ExMCP.Authorization.FullOAuthFlow (ex_mcp v0.9.0)


Full OAuth 2.1 authorization code flow with PKCE for MCP.

Orchestrates the complete browser-based OAuth flow:

  1. Discover Protected Resource Metadata (RFC 9728)
  2. Discover Authorization Server metadata (RFC 8414 / OIDC)
  3. Dynamic Client Registration (RFC 7591) if no client_id
  4. Authorization Code flow with PKCE (RFC 7636)
  5. Local redirect URI server to receive callback
  6. Token exchange at token endpoint
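The PKCE and callback-handling pieces of steps 4 to 6, as an added illustration that is not ex_mcp code and does not show its internal API. It uses only :crypto, Base and URI from Elixir/OTP; the authorization endpoint, client_id, local redirect URI, scope name and the callback URL it parses are constructed sample values. Discovery and dynamic registration (steps 1 to 3) are not covered here.

```elixir
# Added example, not part of ex_mcp: PKCE pair (RFC 7636), authorization
# request, redirect-callback verification and token request body.
defmodule PkceFlowExample do
  # RFC 7636 section 4.1: the verifier is 43..128 unreserved characters.
  # 32 random bytes encode to exactly 43 base64url characters without padding.
  def new_verifier, do: Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)

  # RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
  def challenge(verifier), do: Base.url_encode64(:crypto.hash(:sha256, verifier), padding: false)

  # `state` binds the callback to the session that started the flow (CSRF protection).
  def new_state, do: Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)

  # Authorization request the user's browser is sent to (RFC 6749 section 4.1.1
  # plus PKCE and an RFC 8707 `resource` indicator naming the MCP server).
  def authorization_url(authz_endpoint, p) do
    query =
      URI.encode_query(%{
        "response_type" => "code",
        "client_id" => p.client_id,
        "redirect_uri" => p.redirect_uri,
        "code_challenge" => challenge(p.verifier),
        "code_challenge_method" => "S256",
        "state" => p.state,
        "scope" => Enum.join(p.scopes, " "),
        "resource" => p.resource
      })

    authz_endpoint <> "?" <> query
  end

  # What the local redirect server must do with the request it receives:
  # reject a `state` that does not match the one we generated, then error
  # responses, then a missing code, before the code is ever sent to the
  # token endpoint. Returns {:ok, code} or {:error, reason}.
  def parse_callback(callback_url, expected_state) do
    params = URI.decode_query(URI.parse(callback_url).query || "")

    cond do
      not same_state?(params["state"], expected_state) -> {:error, :state_mismatch}
      Map.has_key?(params, "error") -> {:error, {:authorization_error, params["error"]}}
      not is_binary(params["code"]) -> {:error, :missing_code}
      true -> {:ok, params["code"]}
    end
  end

  # Constant-time comparison. :crypto.hash_equals/2 (OTP 25+) requires
  # equal-length binaries, so length (and a missing parameter) is checked first.
  defp same_state?(got, want) when is_binary(got) and byte_size(got) == byte_size(want),
    do: :crypto.hash_equals(got, want)

  defp same_state?(_, _), do: false

  # application/x-www-form-urlencoded body for the token endpoint (RFC 6749
  # section 4.1.3 plus PKCE). The verifier, never the challenge, goes here.
  def token_request_body(code, p) do
    URI.encode_query(%{
      "grant_type" => "authorization_code",
      "code" => code,
      "redirect_uri" => p.redirect_uri,
      "client_id" => p.client_id,
      "code_verifier" => p.verifier,
      "resource" => p.resource
    })
  end

  # End to end, with a constructed callback URL standing in for the browser.
  def demo do
    p = %{
      client_id: "example-client",                    # assumed value
      redirect_uri: "http://127.0.0.1:8765/callback", # assumed local listener
      resource: "http://localhost:3000/mcp",
      scopes: ["mcp:tools"],                          # assumed scope name
      verifier: new_verifier(),
      state: new_state()
    }

    url = authorization_url("https://as.example/authorize", p)

    # Constructed callback as the local redirect server would receive it.
    callback =
      "http://127.0.0.1:8765/callback?" <>
        URI.encode_query(%{"code" => "SplxlOBeZQQYbYS6WxSbIA", "state" => p.state})

    with {:ok, code} <- parse_callback(callback, p.state) do
      {:ok, url, token_request_body(code, p)}
    end
  end
end
```

Calling PkceFlowExample.demo() in iex returns the authorization URL the browser would be sent to and the form body the token endpoint would receive. Feeding parse_callback/2 a URL whose state was generated elsewhere returns {:error, :state_mismatch} before any code is accepted, which is the check that stops a forged redirect from injecting an attacker's authorization code into the flow.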

This flow is used when an MCP server responds 401 and the client holds no credentials for it. RFC 9728 lets the server's WWW-Authenticate header point at its Protected Resource Metadata; pass that header value as :www_authenticate so discovery can start from it. For clients that already have credentials, use ExMCP.Authorization.DiscoveryFlow instead.

Usage

alias ExMCP.Authorization.FullOAuthFlow

# Opens the browser, listens on an auto-assigned local port for the
# redirect, and returns the token response map (contains :access_token).
{:ok, token} = FullOAuthFlow.execute(%{
  resource_url: "http://localhost:3000/mcp",
  redirect_port: 0  # auto-assign port
})

Summary

Functions

Execute the full OAuth flow.

Types

config()

@type config() :: %{
  :resource_url => String.t(),
  optional(:client_id) => String.t(),
  optional(:client_secret) => String.t(),
  optional(:redirect_port) => non_neg_integer(),
  optional(:scopes) => [String.t()],
  optional(:resource) => String.t() | [String.t()],
  optional(:http_client) => module(),
  optional(:www_authenticate) => String.t()
}

Functions

execute(config)

@spec execute(config()) :: {:ok, map()} | {:error, term()}

Execute the full OAuth flow.

Returns {:ok, %{access_token: "...", ...}} on success, or {:error, reason} if metadata discovery, client registration, the browser authorization step, or the token exchange fails.