ExMCP.Authorization.IdJagHandler (ex_mcp v0.9.0)

Server-side handler for processing ID-JAG tokens in JWT bearer grants.

Used by MCP authorization servers to validate incoming ID-JAG assertions and issue access tokens in the enterprise-managed authorization flow.

Summary

Functions

Fetches JWKS from an IdP's jwks_uri endpoint.

Processes a JWT bearer grant containing an ID-JAG.

Functions

fetch_idp_keys(jwks_uri)

@spec fetch_idp_keys(String.t()) :: {:ok, [JOSE.JWK.t()]} | {:error, term()}

Fetches JWKS from an IdP's jwks_uri endpoint.

handle_grant(opts)

@spec handle_grant(keyword()) :: {:ok, map()} | {:error, term()}

Processes a JWT bearer grant containing an ID-JAG.

  1. Extracts and identifies the ID-JAG assertion
  2. Identifies the IdP from the iss claim
  3. Fetches/caches IdP JWKS
  4. Validates the ID-JAG
  5. Returns validated claims for access token issuance

Options

  • :assertion (required) - The JWT bearer assertion (ID-JAG)
  • :expected_audience (required) - This AS's issuer URI
  • :expected_resource (required) - The MCP server resource URI
  • :trusted_idps (required) - Map of trusted IdP issuers to their config. Each IdP config should have :jwks_uri or :jwks (list of JWKs)
  • :jwks_cache - Optional cache (map of issuer -> JWKs) for performance
  • :max_lifetime - Maximum ID-JAG lifetime (default: 600)
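Added example (not ex_mcp's own code) of how an authorization server's token endpoint might wire these two functions together: prefetching IdP keys into a :jwks_cache and then validating an incoming jwt-bearer grant. The MyAS.TokenEndpoint module, the issuer and resource URIs, and what the caller does with the returned claims are all assumptions.

```elixir
defmodule MyAS.TokenEndpoint do
  # Hypothetical glue module: drives ExMCP.Authorization.IdJagHandler from an
  # authorization server's token endpoint. Not part of ex_mcp.
  alias ExMCP.Authorization.IdJagHandler

  # RFC 7523 grant type carried in the token request
  @jwt_bearer "urn:ietf:params:oauth:grant-type:jwt-bearer"

  # Assumed trust configuration: issuer -> IdP config, one via :jwks_uri, one inline.
  @trusted_idps %{
    "https://idp.example.com" => %{jwks_uri: "https://idp.example.com/.well-known/jwks.json"},
    "https://idp2.example.com" => %{jwks: []} # placeholder: real JOSE.JWK structs go here
  }

  # Prefetch keys for every IdP that exposes a jwks_uri; the result is passed as :jwks_cache.
  def warm_jwks_cache(trusted_idps \\ @trusted_idps) do
    Enum.reduce(trusted_idps, %{}, fn
      {issuer, %{jwks_uri: uri}}, acc ->
        case IdJagHandler.fetch_idp_keys(uri) do
          {:ok, keys} -> Map.put(acc, issuer, keys)
          {:error, _reason} -> acc # leave uncached; handle_grant fetches on demand
        end

      {issuer, %{jwks: keys}}, acc ->
        Map.put(acc, issuer, keys)
    end)
  end

  # Handle a decoded token-request body. Only the jwt-bearer grant is accepted here;
  # returns {:ok, claims} for access token issuance or an OAuth-style error tuple.
  def token_request(%{"grant_type" => @jwt_bearer, "assertion" => assertion}, jwks_cache) do
    opts = [
      assertion: assertion,
      # this AS's issuer URI and the protected MCP server URI (both assumed values)
      expected_audience: "https://as.example.com",
      expected_resource: "https://mcp.example.com/mcp",
      trusted_idps: @trusted_idps,
      jwks_cache: jwks_cache,
      # tighter than the 600 s default
      max_lifetime: 300
    ]

    case IdJagHandler.handle_grant(opts) do
      # caller mints the access token from the validated claims
      {:ok, claims} -> {:ok, claims}
      # keep the validation detail server-side; the client only sees invalid_grant
      {:error, reason} -> {:error, :invalid_grant, reason}
    end
  end

  def token_request(_params, _jwks_cache), do: {:error, :unsupported_grant_type, nil}
end
```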