feat: add PKCE + Dynamic Client Registration for ChatGPT OAuth compliance

ChatGPT Apps SDK requires two things our OAuth implementation was missing:

1. Dynamic Client Registration (RFC 7591):
   - New POST /api/oauth/register endpoint
   - ChatGPT registers before starting the OAuth flow to get client_id/secret
   - registration_endpoint added to /.well-known/oauth-authorization-server

2. PKCE with S256 (RFC 7636) — mandatory for ChatGPT:
   - authorize endpoint now stores code_challenge with each auth code
   - token endpoint verifies code_verifier via SHA-256 base64url comparison
   - client_credentials flow preserved for legacy direct API access

Also: allow ChatGPT redirect URI (chatgpt.com, platform.openai.com),
refactor validateBearerToken to check both random issued tokens (new)
and legacy HMAC-derived tokens (backward compat).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: theo-learner

src/app/.well-known/oauth-authorization-server/route.ts

@@ -1,7 +1,7 @@
 /**
  * OAuth 2.0 Authorization Server Metadata (RFC 8414)
  * Required for MCP 2025-03-26 OAuth discovery.
- * ChatGPT uses this to discover token/authorize endpoints automatically.
+ * ChatGPT uses this to discover token/authorize/register endpoints automatically.
  */
 
 import { NextRequest, NextResponse } from 'next/server';
@@ -16,6 +16,7 @@ export async function GET(request: NextRequest) {
     issuer: base,
     authorization_endpoint: `${base}/api/oauth/authorize`,
     token_endpoint: `${base}/api/oauth/token`,
+    registration_endpoint: `${base}/api/oauth/register`,
     response_types_supported: ['code'],
     grant_types_supported: ['authorization_code', 'client_credentials'],
     token_endpoint_auth_methods_supported: ['client_secret_basic', 'client_secret_post'],

src/app/api/oauth/authorize/route.ts

@@ -1,20 +1,41 @@
 /**
- * OAuth 2.0 Authorization Endpoint
- * Handles authorization code flow for ChatGPT MCP app registration.
- * Auto-approves requests with valid client_id (no user login required for M2M).
+ * OAuth 2.0 Authorization Endpoint — RFC 6749 + PKCE (RFC 7636)
+ * Handles authorization code flow with PKCE for ChatGPT MCP app registration.
+ * Auto-approves all requests (no user login needed — MCP is a service connection).
  */
 
 import { NextRequest, NextResponse } from 'next/server';
-import { getOAuthClientId, issueAuthCode } from '@/lib/oauth-token';
+import { getOAuthClientId, getDynamicClient, issueAuthCode } from '@/lib/oauth-token';
 
 export const dynamic = 'force-dynamic';
 
+/** ChatGPT's production redirect URI (must be allowed). */
+const ALLOWED_REDIRECT_ORIGINS = [
+  'https://chatgpt.com',
+  'https://platform.openai.com',
+];
+
+function isAllowedRedirectUri(uri: string): boolean {
+  try {
+    const url = new URL(uri);
+    // Allow ChatGPT's redirect URIs
+    if (ALLOWED_REDIRECT_ORIGINS.some(origin => url.origin === origin)) return true;
+    // Allow localhost for development
+    if (url.hostname === 'localhost' || url.hostname === '127.0.0.1') return true;
+    return false;
+  } catch {
+    return false;
+  }
+}
+
 export async function GET(request: NextRequest) {
   const { searchParams } = new URL(request.url);
   const clientId = searchParams.get('client_id');
   const redirectUri = searchParams.get('redirect_uri');
   const responseType = searchParams.get('response_type');
   const state = searchParams.get('state');
+  const codeChallenge = searchParams.get('code_challenge') || undefined;
+  const codeChallengeMethod = searchParams.get('code_challenge_method') || undefined;
 
   if (responseType !== 'code') {
     return NextResponse.json(
@@ -23,7 +44,18 @@ export async function GET(request: NextRequest) {
     );
   }
 
