return metadata;
 }