ExMCP.Authorization.DiscoveryFlow (ex_mcp v0.9.0)

Full 401 -> discovery -> auth orchestrator for MCP OAuth.

Coordinates the complete flow from discovering authorization server metadata to obtaining an access token, supporting both client_secret and private_key_jwt authentication methods.

Summary

Functions

Executes the full discovery-to-token flow.

Types

auth_method()

@type auth_method() :: :client_secret | :private_key_jwt

config()

@type config() :: %{
  :resource_url => String.t(),
  :client_id => String.t(),
  :auth_method => auth_method(),
  optional(:client_secret) => String.t(),
  optional(:private_key) => JOSE.JWK.t(),
  optional(:alg) => String.t(),
  optional(:kid) => String.t(),
  optional(:scopes) => [String.t()],
  optional(:resource) => String.t() | [String.t()],
  optional(:http_client) => module()
}

Functions

execute(config)

@spec execute(config()) :: {:ok, map()} | {:error, term()}

Executes the full discovery-to-token flow.

  1. Discovers the authorization server via Protected Resource Metadata (RFC 9728)
  2. Fetches AS metadata via OIDC Discovery / RFC 8414
  3. Selects authentication method based on config and server capabilities
  4. Obtains an access token via client credentials flow

Config

  • :resource_url (required) - The MCP server resource URL
  • :client_id (required) - OAuth client identifier
  • :auth_method (required) - :client_secret or :private_key_jwt
  • :client_secret - Required when auth_method is :client_secret
  • :private_key - Required when auth_method is :private_key_jwt
  • :alg - Signing algorithm for JWT auth (default: "RS256")
  • :kid - Key ID for JWT auth
  • :scopes - Requested scopes
  • :resource - RFC 8707 resource parameter(s)
  • :http_client - Custom HTTP client module for OIDC discovery
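
A pre-flight check for the config rules listed above, as an added example that is not part of ex_mcp. `DiscoveryPreflight`, the HTTPS-only rule, the rejection of a credential that does not belong to the chosen `:auth_method`, the `MCP_CLIENT_SECRET` variable, and all sample values are assumptions of this example; it assumes ex_mcp is a project dependency.

```elixir
defmodule DiscoveryPreflight do
  # Hypothetical helper (not an ex_mcp module): validates a DiscoveryFlow config before any network call.
  @required [:resource_url, :client_id, :auth_method]

  def validate(config) when is_map(config) do
    with :ok <- required_keys(config),
         :ok <- https_only(config.resource_url),
         :ok <- credential_matches(config),
         do: {:ok, config}
  end

  defp required_keys(config) do
    case Enum.reject(@required, &Map.has_key?(config, &1)) do
      [] -> :ok
      missing -> {:error, {:missing_keys, missing}}
    end
  end

  # Policy of this example: discovery starts from resource_url, so require https and a host.
  defp https_only(url) do
    case is_binary(url) && URI.parse(url) do
      %URI{scheme: "https", host: h} when is_binary(h) and h != "" -> :ok
      _ -> {:error, {:insecure_resource_url, url}}
    end
  end

  # Policy of this example: exactly the credential for the chosen method, nothing extra in the map.
  defp credential_matches(%{auth_method: :client_secret, private_key: _}), do: {:error, :unexpected_private_key}
  defp credential_matches(%{auth_method: :client_secret, client_secret: s}) when is_binary(s) and s != "", do: :ok
  defp credential_matches(%{auth_method: :client_secret}), do: {:error, :missing_client_secret}
  defp credential_matches(%{auth_method: :private_key_jwt, client_secret: _}), do: {:error, :unexpected_client_secret}
  defp credential_matches(%{auth_method: :private_key_jwt, private_key: k}) when not is_nil(k), do: :ok
  defp credential_matches(%{auth_method: :private_key_jwt}), do: {:error, :missing_private_key}
  defp credential_matches(%{auth_method: other}), do: {:error, {:unknown_auth_method, other}}
end

# Constructed sample values; the secret is read from the environment, not from source.
config = %{
  resource_url: "https://mcp.example.com/mcp",
  client_id: "example-client",
  auth_method: :client_secret,
  client_secret: System.get_env("MCP_CLIENT_SECRET", ""),
  scopes: ["mcp:read"]
}

case DiscoveryPreflight.validate(config) do
  {:ok, cfg} -> ExMCP.Authorization.DiscoveryFlow.execute(cfg)
  {:error, reason} -> {:error, {:preflight, reason}}
end
```

With `MCP_CLIENT_SECRET` unset, the script returns `{:error, {:preflight, :missing_client_secret}}` and never reaches `execute/1`.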