OAuth Implementation based on middleware

Author: Volodymyr Panivko

composer.json

@@ -47,7 +47,8 @@
     "psr/simple-cache": "^2.0 || ^3.0",
     "symfony/cache": "^5.4 || ^6.4 || ^7.3 || ^8.0",
     "symfony/console": "^5.4 || ^6.4 || ^7.3 || ^8.0",
-    "symfony/process": "^5.4 || ^6.4 || ^7.3 || ^8.0"
+    "symfony/process": "^5.4 || ^6.4 || ^7.3 || ^8.0",
+    "ext-openssl": "*"
   },
   "autoload": {
     "psr-4": {

examples/server/oauth-keycloak/server.php

@@ -11,7 +11,7 @@
 
 declare(strict_types=1);
 
-require_once dirname(__DIR__, 3).'/vendor/autoload.php';
+require_once dirname(__DIR__).'/bootstrap.php';
 
 use Http\Discovery\Psr17Factory;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
@@ -21,30 +21,20 @@
 use Mcp\Server\Transport\Middleware\JwtTokenValidator;
 use Mcp\Server\Transport\Middleware\ProtectedResourceMetadata;
 use Mcp\Server\Transport\StreamableHttpTransport;
-use Psr\Log\AbstractLogger;
 
-// Configuration from environment
+// Configuration
 // External URL is what clients use and what appears in tokens
-$keycloakExternalUrl = getenv('KEYCLOAK_EXTERNAL_URL') ?: 'http://localhost:8180';
+$keycloakExternalUrl = 'http://localhost:8180';
 // Internal URL is how this server reaches Keycloak (Docker network)
-$keycloakInternalUrl = getenv('KEYCLOAK_INTERNAL_URL') ?: 'http://keycloak:8080';
-$keycloakRealm = getenv('KEYCLOAK_REALM') ?: 'mcp';
-$mcpAudience = getenv('MCP_AUDIENCE') ?: 'mcp-server';
+$keycloakInternalUrl = 'http://keycloak:8080';
+$keycloakRealm = 'mcp';
+$mcpAudience = 'mcp-server';
 
 // Issuer is what appears in the token (external URL)
 $issuer = rtrim($keycloakExternalUrl, '/').'/realms/'.$keycloakRealm;
 // JWKS URI uses internal URL to reach Keycloak within Docker network
 $jwksUri = rtrim($keycloakInternalUrl, '/').'/realms/'.$keycloakRealm.'/protocol/openid-connect/certs';
 
-// Create logger
-$logger = new class extends AbstractLogger {
-    public function log($level, \Stringable|string $message, array $context = []): void
-    {
-        $logMessage = sprintf("[%s] %s\n", strtoupper($level), $message);
-        error_log($logMessage);
-    }
-};
-
 // Create PSR-17 factory
 $psr17Factory = new Psr17Factory();
 $request = $psr17Factory->createServerRequestFromGlobals();
@@ -77,15 +67,15 @@ public function log($level, \Stringable|string $message, array $context = []): v
 // Build MCP server
 $server = Server::builder()
     ->setServerInfo('OAuth Keycloak Example', '1.0.0')
-    ->setLogger($logger)
-    ->setSession(new FileSessionStore('/tmp/mcp-sessions'))
+    ->setLogger(logger())
+    ->setSession(new FileSessionStore(__DIR__.'/sessions'))
     ->setDiscovery(__DIR__)
     ->build();
 
 // Create transport with authorization middleware
 $transport = new StreamableHttpTransport(
     $request,
-    logger: $logger,
+    logger: logger(),
     middlewares: [$authMiddleware],
 );
 

examples/server/oauth-microsoft/server.php

@@ -11,7 +11,7 @@
 
 declare(strict_types=1);
 
-require_once dirname(__DIR__, 3).'/vendor/autoload.php';
+require_once dirname(__DIR__).'/bootstrap.php';
 
 use Http\Discovery\Psr17Factory;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
@@ -23,7 +23,6 @@
 use Mcp\Server\Transport\Middleware\ProtectedResourceMetadata;
 use Mcp\Server\Transport\StreamableHttpTransport;
 use Psr\Log\AbstractLogger;
-use Psr\Log\LoggerInterface;
 
