Check PCKE Support

Author: RyoKusnadi

internal/testing/fake_auth_server.go

@@ -9,6 +9,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"net"
 	"net/http"
 	"time"
 
@@ -44,7 +45,19 @@ func NewFakeAuthMux() *http.ServeMux {
 }
 
 func (s *state) handleMetadata(w http.ResponseWriter, r *http.Request) {
-	issuer := "https://localhost:" + r.URL.Port()
+	// Derive the port from the request Host; r.URL.Port() is empty on server side.
+	hostPort := r.Host
+	port := ""
+	if hp := hostPort; hp != "" {
+		if _, p, err := net.SplitHostPort(hp); err == nil {
+			port = p
+		}
+	}
+	if port == "" {
+		// Fallback attempt; may still be empty depending on server/request.
+		port = r.URL.Port()
+	}
+	issuer := "https://localhost:" + port
 	metadata := map[string]any{
 		"issuer":                                issuer,
 		"authorization_endpoint":                issuer + "/authorize",

mcp/client_example_test.go

@@ -8,9 +8,14 @@ import (
 	"context"
 	"fmt"
 	"log"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
 
 	"github.com/google/jsonschema-go/jsonschema"
+	itesting "github.com/modelcontextprotocol/go-sdk/internal/testing"
 	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/modelcontextprotocol/go-sdk/oauthex"
 )
 
 // !+roots
@@ -137,3 +142,40 @@ func Example_elicitation() {
 }
 
 // !-elicitation
+
+// !+oauth_pkce
+
+func Example_oauthPKCE() {
+	ctx := context.Background()
+
+	// Start a fake OAuth 2.1 auth server that advertises PKCE (S256).
+	orig := itesting.NewFakeAuthMux()
+	wrapper := http.NewServeMux()
+	wrapper.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		orig.ServeHTTP(w, r)
+	})
+	ts := httptest.NewTLSServer(wrapper)
+	defer ts.Close()
+
+	// Validate that the server supports PKCE per MCP auth requirements.
+	// The fake server sets issuer to https://localhost:<port>, so compute that issuer.
+	u, _ := url.Parse(ts.URL)
+	issuer := "https://localhost:" + u.Port()
+
+	// The fake server presents a cert for example.com; set ServerName accordingly.
+	httpClient := ts.Client()
+	if tr, ok := httpClient.Transport.(*http.Transport); ok {
+		clone := tr.Clone()
+		clone.TLSClientConfig.ServerName = "example.com"
+		httpClient.Transport = clone
+	}
+
+	if err := oauthex.RequirePKCE(ctx, issuer, httpClient); err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Println("pkce ok")
+	// Output: pkce ok
+}
+
+// !-oauth_pkce

oauthex/oauthex.go

@@ -5,6 +5,38 @@
 // Package oauthex implements extensions to OAuth2.
 package oauthex
 
-import "github.com/modelcontextprotocol/go-sdk/internal/oauthex"
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/modelcontextprotocol/go-sdk/internal/oauthex"
+)
 
 type ProtectedResourceMetadata = oauthex.ProtectedResourceMetadata
+
+// AuthServerMeta is the authorization server metadata type.
+// It is re-exported here for users of the public oauthex package.
+type AuthServerMeta = oauthex.AuthServerMeta
+
+// GetAuthServerMeta retrieves OAuth 2.0 Authorization Server Metadata for the given issuer URL.
+// This forwards to the internal implementation.
+func GetAuthServerMeta(ctx context.Context, issuerURL string, c *http.Client) (*AuthServerMeta, error) {
+	return oauthex.GetAuthServerMeta(ctx, issuerURL, c)
+}
+
+// RequirePKCE checks that the authorization server for issuerURL supports PKCE,
+// by verifying that CodeChallengeMethodsSupported is non-empty.
+// It returns an error if metadata cannot be fetched or PKCE is not advertised.
+func RequirePKCE(ctx context.Context, issuerURL string, c *http.Client) error {
+	asm, err := oauthex.GetAuthServerMeta(ctx, issuerURL, c)
+	if err != nil {
+		return err
+	}
+
+	if len(asm.CodeChallengeMethodsSupported) == 0 {
+		return fmt.Errorf("authorization server at %s does not implement PKCE", issuerURL)
+	}
+
+	return nil
+}