
@orius123

auth: add OAuth 2.0 Protected Resource Metadata handler with CORS support

This change adds support for RFC 9728 (OAuth 2.0 Protected Resource Metadata)
by introducing a new ProtectedResourceMetadataHandler that serves the
.well-known/oauth-protected-resource endpoint.

The handler includes built-in CORS support with Access-Control-Allow-Origin: *
by default, as OAuth metadata is public information meant for client discovery.
Documentation includes examples for using custom CORS policies with popular
middleware libraries (github.com/rs/cors and github.com/jub0bs/cors).

Changes:

  • Added ProtectedResourceMetadata struct and ProtectedResourceMetadataHandler
    function in auth/auth.go
  • Added comprehensive tests for the new handler in auth/auth_test.go
  • Updated auth-middleware example with OAuth metadata endpoint and CORS
    documentation in examples/server/auth-middleware/
  • Updated protocol documentation to describe the OAuth 2.0 integration

The implementation follows RFC 9728 §3.1 for OAuth 2.0 Authorization Server
Metadata discovery, enabling clients to discover protected resource capabilities
and authentication requirements.
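To make the description above concrete, here is a stand-alone sketch of an RFC 9728 metadata endpoint with the same permissive-CORS default, plus the two pieces a practitioner usually wants next to it: the §3.1 rule for where the document lives relative to the resource identifier, the §3.3 client-side check that the returned `resource` matches what the client asked about, and the §5.1 `WWW-Authenticate: Bearer resource_metadata=...` challenge that points unauthenticated callers at the document. This is an added illustration, not code from this PR or from the SDK; the type and function names (`ProtectedResourceMetadata`, `WellKnownURL`, `ValidateMetadata`, `MetadataHandler`, `WriteChallenge`), the `https://example.com/mcp` resource, the `https://auth.example.com` issuer and the `127.0.0.1:8080` listen address are all made up for the example. The `allowOrigin` parameter stands in for the per-deployment CORS policy the description says can be supplied through middleware.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/url"
	"strings"
)

// ProtectedResourceMetadata holds the RFC 9728 §2 parameters used here (illustrative, not the SDK's type).
type ProtectedResourceMetadata struct {
	Resource             string   `json:"resource"`
	AuthorizationServers []string `json:"authorization_servers,omitempty"`
	ScopesSupported      []string `json:"scopes_supported,omitempty"`
}

// WellKnownURL applies RFC 9728 §3.1: the well-known string is inserted between host and
// path, so https://example.com/mcp is described at https://example.com/.well-known/oauth-protected-resource/mcp.
func WellKnownURL(resource string) (string, error) {
	u, err := url.Parse(resource)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Host == "" || u.Fragment != "" {
		return "", fmt.Errorf("resource identifier %q must be an https URL with no fragment", resource)
	}
	u.Path = "/.well-known/oauth-protected-resource" + strings.TrimSuffix(u.Path, "/")
	return u.String(), nil
}

// ValidateMetadata is the RFC 9728 §3.3 client check: resource must be identical
// to the identifier the client started from, or a server could hand out another
// resource's metadata. Requiring an authorization server is this example's policy.
func ValidateMetadata(md *ProtectedResourceMetadata, expectedResource string) error {
	if md.Resource != expectedResource {
		return fmt.Errorf("resource mismatch: metadata says %q, client expected %q", md.Resource, expectedResource)
	}
	if len(md.AuthorizationServers) == 0 {
		return fmt.Errorf("metadata for %q lists no authorization_servers", md.Resource)
	}
	return nil
}

// MetadataHandler serves the document with CORS headers. allowOrigin is the
// Access-Control-Allow-Origin value: "*" mirrors the PR's default and is safe because the
// endpoint is public, read-only and credential-free; a narrower origin also gets Vary: Origin.
func MetadataHandler(md *ProtectedResourceMetadata, allowOrigin string) http.Handler {
	body, err := json.Marshal(md)
	if err != nil {
		panic(err) // static struct: failing here is a programming error
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("Access-Control-Allow-Origin", allowOrigin)
		h.Set("Access-Control-Allow-Methods", "GET, OPTIONS")
		if allowOrigin != "*" {
			h.Add("Vary", "Origin") // stop shared caches replaying one origin's answer to another
		}
		switch r.Method {
		case http.MethodOptions: // browser preflight
			w.WriteHeader(http.StatusNoContent)
		case http.MethodGet:
			h.Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusOK)
			w.Write(body)
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
		}
	})
}

// WriteChallenge answers an unauthenticated request per RFC 9728 §5.1: a 401 whose
// WWW-Authenticate header names the metadata URL, so the client need not guess it.
func WriteChallenge(w http.ResponseWriter, metadataURL string) {
	w.Header().Set("WWW-Authenticate", fmt.Sprintf(`Bearer resource_metadata=%q`, metadataURL))
	w.WriteHeader(http.StatusUnauthorized)
}

func main() {
	md := &ProtectedResourceMetadata{
		Resource:             "https://example.com/mcp",
		AuthorizationServers: []string{"https://auth.example.com"}, // assumed issuer identifier
		ScopesSupported:      []string{"read", "write"},
	}
	wk, _ := WellKnownURL(md.Resource) // constant input, validated by the test below
	mux := http.NewServeMux()
	mux.Handle("/.well-known/oauth-protected-resource/mcp", MetadataHandler(md, "*"))
	mux.HandleFunc("/mcp", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			WriteChallenge(w, wk) // unauthenticated: point the client at the metadata
			return
		}
		w.Write([]byte("token validation would go here\n"))
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", mux))
}
```

Two points worth keeping in mind when adopting the `*` default: browsers never attach cookies or `Authorization` to a request whose response carries `Access-Control-Allow-Origin: *`, which is exactly why it is harmless for a credential-free discovery document and exactly why the same handler must never be mounted on a route that returns anything caller-specific. And the §3.3 resource check belongs on the client side: a metadata document is only as trustworthy as the match between its `resource` field and the URL the client derived it from.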

@jba left a comment

LGTM. Just going to have a security person take a look.

jba commented Nov 19, 2025

@rolandshoemaker can you confirm that the CORS policy is acceptable?

jba commented Nov 19, 2025

@wagnerjt Do you think this is a useful addition to the API?

@wagnerjt

Hey @jba thanks for tagging me!

I have code very similar to the server I have defined in the protocol.md to create the endpoint (the part that just dumps the struct to JSON).

package main

import (
    "log"
    "net/http"
    "github.com/modelcontextprotocol/go-sdk/auth"    // SDK module path assumed from the packages named in the PR
    "github.com/modelcontextprotocol/go-sdk/oauthex"
)

func main() {
    metadata := &oauthex.ProtectedResourceMetadata{
        Resource:             "https://example.com/mcp",
        AuthorizationServers: []string{"https://auth.example.com/.well-known/openid-configuration"},
        ScopesSupported:      []string{"read", "write"},
    }
    http.Handle("/.well-known/oauth-protected-resource",
        auth.ProtectedResourceMetadataHandler(metadata)) // serves the struct as JSON
    log.Fatal(http.ListenAndServe(":8080", nil))
}

For the CORS element, as described within the example of usage, there are plenty of ways to do it within Go as well as other infra depending on how it is hosted. I personally leverage external infra/tooling for CORS policy. So I will leave it up to you all on this helper.