 // Configuration from environment
 $tenantId = getenv('AZURE_TENANT_ID') ?: throw new RuntimeException('AZURE_TENANT_ID environment variable is required');
@@ -36,15 +35,6 @@
 $issuerV1 = "https://sts.windows.net/{$tenantId}/";
 $issuers = [$issuerV2, $issuerV1];
 
-// Create logger
-$logger = new class extends AbstractLogger {
-    public function log($level, \Stringable|string $message, array $context = []): void
-    {
-        $logMessage = sprintf("[%s] %s\n", strtoupper($level), $message);
-        error_log($logMessage);
-    }
-};
-
 // Create PSR-17 factory
 $psr17Factory = new Psr17Factory();
 $request = $psr17Factory->createServerRequestFromGlobals();
@@ -90,16 +80,16 @@ public function log($level, \Stringable|string $message, array $context = []): v
 // Build MCP server
 $server = Server::builder()
     ->setServerInfo('OAuth Microsoft Example', '1.0.0')
-    ->setLogger($logger)
-    ->setSession(new FileSessionStore('/tmp/mcp-sessions'))
+    ->setLogger(logger())
+    ->setSession(new FileSessionStore(__DIR__.'/sessions'))
     ->setDiscovery(__DIR__)
     ->build();
 
 // Create transport with OAuth proxy and authorization middlewares
 // Middlewares are reversed internally, so put OAuth proxy FIRST to execute FIRST
 $transport = new StreamableHttpTransport(
     $request,
-    logger: $logger,
+    logger: logger(),
     middlewares: [$oauthProxyMiddleware, $authMiddleware],
 );
 

src/Server/Transport/Middleware/AuthorizationMiddleware.php

@@ -70,18 +70,15 @@ public function __construct(
 
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
-        // Serve metadata at well-known paths
         if ($this->isMetadataRequest($request)) {
             return $this->createMetadataResponse();
         }
 
-        // Extract Authorization header
         $authorization = $request->getHeaderLine('Authorization');
         if ('' === $authorization) {
             return $this->buildErrorResponse($request, AuthorizationResult::unauthorized());
         }
 
-        // Parse Bearer token
         $accessToken = $this->parseBearerToken($authorization);
         if (null === $accessToken) {
             return $this->buildErrorResponse(
@@ -90,7 +87,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
             );
         }
 
-        // Validate the token
         $result = $this->validator->validate($request, $accessToken);
         if ($result->isAllowed()) {
             return $handler->handle($this->applyAttributes($request, $result->getAttributes()));
@@ -101,33 +97,19 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     private function createMetadataResponse(): ResponseInterface
     {
-        $payload = $this->metadata->toJson();
-
         return $this->responseFactory
             ->createResponse(200)
             ->withHeader('Content-Type', 'application/json')
-            ->withBody($this->streamFactory->createStream($payload));
+            ->withBody($this->streamFactory->createStream($this->metadata->toJson()));
     }
 
     private function isMetadataRequest(ServerRequestInterface $request): bool
     {
-        if (empty($this->metadataPaths)) {
-            return false;
-        }
-
-        if ('GET' !== $request->getMethod()) {
+        if (empty($this->metadataPaths) || 'GET' !== $request->getMethod()) {
             return false;
         }
 
-        $path = $request->getUri()->getPath();
-
-        foreach ($this->metadataPaths as $metadataPath) {
-            if ($path === $metadataPath) {
-                return true;
-            }
-        }
-
-        return false;
+        return in_array($request->getUri()->getPath(), $this->metadataPaths, true);
     }
 
     private function buildErrorResponse(ServerRequestInterface $request, AuthorizationResult $result): ResponseInterface

src/Server/Transport/Middleware/AuthorizationResult.php

@@ -22,7 +22,7 @@
  *
  * @author Volodymyr Panivko <sveneld300@gmail.com>
  */
-class AuthorizationResult
+final class AuthorizationResult
 {
     /**
      * @param list<string>|null $scopes Scopes to include in WWW-Authenticate challenge

src/Server/Transport/Middleware/JwtTokenValidator.php

@@ -11,10 +11,14 @@
 
 namespace Mcp\Server\Transport\Middleware;
 
