ExMCP.Authorization.EnterpriseFlow (ex_mcp v0.9.0)
Client-side enterprise SSO orchestrator for MCP.
Implements the enterprise-managed authorization flow using ID-JAG (Identity Assertion JWT Authorization Grant), in three steps:
- Step 1: the user authenticates with the IdP via OIDC and the client obtains an ID token
- Step 2 (token exchange at the IdP): the client exchanges the ID token for an ID-JAG
- Step 3 (JWT bearer grant at the AS): the client presents the ID-JAG to the authorization server and receives an access token for the MCP server
Functions
Executes the enterprise-managed authorization flow.
Takes an OIDC ID token (obtained in Step 1, the prior OIDC authentication) and:
- Discovers the AS token endpoint from the AS issuer if :as_token_endpoint is not provided
- Exchanges the ID token for an ID-JAG at the IdP's token endpoint (Step 2)
- Presents the ID-JAG to the AS via the JWT bearer grant to obtain an access token (Step 3)
Config
- :id_token (required) - OIDC ID token from the prior authentication step
- :idp_token_endpoint (required) - IdP's token endpoint used for the token exchange
- :as_issuer (required) - Authorization server's issuer URI (used to discover the token endpoint when :as_token_endpoint is absent)
- :as_token_endpoint - AS token endpoint (discovered from :as_issuer if not provided)
- :resource_url - MCP server resource URL the access token is requested for
- :client_id - OAuth client identifier
- :scope - Requested scope
- :http_client - Custom HTTP client module used for discovery
Discovers the IdP's OIDC endpoints and builds an authorization URL for Step 1.
This is a helper for initiating the OIDC authentication step (Step 1) before the enterprise flow can proceed.
Options
- :idp_issuer (required) - The IdP's issuer URI, used to discover its OIDC endpoints
- :client_id (required) - OAuth client identifier registered at the IdP
- :redirect_uri (required) - Callback URI for the OIDC authorization code flow
- :scope - Requested OIDC scopes (default: "openid")
- :state - CSRF state parameter; bind it to the user's session and verify it on the callback
- :nonce - OIDC nonce parameter; verify that the returned ID token's nonce claim matches it
- :http_client - Custom HTTP client module used for discovery