-  if (clientId !== getOAuthClientId()) {
+  if (!clientId) {
+    return NextResponse.json(
+      { error: 'invalid_request', error_description: 'client_id is required.' },
+      { status: 400 }
+    );
+  }
+
+  // Accept both static client and dynamic DCR clients
+  const isStaticClient = clientId === getOAuthClientId();
+  const isDynamicClient = !isStaticClient && !!getDynamicClient(clientId);
+
+  if (!isStaticClient && !isDynamicClient) {
     return NextResponse.json(
       { error: 'unauthorized_client', error_description: 'Unknown client_id.' },
       { status: 401 }
@@ -37,6 +69,24 @@ export async function GET(request: NextRequest) {
     );
   }
 
+  if (!isAllowedRedirectUri(redirectUri)) {
+    return NextResponse.json(
+      { error: 'invalid_request', error_description: 'redirect_uri is not allowed.' },
+      { status: 400 }
+    );
+  }
+
+  // PKCE: S256 is the only supported method
+  if (codeChallenge && codeChallengeMethod && codeChallengeMethod !== 'S256') {
+    return NextResponse.json(
+      { error: 'invalid_request', error_description: 'Only code_challenge_method=S256 is supported.' },
+      { status: 400 }
+    );
+  }
+
+  // Auto-approve: issue the authorization code
+  const code = issueAuthCode(clientId, codeChallenge, codeChallengeMethod);
+
   let redirectUrl: URL;
   try {
     redirectUrl = new URL(redirectUri);
@@ -47,7 +97,6 @@ export async function GET(request: NextRequest) {
     );
   }
 
-  const code = issueAuthCode(clientId);
   redirectUrl.searchParams.set('code', code);
   if (state) redirectUrl.searchParams.set('state', state);
 

src/app/api/oauth/register/route.ts

@@ -0,0 +1,38 @@
+/**
+ * OAuth 2.0 Dynamic Client Registration Endpoint — RFC 7591
+ * ChatGPT Apps SDK performs DCR before starting the OAuth flow.
+ * Returns a unique client_id and client_secret for each registration.
+ */
+
+import { NextRequest, NextResponse } from 'next/server';
+import { registerDynamicClient } from '@/lib/oauth-token';
+
+export const dynamic = 'force-dynamic';
+
+export async function POST(request: NextRequest) {
+  let body: Record<string, unknown> = {};
+  try {
+    const text = await request.text();
+    if (text) body = JSON.parse(text);
+  } catch {
+    // Accept registrations with no body (redirect_uris defaults to empty)
+  }
+
+  const redirectUris: string[] = Array.isArray(body.redirect_uris) ? body.redirect_uris : [];
+  const { clientId, clientSecret } = registerDynamicClient(redirectUris);
+
+  // RFC 7591 response
+  return NextResponse.json(
+    {
+      client_id: clientId,
+      client_secret: clientSecret,
+      client_id_issued_at: Math.floor(Date.now() / 1000),
+      client_secret_expires_at: 0, // 0 = never expires
+      redirect_uris: redirectUris,
+      token_endpoint_auth_method: 'client_secret_basic',
+      grant_types: ['authorization_code'],
+      response_types: ['code'],
+    },
+    { status: 201 }
+  );
+}

src/app/api/oauth/token/route.ts

@@ -1,15 +1,19 @@
 /**
- * OAuth 2.0 Token Endpoint
+ * OAuth 2.0 Token Endpoint — RFC 6749 + PKCE (RFC 7636)
  * Issues access tokens for ChatGPT MCP app authentication.
- * Supports: authorization_code, client_credentials grant types.
- * Client credentials accepted via Basic auth header or request body.
+ * Supports:
+ *   - authorization_code + PKCE (ChatGPT's required flow)
+ *   - client_credentials (legacy / direct API users)
+ * Client auth via Basic header or request body.
  */
 