+use Firebase\JWT\BeforeValidException;
+use Firebase\JWT\ExpiredException;
 use Firebase\JWT\JWK;
 use Firebase\JWT\JWT;
+use Firebase\JWT\SignatureInvalidException;
 use Http\Discovery\Psr17FactoryDiscovery;
 use Http\Discovery\Psr18ClientDiscovery;
+use Mcp\Exception\RuntimeException;
 use Psr\Http\Client\ClientInterface;
 use Psr\Http\Message\RequestFactoryInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -128,31 +132,16 @@ public function validate(ServerRequestInterface $request, string $accessToken):
             }
 
             return AuthorizationResult::allow($attributes);
-        } catch (\Firebase\JWT\ExpiredException $e) {
-            return AuthorizationResult::unauthorized(
-                'invalid_token',
-                'Token has expired.'
-            );
-        } catch (\Firebase\JWT\SignatureInvalidException $e) {
-            return AuthorizationResult::unauthorized(
-                'invalid_token',
-                'Token signature verification failed.'
-            );
-        } catch (\Firebase\JWT\BeforeValidException $e) {
-            return AuthorizationResult::unauthorized(
-                'invalid_token',
-                'Token is not yet valid.'
-            );
+        } catch (ExpiredException) {
+            return AuthorizationResult::unauthorized('invalid_token', 'Token has expired.');
+        } catch (SignatureInvalidException) {
+            return AuthorizationResult::unauthorized('invalid_token', 'Token signature verification failed.');
+        } catch (BeforeValidException) {
+            return AuthorizationResult::unauthorized('invalid_token', 'Token is not yet valid.');
         } catch (\UnexpectedValueException|\DomainException $e) {
-            return AuthorizationResult::unauthorized(
-                'invalid_token',
-                'Token validation failed: ' . $e->getMessage()
-            );
-        } catch (\Throwable $e) {
-            return AuthorizationResult::unauthorized(
-                'invalid_token',
-                'Token validation error.'
-            );
+            return AuthorizationResult::unauthorized('invalid_token', 'Token validation failed: '.$e->getMessage());
+        } catch (\Throwable) {
+            return AuthorizationResult::unauthorized('invalid_token', 'Token validation error.');
         }
     }
 
@@ -320,10 +309,9 @@ private function validateIssuer(array $claims): bool
             return false;
         }
 
-        $tokenIssuer = $claims['iss'];
         $expectedIssuers = \is_array($this->issuer) ? $this->issuer : [$this->issuer];
 
-        return \in_array($tokenIssuer, $expectedIssuers, true);
+        return \in_array($claims['iss'], $expectedIssuers, true);
     }
 
     /**
@@ -336,24 +324,24 @@ private function fetchJwks(string $jwksUri): array
 
         $response = $this->httpClient->sendRequest($request);
 
-        if ($response->getStatusCode() >= 400) {
-            throw new \RuntimeException(sprintf(
+        if (200 !== $response->getStatusCode()) {
+            throw new RuntimeException(sprintf(
                 'Failed to fetch JWKS from %s: HTTP %d',
                 $jwksUri,
                 $response->getStatusCode()
             ));
         }
 
-        $body = (string)$response->getBody();
+        $body = (string) $response->getBody();
 
         try {
             $data = json_decode($body, true, 512, \JSON_THROW_ON_ERROR);
         } catch (\JsonException $e) {
-            throw new \RuntimeException(sprintf('Failed to decode JWKS: %s', $e->getMessage()), 0, $e);
+            throw new RuntimeException(sprintf('Failed to decode JWKS: %s', $e->getMessage()), 0, $e);
         }
 
         if (!\is_array($data) || !isset($data['keys'])) {
-            throw new \RuntimeException('Invalid JWKS format: missing "keys" array.');
+            throw new RuntimeException('Invalid JWKS format: missing "keys" array.');
         }
 
         /** @var array<string, mixed> $data */