AuthorizationMiddleware implements MiddlewareInterface
Final: Yes
Enforces MCP HTTP authorization requirements.
This middleware:
- Validates Bearer tokens via the configured validator
- Returns 401 with WWW-Authenticate header on missing/invalid tokens
- Returns 403 on insufficient scope
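
The decision flow in the list above, as an added PHP sketch that is not the library's own code. The `demo_*` function names, the sample token, the scope names and the metadata URL are assumptions; the `error` values follow RFC 6750 and the `resource_metadata` parameter follows RFC 9728.

```php
<?php
declare(strict_types=1);
// Added illustration, NOT the library's implementation. Function names, the
// metadata URL and the scope names are assumptions made for this example.

/** Return the token (RFC 6750 b64token) from an Authorization header, or null. */
function demo_parse_bearer(string $authorization): ?string
{
    $ok = preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/iD', trim($authorization), $m);
    return $ok === 1 ? $m[1] : null;
}

/** Build a WWW-Authenticate challenge; values become escaped quoted-strings. */
function demo_challenge(array $params): string
{
    $parts = [];
    foreach ($params as $name => $value) {
        // Strip control characters (no CR/LF header injection), then escape \ and ".
        $clean = preg_replace('/[\x00-\x1F\x7F]/', '', (string) $value) ?? '';
        $parts[] = $name . '="' . strtr($clean, ['\\' => '\\\\', '"' => '\\"']) . '"';
    }
    return 'Bearer ' . implode(', ', $parts);
}

/** Map a request to [status, challenge]. $validate returns granted scopes or null. */
function demo_authorize(?string $header, array $required, callable $validate, string $metaUrl): array
{
    $hint = ['resource_metadata' => $metaUrl];
    if ($header === null) {
        return [401, demo_challenge($hint)]; // no credentials: challenge without an error code
    }
    $token = demo_parse_bearer($header);
    $granted = $token === null ? null : $validate($token);
    if ($granted === null) {
        return [401, demo_challenge(['error' => 'invalid_token'] + $hint)];
    }
    if (array_diff($required, $granted) !== []) {
        $scope = implode(' ', $required);
        return [403, demo_challenge(['error' => 'insufficient_scope', 'scope' => $scope] + $hint)];
    }
    return [200, null];
}

// Constructed sample data: one known token that carries only the "mcp:read" scope.
$validate = fn (string $t): ?array => hash_equals('tok-abc123', $t) ? ['mcp:read'] : null;
$url = 'https://mcp.example.com/.well-known/oauth-protected-resource';
foreach ([null, 'Basic dXNlcg==', 'Bearer nope', 'Bearer tok-abc123'] as $h) {
    [$status, $challenge] = demo_authorize($h, ['mcp:write'], $validate, $url);
    echo $status, ' ', $challenge ?? '(pass to handler)', PHP_EOL;
}
```
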
Table of Contents
Interfaces
- MiddlewareInterface
Properties
- $resourceMetadata : ProtectedResourceMetadata
- $responseFactory : ResponseFactoryInterface
- $validator : AuthorizationTokenValidatorInterface
Methods
- __construct() : mixed
- process() : ResponseInterface
- applyAttributes() : ServerRequestInterface
- buildAuthenticateHeader() : string
- buildErrorResponse() : ResponseInterface
- escapeHeaderValue() : string
- normalizeScopes() : array<int, string>|null
- parseBearerToken() : string|null
- resolveResourceMetadataUrl() : string
- resolveScopes() : array<int, string>|null
Properties
$resourceMetadata
private
ProtectedResourceMetadata $resourceMetadata
$responseFactory
private
ResponseFactoryInterface $responseFactory
$validator
private
AuthorizationTokenValidatorInterface $validator
Methods
__construct()
public
__construct(AuthorizationTokenValidatorInterface $validator, ProtectedResourceMetadata $resourceMetadata[, ResponseFactoryInterface|null $responseFactory = null ]) : mixed
Parameters
- $validator : AuthorizationTokenValidatorInterface
  Token validator implementation
- $resourceMetadata : ProtectedResourceMetadata
  Protected resource metadata object used for challenge hints
- $responseFactory : ResponseFactoryInterface|null = null
  PSR-17 response factory (auto-discovered if null)
process()
public
process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
applyAttributes()
private
applyAttributes(ServerRequestInterface $request, array<string, mixed> $attributes) : ServerRequestInterface
Parameters
- $request : ServerRequestInterface
- $attributes : array<string, mixed>
Return values
ServerRequestInterface
buildAuthenticateHeader()
private
buildAuthenticateHeader(ServerRequestInterface $request, AuthorizationResult $result) : string
Parameters
- $request : ServerRequestInterface
- $result : AuthorizationResult
Return values
string
buildErrorResponse()
private
buildErrorResponse(ServerRequestInterface $request, AuthorizationResult $result) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $result : AuthorizationResult
Return values
ResponseInterface
escapeHeaderValue()
private
escapeHeaderValue(string $value) : string
Parameters
- $value : string
Return values
string
normalizeScopes()
private
normalizeScopes(array<int, string>|null $scopes) : array<int, string>|null
Parameters
- $scopes : array<int, string>|null
Return values
array<int, string>|null
parseBearerToken()
private
parseBearerToken(string $authorization) : string|null
Parameters
- $authorization : string
Return values
string|null
resolveResourceMetadataUrl()
private
resolveResourceMetadataUrl(ServerRequestInterface $request) : string
Parameters
- $request : ServerRequestInterface
Return values
string
resolveScopes()
private
resolveScopes(AuthorizationResult $result) : array<int, string>|null
Parameters
- $result : AuthorizationResult