 import { NextRequest, NextResponse } from 'next/server';
 import {
   getOAuthClientId,
   getOAuthClientSecret,
+  validateDynamicClient,
   consumeAuthCode,
+  issueAccessToken,
   deriveAccessToken,
   ACCESS_TOKEN_TTL_SECONDS,
 } from '@/lib/oauth-token';
@@ -22,13 +26,17 @@ function extractClientCredentials(
 ): { clientId: string | null; clientSecret: string | null } {
   const authHeader = request.headers.get('authorization');
   if (authHeader?.startsWith('Basic ')) {
-    const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8');
-    const colonIndex = decoded.indexOf(':');
-    if (colonIndex !== -1) {
-      return {
-        clientId: decoded.slice(0, colonIndex) || null,
-        clientSecret: decoded.slice(colonIndex + 1) || null,
-      };
+    try {
+      const decoded = Buffer.from(authHeader.slice(6), 'base64').toString('utf-8');
+      const colonIndex = decoded.indexOf(':');
+      if (colonIndex !== -1) {
+        return {
+          clientId: decoded.slice(0, colonIndex) || null,
+          clientSecret: decoded.slice(colonIndex + 1) || null,
+        };
+      }
+    } catch {
+      // fall through to body
     }
   }
   return {
@@ -37,6 +45,19 @@ function extractClientCredentials(
   };
 }
 
+/** Validate client credentials: accepts both static and DCR clients. */
+function isValidClient(clientId: string | null, clientSecret: string | null): boolean {
+  if (!clientId || !clientSecret) return false;
+
+  // Static pre-configured client
+  const staticId = getOAuthClientId();
+  const staticSecret = getOAuthClientSecret();
+  if (clientId === staticId && staticSecret && clientSecret === staticSecret) return true;
+
+  // Dynamic DCR client
+  return validateDynamicClient(clientId, clientSecret);
+}
+
 export async function POST(request: NextRequest) {
   let body: URLSearchParams;
   try {
@@ -46,39 +67,51 @@ export async function POST(request: NextRequest) {
     return NextResponse.json({ error: 'invalid_request' }, { status: 400 });
   }
 
-  const configuredSecret = getOAuthClientSecret();
-  if (!configuredSecret) {
-    return NextResponse.json(
-      { error: 'server_error', error_description: 'OAuth is not configured on this server.' },
-      { status: 500 }
-    );
-  }
-
   const { clientId, clientSecret } = extractClientCredentials(request, body);
-  const configuredClientId = getOAuthClientId();
 
-  if (clientId !== configuredClientId || clientSecret !== configuredSecret) {
+  if (!isValidClient(clientId, clientSecret)) {
     return NextResponse.json({ error: 'invalid_client' }, { status: 401 });
   }
 
   const grantType = body.get('grant_type');
 
-  if (grantType === 'client_credentials') {
+  if (grantType === 'authorization_code') {
+    const code = body.get('code');
+    const codeVerifier = body.get('code_verifier') || undefined;
+
+    if (!code || !clientId) {
+      return NextResponse.json(
+        { error: 'invalid_request', error_description: 'code is required.' },
+        { status: 400 }
+      );
+    }
+
+    if (!consumeAuthCode(code, clientId, codeVerifier)) {
+      return NextResponse.json(
+        { error: 'invalid_grant', error_description: 'Authorization code is invalid, expired, or PKCE verification failed.' },
+        { status: 400 }
+      );
+    }
+
     return NextResponse.json({
-      access_token: deriveAccessToken(configuredSecret),
+      access_token: issueAccessToken(),
       token_type: 'Bearer',
       expires_in: ACCESS_TOKEN_TTL_SECONDS,
     });
   }
 
-  if (grantType === 'authorization_code') {
-    const code = body.get('code');
-    if (!code || !consumeAuthCode(code, clientId)) {
+  if (grantType === 'client_credentials') {
+    const configuredSecret = getOAuthClientSecret();
+    if (!configuredSecret) {
       return NextResponse.json(
-        { error: 'invalid_grant', error_description: 'Authorization code is invalid or expired.' },
-        { status: 400 }
+        { error: 'server_error', error_description: 'OAuth is not configured.' },
+        { status: 500 }
       );
     }
+    // Static client only for client_credentials
+    if (clientId !== getOAuthClientId()) {
+      return NextResponse.json({ error: 'invalid_client' }, { status: 401 });
+    }
     return NextResponse.json({
       access_token: deriveAccessToken(configuredSecret),
       token_type: 'Bearer',