diff --git a/auth/client.go b/auth/client.go
index 2dda1351..7c65e9de 100644
--- a/auth/client.go
+++ b/auth/client.go
@@ -12,7 +12,7 @@ import (
 "net/http"
 "sync"
- "github.com/modelcontextprotocol/go-sdk/internal/oauthex"
+ "github.com/modelcontextprotocol/go-sdk/oauthex"
 "golang.org/x/oauth2"
 )
diff --git a/oauthex/auth_meta.go b/oauthex/auth_meta.go
new file mode 100644
index 00000000..73b8fb10
--- /dev/null
+++ b/oauthex/auth_meta.go
@@ -0,0 +1,147 @@
+// Copyright 2025 The Go MCP SDK Authors. All rights reserved.
+// Use of this source code is governed by an MIT-style
+// license that can be found in the LICENSE file.
+
+// This file implements Authorization Server Metadata.
+// See https://www.rfc-editor.org/rfc/rfc8414.html.
+
+//go:build mcp_go_client_oauth
+
+package oauthex
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "net/http"
+)
+
+// AuthServerMeta represents the metadata for an OAuth 2.0 authorization server,
+// as defined in [RFC 8414].
+//
+// Not supported:
+// - signed metadata
+//
+// [RFC 8414]: https://tools.ietf.org/html/rfc8414)
+type AuthServerMeta struct {
+ // GENERATED BY GEMINI 2.5.
+
+ // Issuer is the REQUIRED URL identifying the authorization server.
+ Issuer string `json:"issuer"`
+
+ // AuthorizationEndpoint is the REQUIRED URL of the server's OAuth 2.0 authorization endpoint.
+ AuthorizationEndpoint string `json:"authorization_endpoint"`
+
+ // TokenEndpoint is the REQUIRED URL of the server's OAuth 2.0 token endpoint.
+ TokenEndpoint string `json:"token_endpoint"`
+
+ // JWKSURI is the REQUIRED URL of the server's JSON Web Key Set [JWK] document.
+ JWKSURI string `json:"jwks_uri"`
+
+ // RegistrationEndpoint is the RECOMMENDED URL of the server's OAuth 2.0 Dynamic Client Registration endpoint.
+ RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
+
+ // ScopesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
+ // "scope" values that this server supports.
+ ScopesSupported []string `json:"scopes_supported,omitempty"`
+
+ // ResponseTypesSupported is a REQUIRED JSON array of strings containing a list of the OAuth 2.0
+ // "response_type" values that this server supports.
+ ResponseTypesSupported []string `json:"response_types_supported"`
+
+ // ResponseModesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
+ // "response_mode" values that this server supports.
+ ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
+
+ // GrantTypesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
+ // grant type values that this server supports.
+ GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
+
+ // TokenEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing a list of
+ // client authentication methods supported by this token endpoint.
+ TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
+
+ // TokenEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings containing
+ // a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for
+ // the signature on the JWT used to authenticate the client.
+ TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+ // ServiceDocumentation is a RECOMMENDED URL of a page containing human-readable documentation
+ // for the service.
+ ServiceDocumentation string `json:"service_documentation,omitempty"`
+
+ // UILocalesSupported is a RECOMMENDED JSON array of strings representing supported
+ // BCP47 [RFC5646] language tag values for display in the user interface.
+ UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
+
+ // OpPolicyURI is a RECOMMENDED URL that the server provides to the person registering
+ // the client to read about the server's operator policies.
+ OpPolicyURI string `json:"op_policy_uri,omitempty"`
+
+ // OpTOSURI is a RECOMMENDED URL that the server provides to the person registering the
+ // client to read about the server's terms of service.
+ OpTOSURI string `json:"op_tos_uri,omitempty"`
+
+ // RevocationEndpoint is a RECOMMENDED URL of the server's OAuth 2.0 revocation endpoint.
+ RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
+
+ // RevocationEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing
+ // a list of client authentication methods supported by this revocation endpoint.
+ RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
+
+ // RevocationEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings
+ // containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
+ // endpoint for the signature on the JWT used to authenticate the client.
+ RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+ // IntrospectionEndpoint is a RECOMMENDED URL of the server's OAuth 2.0 introspection endpoint.
+ IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
+
+ // IntrospectionEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing
+ // a list of client authentication methods supported by this introspection endpoint.
+ IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
+
+ // IntrospectionEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings
+ // containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
+ // endpoint for the signature on the JWT used to authenticate the client.
+ IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
+
+ // CodeChallengeMethodsSupported is a RECOMMENDED JSON array of strings containing a list of
+ // PKCE code challenge methods supported by this authorization server.
+ CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
+}
+
+var wellKnownPaths = []string{
+ "/.well-known/oauth-authorization-server",
+ "/.well-known/openid-configuration",
+}
+
+// GetAuthServerMeta issues a GET request to retrieve authorization server metadata
+// from an OAuth authorization server with the given issuerURL.
+//
+// It follows [RFC 8414]:
+// - The well-known paths specified there are inserted into the URL's path, one at time.
+// The first to succeed is used.
+// - The Issuer field is checked against issuerURL.
+//
+// [RFC 8414]: https://tools.ietf.org/html/rfc8414
+func GetAuthServerMeta(ctx context.Context, issuerURL string, c *http.Client) (*AuthServerMeta, error) {
+ var errs []error
+ for _, p := range wellKnownPaths {
+ u, err := prependToPath(issuerURL, p)
+ if err != nil {
+ // issuerURL is bad; no point in continuing.
+ return nil, err
+ }
+ asm, err := getJSON[AuthServerMeta](ctx, c, u, 1<<20)
+ if err == nil {
+ if asm.Issuer != issuerURL { // section 3.3
+ // Security violation; don't keep trying.
+ return nil, fmt.Errorf("metadata issuer %q does not match issuer URL %q", asm.Issuer, issuerURL)
+ }
+ return asm, nil
+ }
+ errs = append(errs, err)
+ }
+ return nil, fmt.Errorf("failed to get auth server metadata from %q: %w", issuerURL, errors.Join(errs...))
+}
diff --git a/oauthex/auth_meta_test.go b/oauthex/auth_meta_test.go
new file mode 100644
index 00000000..bee8f900
--- /dev/null
+++ b/oauthex/auth_meta_test.go
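Review bot: GetAuthServerMeta never checks the scheme of issuerURL before entering the well-known fetch loop, so unless prependToPath (defined outside this hunk) rejects it, a non-https issuer identifier — which typically arrives from a protected resource's authorization_servers list — is fetched over plaintext and the later Issuer comparison then validates a document that had no transport protection. RFC 8414 §2 requires the issuer identifier to be an https URL with no query or fragment, so a guard at the top of the function, `if u, err := url.Parse(issuerURL); err != nil || u.Scheme != "https" || u.RawQuery != "" || u.Fragment != "" {` `return nil, fmt.Errorf("issuer URL %q must be https with no query or fragment", issuerURL)` `}`, pins that down (it needs "net/url" added to the import block). The exact string comparison `asm.Issuer != issuerURL` is the correct §3.3 check and should stay as written. Two doc nits in the AuthServerMeta comment: the link definition `[RFC 8414]: https://tools.ietf.org/html/rfc8414)` carries a stray closing parenthesis, and `[JWK]` has no matching link definition, so go doc renders both literally; the GetAuthServerMeta comment also reads "one at time" for "one at a time".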
@@ -0,0 +1,30 @@
+// Copyright 2025 The Go MCP SDK Authors. All rights reserved.
+// Use of this source code is governed by an MIT-style
+// license that can be found in the LICENSE file.
+
+//go:build mcp_go_client_oauth
+
+package oauthex
+
+import (
+ "encoding/json"
+ "os"
+ "path/filepath"
+ "testing"
+)
+
+func TestAuthMetaParse(t *testing.T) {
+ // Verify that we parse Google's auth server metadata.
+ data, err := os.ReadFile(filepath.FromSlash("testdata/google-auth-meta.json"))
+ if err != nil {
+ t.Fatal(err)
+ }
+ var a AuthServerMeta
+ if err := json.Unmarshal(data, &a); err != nil {
+ t.Fatal(err)
+ }
+ // Spot check.
+ if g, w := a.Issuer, "https://accounts.google.com"; g != w {
+ t.Errorf("got %q, want %q", g, w)
+ }
+}
diff --git a/internal/oauthex/auth_meta.go b/oauthex/dcr.go
similarity index 55%
rename from internal/oauthex/auth_meta.go
rename to oauthex/dcr.go
index 5bbbb412..75ce2961 100644
--- a/internal/oauthex/auth_meta.go
+++ b/oauthex/dcr.go
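Review bot: TestAuthMetaParse now sits behind the `//go:build mcp_go_client_oauth` constraint added near the top of this file, so a plain `go test ./oauthex/...` compiles none of it and the move silently drops the test from the default run. Confirm that the CI invocation passes `-tags mcp_go_client_oauth`; the same concern applies to dcr_test.go and oauth2_test.go, which gain the constraint later in this diff.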
@@ -5,114 +5,20 @@
 // This file implements Authorization Server Metadata.
 // See https://www.rfc-editor.org/rfc/rfc8414.html.
+//go:build mcp_go_client_oauth
+
 package oauthex
 import (
 "bytes"
 "context"
 "encoding/json"
- "errors"
 "fmt"
 "io"
 "net/http"
 "time"
 )
-// AuthServerMeta represents the metadata for an OAuth 2.0 authorization server,
-// as defined in [RFC 8414].
-//
-// Not supported:
-// - signed metadata
-//
-// [RFC 8414]: https://tools.ietf.org/html/rfc8414)
-type AuthServerMeta struct {
- // GENERATED BY GEMINI 2.5.
-
- // Issuer is the REQUIRED URL identifying the authorization server.
- Issuer string `json:"issuer"`
-
- // AuthorizationEndpoint is the REQUIRED URL of the server's OAuth 2.0 authorization endpoint.
- AuthorizationEndpoint string `json:"authorization_endpoint"`
-
- // TokenEndpoint is the REQUIRED URL of the server's OAuth 2.0 token endpoint.
- TokenEndpoint string `json:"token_endpoint"`
-
- // JWKSURI is the REQUIRED URL of the server's JSON Web Key Set [JWK] document.
- JWKSURI string `json:"jwks_uri"`
-
- // RegistrationEndpoint is the RECOMMENDED URL of the server's OAuth 2.0 Dynamic Client Registration endpoint.
- RegistrationEndpoint string `json:"registration_endpoint,omitempty"`
-
- // ScopesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
- // "scope" values that this server supports.
- ScopesSupported []string `json:"scopes_supported,omitempty"`
-
- // ResponseTypesSupported is a REQUIRED JSON array of strings containing a list of the OAuth 2.0
- // "response_type" values that this server supports.
- ResponseTypesSupported []string `json:"response_types_supported"`
-
- // ResponseModesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
- // "response_mode" values that this server supports.
- ResponseModesSupported []string `json:"response_modes_supported,omitempty"`
-
- // GrantTypesSupported is a RECOMMENDED JSON array of strings containing a list of the OAuth 2.0
- // grant type values that this server supports.
- GrantTypesSupported []string `json:"grant_types_supported,omitempty"`
-
- // TokenEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing a list of
- // client authentication methods supported by this token endpoint.
- TokenEndpointAuthMethodsSupported []string `json:"token_endpoint_auth_methods_supported,omitempty"`
-
- // TokenEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings containing
- // a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for
- // the signature on the JWT used to authenticate the client.
- TokenEndpointAuthSigningAlgValuesSupported []string `json:"token_endpoint_auth_signing_alg_values_supported,omitempty"`
-
- // ServiceDocumentation is a RECOMMENDED URL of a page containing human-readable documentation
- // for the service.
- ServiceDocumentation string `json:"service_documentation,omitempty"`
-
- // UILocalesSupported is a RECOMMENDED JSON array of strings representing supported
- // BCP47 [RFC5646] language tag values for display in the user interface.
- UILocalesSupported []string `json:"ui_locales_supported,omitempty"`
-
- // OpPolicyURI is a RECOMMENDED URL that the server provides to the person registering
- // the client to read about the server's operator policies.
- OpPolicyURI string `json:"op_policy_uri,omitempty"`
-
- // OpTOSURI is a RECOMMENDED URL that the server provides to the person registering the
- // client to read about the server's terms of service.
- OpTOSURI string `json:"op_tos_uri,omitempty"`
-
- // RevocationEndpoint is a RECOMMENDED URL of the server's OAuth 2.0 revocation endpoint.
- RevocationEndpoint string `json:"revocation_endpoint,omitempty"`
-
- // RevocationEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing
- // a list of client authentication methods supported by this revocation endpoint.
- RevocationEndpointAuthMethodsSupported []string `json:"revocation_endpoint_auth_methods_supported,omitempty"`
-
- // RevocationEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings
- // containing a list of the JWS signing algorithms ("alg" values) supported by the revocation
- // endpoint for the signature on the JWT used to authenticate the client.
- RevocationEndpointAuthSigningAlgValuesSupported []string `json:"revocation_endpoint_auth_signing_alg_values_supported,omitempty"`
-
- // IntrospectionEndpoint is a RECOMMENDED URL of the server's OAuth 2.0 introspection endpoint.
- IntrospectionEndpoint string `json:"introspection_endpoint,omitempty"`
-
- // IntrospectionEndpointAuthMethodsSupported is a RECOMMENDED JSON array of strings containing
- // a list of client authentication methods supported by this introspection endpoint.
- IntrospectionEndpointAuthMethodsSupported []string `json:"introspection_endpoint_auth_methods_supported,omitempty"`
-
- // IntrospectionEndpointAuthSigningAlgValuesSupported is a RECOMMENDED JSON array of strings
- // containing a list of the JWS signing algorithms ("alg" values) supported by the introspection
- // endpoint for the signature on the JWT used to authenticate the client.
- IntrospectionEndpointAuthSigningAlgValuesSupported []string `json:"introspection_endpoint_auth_signing_alg_values_supported,omitempty"`
-
- // CodeChallengeMethodsSupported is a RECOMMENDED JSON array of strings containing a list of
- // PKCE code challenge methods supported by this authorization server.
- CodeChallengeMethodsSupported []string `json:"code_challenge_methods_supported,omitempty"`
-}
-
 // ClientRegistrationMetadata represents the client metadata fields for the DCR POST request (RFC 7591).
 type ClientRegistrationMetadata struct {
 // RedirectURIs is a REQUIRED JSON array of redirection URI strings for use in
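Review bot: The file header kept as context at the top of this hunk, `// This file implements Authorization Server Metadata.` and `// See https://www.rfc-editor.org/rfc/rfc8414.html.`, is now wrong for dcr.go: the hunk removes AuthServerMeta, and the first type left in the file is ClientRegistrationMetadata for the RFC 7591 registration request. Change the two lines to `// This file implements Dynamic Client Registration.` and `// See https://www.rfc-editor.org/rfc/rfc7591.html.` so the header matches the new file name; the authorization-server-metadata header already appears in the new oauthex/auth_meta.go.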
@@ -260,41 +166,6 @@ func (e *ClientRegistrationError) Error() string {
 return fmt.Sprintf("registration failed: %s (%s)", e.ErrorCode, e.ErrorDescription)
 }
-var wellKnownPaths = []string{
- "/.well-known/oauth-authorization-server",
- "/.well-known/openid-configuration",
-}
-
-// GetAuthServerMeta issues a GET request to retrieve authorization server metadata
-// from an OAuth authorization server with the given issuerURL.
-//
-// It follows [RFC 8414]:
-// - The well-known paths specified there are inserted into the URL's path, one at time.
-// The first to succeed is used.
-// - The Issuer field is checked against issuerURL.
-//
-// [RFC 8414]: https://tools.ietf.org/html/rfc8414
-func GetAuthServerMeta(ctx context.Context, issuerURL string, c *http.Client) (*AuthServerMeta, error) {
- var errs []error
- for _, p := range wellKnownPaths {
- u, err := prependToPath(issuerURL, p)
- if err != nil {
- // issuerURL is bad; no point in continuing.
- return nil, err
- }
- asm, err := getJSON[AuthServerMeta](ctx, c, u, 1<<20)
- if err == nil {
- if asm.Issuer != issuerURL { // section 3.3
- // Security violation; don't keep trying.
- return nil, fmt.Errorf("metadata issuer %q does not match issuer URL %q", asm.Issuer, issuerURL)
- }
- return asm, nil
- }
- errs = append(errs, err)
- }
- return nil, fmt.Errorf("failed to get auth server metadata from %q: %w", issuerURL, errors.Join(errs...))
-}
-
 // RegisterClient performs Dynamic Client Registration according to RFC 7591.
 func RegisterClient(ctx context.Context, registrationEndpoint string, clientMeta *ClientRegistrationMetadata, c *http.Client) (*ClientRegistrationResponse, error) {
 if registrationEndpoint == "" {
diff --git a/internal/oauthex/auth_meta_test.go b/oauthex/dcr_test.go
similarity index 94%
rename from internal/oauthex/auth_meta_test.go
rename to oauthex/dcr_test.go
index 6ff9f3dd..7c5551ed 100644
--- a/internal/oauthex/auth_meta_test.go
+++ b/oauthex/dcr_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by an MIT-style
 // license that can be found in the LICENSE file.
+//go:build mcp_go_client_oauth
+
 package oauthex
 import (
@@ -19,22 +21,6 @@ import (
 "github.com/google/go-cmp/cmp"
 )
-func TestAuthMetaParse(t *testing.T) {
- // Verify that we parse Google's auth server metadata.
- data, err := os.ReadFile(filepath.FromSlash("testdata/google-auth-meta.json"))
- if err != nil {
- t.Fatal(err)
- }
- var a AuthServerMeta
- if err := json.Unmarshal(data, &a); err != nil {
- t.Fatal(err)
- }
- // Spot check.
- if g, w := a.Issuer, "https://accounts.google.com"; g != w {
- t.Errorf("got %q, want %q", g, w)
- }
-}
-
 func TestClientRegistrationMetadataParse(t *testing.T) {
 // Verify that we can parse a typical client metadata JSON.
 data, err := os.ReadFile(filepath.FromSlash("testdata/client-auth-meta.json"))
diff --git a/internal/oauthex/oauth2.go b/oauthex/oauth2.go
similarity index 98%
rename from internal/oauthex/oauth2.go
rename to oauthex/oauth2.go
index fc08c6b4..f876be03 100644
--- a/internal/oauthex/oauth2.go
+++ b/oauthex/oauth2.go
@@ -3,6 +3,9 @@
 // license that can be found in the LICENSE file.
 // Package oauthex implements extensions to OAuth2.
+
+//go:build mcp_go_client_oauth
+
 package oauthex
 import (
diff --git a/internal/oauthex/oauth2_test.go b/oauthex/oauth2_test.go
similarity index 99%
rename from internal/oauthex/oauth2_test.go
rename to oauthex/oauth2_test.go
index 9c3da156..e4c71cbe 100644
--- a/internal/oauthex/oauth2_test.go
+++ b/oauthex/oauth2_test.go
@@ -2,6 +2,8 @@
 // Use of this source code is governed by an MIT-style
 // license that can be found in the LICENSE file.
+//go:build mcp_go_client_oauth
+
 package oauthex
 import (
diff --git a/oauthex/oauthex.go b/oauthex/oauthex.go
index 3c28dce9..34ed55b5 100644
--- a/oauthex/oauthex.go
+++ b/oauthex/oauthex.go
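Review bot: In the oauth2.go hunk the build constraint is inserted between `// Package oauthex implements extensions to OAuth2.` and `package oauthex`, with a blank line on each side, so that comment is no longer a doc comment attached to the package clause and go doc will not pick it up from this file. Since oauthex.go keeps an identical package comment and is the one file in this diff without the constraint, the cleanest fix is to delete the now-detached line from oauth2.go; alternatively place `//go:build mcp_go_client_oauth` above it, directly after the license header, as the dcr_test.go and oauth2_test.go hunks on this line already do.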
@@ -5,10 +5,88 @@
 // Package oauthex implements extensions to OAuth2.
 package oauthex
-import (
- "github.com/modelcontextprotocol/go-sdk/internal/oauthex"
-)
-
 // ProtectedResourceMetadata is the metadata for an OAuth 2.0 protected resource,
 // as defined in section 2 of https://www.rfc-editor.org/rfc/rfc9728.html.
-type ProtectedResourceMetadata = oauthex.ProtectedResourceMetadata
+//
+// The following features are not supported:
+// - additional keys (§2, last sentence)
+// - human-readable metadata (§2.1)
+// - signed metadata (§2.2)
+type ProtectedResourceMetadata struct {
+ // GENERATED BY GEMINI 2.5.
+
+ // Resource (resource) is the protected resource's resource identifier.
+ // Required.
+ Resource string `json:"resource"`
+
+ // AuthorizationServers (authorization_servers) is an optional slice containing a list of
+ // OAuth authorization server issuer identifiers (as defined in RFC 8414) that can be
+ // used with this protected resource.
+ AuthorizationServers []string `json:"authorization_servers,omitempty"`
+
+ // JWKSURI (jwks_uri) is an optional URL of the protected resource's JSON Web Key (JWK) Set
+ // document. This contains public keys belonging to the protected resource, such as
+ // signing key(s) that the resource server uses to sign resource responses.
+ JWKSURI string `json:"jwks_uri,omitempty"`
+
+ // ScopesSupported (scopes_supported) is a recommended slice containing a list of scope
+ // values (as defined in RFC 6749) used in authorization requests to request access
+ // to this protected resource.
+ ScopesSupported []string `json:"scopes_supported,omitempty"`
+
+ // BearerMethodsSupported (bearer_methods_supported) is an optional slice containing
+ // a list of the supported methods of sending an OAuth 2.0 bearer token to the
+ // protected resource. Defined values are "header", "body", and "query".
+ BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
+
+ // ResourceSigningAlgValuesSupported (resource_signing_alg_values_supported) is an optional
+ // slice of JWS signing algorithms (alg values) supported by the protected
+ // resource for signing resource responses.
+ ResourceSigningAlgValuesSupported []string `json:"resource_signing_alg_values_supported,omitempty"`
+
+ // ResourceName (resource_name) is a human-readable name of the protected resource
+ // intended for display to the end user. It is RECOMMENDED that this field be included.
+ // This value may be internationalized.
+ ResourceName string `json:"resource_name,omitempty"`
+
+ // ResourceDocumentation (resource_documentation) is an optional URL of a page containing
+ // human-readable information for developers using the protected resource.
+ // This value may be internationalized.
+ ResourceDocumentation string `json:"resource_documentation,omitempty"`
+
+ // ResourcePolicyURI (resource_policy_uri) is an optional URL of a page containing
+ // human-readable policy information on how a client can use the data provided.
+ // This value may be internationalized.
+ ResourcePolicyURI string `json:"resource_policy_uri,omitempty"`
+
+ // ResourceTOSURI (resource_tos_uri) is an optional URL of a page containing the protected
+ // resource's human-readable terms of service. This value may be internationalized.
+ ResourceTOSURI string `json:"resource_tos_uri,omitempty"`
+
+ // TLSClientCertificateBoundAccessTokens (tls_client_certificate_bound_access_tokens) is an
+ // optional boolean indicating support for mutual-TLS client certificate-bound
+ // access tokens (RFC 8705). Defaults to false if omitted.
+ TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
+
+ // AuthorizationDetailsTypesSupported (authorization_details_types_supported) is an optional
+ // slice of 'type' values supported by the resource server for the
+ // 'authorization_details' parameter (RFC 9396).
+ AuthorizationDetailsTypesSupported []string `json:"authorization_details_types_supported,omitempty"`
+
+ // DPOPSigningAlgValuesSupported (dpop_signing_alg_values_supported) is an optional
+ // slice of JWS signing algorithms supported by the resource server for validating
+ // DPoP proof JWTs (RFC 9449).
+ DPOPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`
+
+ // DPOPBoundAccessTokensRequired (dpop_bound_access_tokens_required) is an optional boolean
+ // specifying whether the protected resource always requires the use of DPoP-bound
+ // access tokens (RFC 9449). Defaults to false if omitted.
+ DPOPBoundAccessTokensRequired bool `json:"dpop_bound_access_tokens_required,omitempty"`
+
+ // SignedMetadata (signed_metadata) is an optional JWT containing metadata parameters
+ // about the protected resource as claims. If present, these values take precedence
+ // over values conveyed in plain JSON.
+ // TODO:implement.
+ // Note that §2.2 says it's okay to ignore this.
+ // SignedMetadata string `json:"signed_metadata,omitempty"`
+}
diff --git a/internal/oauthex/resource_meta.go b/oauthex/resource_meta.go
similarity index 67%
rename from internal/oauthex/resource_meta.go
rename to oauthex/resource_meta.go
index 5787fb1b..e584b068 100644
--- a/internal/oauthex/resource_meta.go
+++ b/oauthex/resource_meta.go
@@ -5,6 +5,8 @@
 // This file implements Protected Resource Metadata.
 // See https://www.rfc-editor.org/rfc/rfc9728.html.
+//go:build mcp_go_client_oauth
+
 package oauthex
 import (
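Review bot: The package comment `// Package oauthex implements extensions to OAuth2.` that the oauthex.go hunk keeps as context says nothing about the build tag, yet every other file in this diff gains `//go:build mcp_go_client_oauth` while oauthex.go does not, so a caller importing the package without that tag sees only ProtectedResourceMetadata and none of the code that fetches or registers anything. Extend the comment with `//` `// Only ProtectedResourceMetadata is built unconditionally; the metadata-fetching and` `// client-registration code requires the mcp_go_client_oauth build tag.` so the split is discoverable from go doc. One wording point on the new struct's doc: "additional keys (§2, last sentence)" listed under "not supported" reads as if unknown members are rejected, but assuming the type is decoded with encoding/json as its tags suggest, unknown members are silently dropped, so `// - additional keys (§2, last sentence) are ignored, not rejected` states the actual behavior.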
@@ -22,92 +24,6 @@ import (
 const defaultProtectedResourceMetadataURI = "/.well-known/oauth-protected-resource"
-// ProtectedResourceMetadata is the metadata for an OAuth 2.0 protected resource,
-// as defined in section 2 of https://www.rfc-editor.org/rfc/rfc9728.html.
-//
-// The following features are not supported:
-// - additional keys (§2, last sentence)
-// - human-readable metadata (§2.1)
-// - signed metadata (§2.2)
-type ProtectedResourceMetadata struct {
- // GENERATED BY GEMINI 2.5.
-
- // Resource (resource) is the protected resource's resource identifier.
- // Required.
- Resource string `json:"resource"`
-
- // AuthorizationServers (authorization_servers) is an optional slice containing a list of
- // OAuth authorization server issuer identifiers (as defined in RFC 8414) that can be
- // used with this protected resource.
- AuthorizationServers []string `json:"authorization_servers,omitempty"`
-
- // JWKSURI (jwks_uri) is an optional URL of the protected resource's JSON Web Key (JWK) Set
- // document. This contains public keys belonging to the protected resource, such as
- // signing key(s) that the resource server uses to sign resource responses.
- JWKSURI string `json:"jwks_uri,omitempty"`
-
- // ScopesSupported (scopes_supported) is a recommended slice containing a list of scope
- // values (as defined in RFC 6749) used in authorization requests to request access
- // to this protected resource.
- ScopesSupported []string `json:"scopes_supported,omitempty"`
-
- // BearerMethodsSupported (bearer_methods_supported) is an optional slice containing
- // a list of the supported methods of sending an OAuth 2.0 bearer token to the
- // protected resource. Defined values are "header", "body", and "query".
- BearerMethodsSupported []string `json:"bearer_methods_supported,omitempty"`
-
- // ResourceSigningAlgValuesSupported (resource_signing_alg_values_supported) is an optional
- // slice of JWS signing algorithms (alg values) supported by the protected
- // resource for signing resource responses.
- ResourceSigningAlgValuesSupported []string `json:"resource_signing_alg_values_supported,omitempty"`
-
- // ResourceName (resource_name) is a human-readable name of the protected resource
- // intended for display to the end user. It is RECOMMENDED that this field be included.
- // This value may be internationalized.
- ResourceName string `json:"resource_name,omitempty"`
-
- // ResourceDocumentation (resource_documentation) is an optional URL of a page containing
- // human-readable information for developers using the protected resource.
- // This value may be internationalized.
- ResourceDocumentation string `json:"resource_documentation,omitempty"`
-
- // ResourcePolicyURI (resource_policy_uri) is an optional URL of a page containing
- // human-readable policy information on how a client can use the data provided.
- // This value may be internationalized.
- ResourcePolicyURI string `json:"resource_policy_uri,omitempty"`
-
- // ResourceTOSURI (resource_tos_uri) is an optional URL of a page containing the protected
- // resource's human-readable terms of service. This value may be internationalized.
- ResourceTOSURI string `json:"resource_tos_uri,omitempty"`
-
- // TLSClientCertificateBoundAccessTokens (tls_client_certificate_bound_access_tokens) is an
- // optional boolean indicating support for mutual-TLS client certificate-bound
- // access tokens (RFC 8705). Defaults to false if omitted.
- TLSClientCertificateBoundAccessTokens bool `json:"tls_client_certificate_bound_access_tokens,omitempty"`
-
- // AuthorizationDetailsTypesSupported (authorization_details_types_supported) is an optional
- // slice of 'type' values supported by the resource server for the
- // 'authorization_details' parameter (RFC 9396).
- AuthorizationDetailsTypesSupported []string `json:"authorization_details_types_supported,omitempty"`
-
- // DPOPSigningAlgValuesSupported (dpop_signing_alg_values_supported) is an optional
- // slice of JWS signing algorithms supported by the resource server for validating
- // DPoP proof JWTs (RFC 9449).
- DPOPSigningAlgValuesSupported []string `json:"dpop_signing_alg_values_supported,omitempty"`
-
- // DPOPBoundAccessTokensRequired (dpop_bound_access_tokens_required) is an optional boolean
- // specifying whether the protected resource always requires the use of DPoP-bound
- // access tokens (RFC 9449). Defaults to false if omitted.
- DPOPBoundAccessTokensRequired bool `json:"dpop_bound_access_tokens_required,omitempty"`
-
- // SignedMetadata (signed_metadata) is an optional JWT containing metadata parameters
- // about the protected resource as claims. If present, these values take precedence
- // over values conveyed in plain JSON.
- // TODO:implement.
- // Note that §2.2 says it's okay to ignore this.
- // SignedMetadata string `json:"signed_metadata,omitempty"`
-}
-
 // GetProtectedResourceMetadataFromID issues a GET request to retrieve protected resource
 // metadata from a resource server by its ID.
 // The resource ID is an HTTPS URL, typically with a host:port and possibly a path.
diff --git a/internal/oauthex/testdata/client-auth-meta.json b/oauthex/testdata/client-auth-meta.json
similarity index 100%
rename from internal/oauthex/testdata/client-auth-meta.json
rename to oauthex/testdata/client-auth-meta.json
diff --git a/internal/oauthex/testdata/google-auth-meta.json b/oauthex/testdata/google-auth-meta.json
similarity index 100%
rename from internal/oauthex/testdata/google-auth-meta.json
rename to oauthex/testdata/google-auth-meta.json