[Server] Expose OAuth protected resource metadata as a reusable request handler#391
Open
chr-hertel wants to merge 3 commits into
Open
[Server] Expose OAuth protected resource metadata as a reusable request handler#391chr-hertel wants to merge 3 commits into
chr-hertel wants to merge 3 commits into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The SDK's OAuth "middleware" like
ProtectedResourceMetadataMiddlewareisn't really cross-cutting middleware. It self-selects onGET /.well-known/oauth-protected-resource, short-circuits, and never participates in the JSON-RPC flow — it's an endpoint controller wearing middleware clothing. That makes it awkward to reuse in Symfony/Laravel, which express endpoints as callable controllers rather than PSR-15 middleware.The bridge already sits in the dependency tree: PSR-15's
RequestHandlerInterface::handle(ServerRequestInterface): ResponseInterfaceis structurally identical to a framework callable controller. The framework router decides when; the handler decides what.What
Scoped to
src/Server/Transport/Httponly:ProtectedResourceMetadataHandler— the RFC 9728 endpoint as a plain, transport-neutral PSR-15RequestHandlerInterface. Zero new dependencies.ProtectedResourceMetadataMiddlewareis now a thin path-guard adapter that delegates to it. Public constructor unchanged — fully backward compatible.ProtectedResourceMetadataHandlerTest; the existing middleware test still covers delegation + pass-through.The same shape applies to
ClientRegistrationMiddlewareandOAuthProxyMiddlewareas a follow-up.Using it from a framework
Because the handler is just
handle(ServerRequestInterface): ResponseInterface, you can mount it directly on a framework route instead of routing the well-knownGETthrough the MCP transport.Symfony (constructor-inject the handler; bridge with
symfony/psr-http-message-bridge):Laravel (type-hint the PSR-7 request, return the PSR-7 response directly):
Verification
phpunit --testsuite unit→ green;phpstanclean;php-cs-fixer --dry-runclean.