OAuthProxyMiddleware implements MiddlewareInterface
Final: Yes
Proxies OAuth authorization requests to an upstream authorization server.
This middleware implements the OAuth proxy pattern for MCP servers that delegate authorization to third-party OAuth providers (Microsoft, Keycloak, etc.).
It handles:
- /authorize: Redirects to the upstream authorization server
- /token: Proxies token requests to the upstream token endpoint
- /.well-known/oauth-authorization-server: Serves authorization server metadata
Table of Contents
Interfaces
- MiddlewareInterface
Constants
- CLIENT_SECRET_BASIC = 'client_secret_basic'
- CLIENT_SECRET_POST = 'client_secret_post'
Properties
- $clientSecret : string|null
- $discovery : OidcDiscoveryInterface
- $httpClient : ClientInterface
- $localBaseUrl : string
- $requestFactory : RequestFactoryInterface
- $responseFactory : ResponseFactoryInterface
- $streamFactory : StreamFactoryInterface
- $upstreamIssuer : string
Methods
- __construct() : mixed
- process() : ResponseInterface
- createAuthServerMetadataResponse() : ResponseInterface
- createErrorResponse() : ResponseInterface
- getTokenEndpointAuthMethods() : array<int, string>
- handleAuthorize() : ResponseInterface
- handleToken() : ResponseInterface
- resolveTokenEndpointAuthMethod() : string
Constants
CLIENT_SECRET_BASIC
private
mixed CLIENT_SECRET_BASIC = 'client_secret_basic'
CLIENT_SECRET_POST
private
mixed CLIENT_SECRET_POST = 'client_secret_post'
Properties
$clientSecret read-only
private
string|null $clientSecret = null
$discovery read-only
private
OidcDiscoveryInterface $discovery
$httpClient
private
ClientInterface $httpClient
$localBaseUrl read-only
private
string $localBaseUrl
$requestFactory
private
RequestFactoryInterface $requestFactory
$responseFactory
private
ResponseFactoryInterface $responseFactory
$streamFactory
private
StreamFactoryInterface $streamFactory
$upstreamIssuer read-only
private
string $upstreamIssuer
Methods
__construct()
public
__construct(string $upstreamIssuer, string $localBaseUrl, OidcDiscoveryInterface $discovery[, string|null $clientSecret = null ][, ClientInterface|null $httpClient = null ][, RequestFactoryInterface|null $requestFactory = null ][, ResponseFactoryInterface|null $responseFactory = null ][, StreamFactoryInterface|null $streamFactory = null ]) : mixed
Parameters
- $upstreamIssuer : string
  The issuer URL of the upstream OAuth provider
- $localBaseUrl : string
  The base URL of this MCP server (e.g., http://localhost:8000)
- $discovery : OidcDiscoveryInterface
  OIDC discovery provider for upstream metadata
- $clientSecret : string|null = null
  Optional client secret for confidential clients
- $httpClient : ClientInterface|null = null
- $requestFactory : RequestFactoryInterface|null = null
- $responseFactory : ResponseFactoryInterface|null = null
- $streamFactory : StreamFactoryInterface|null = null
process()
public
process(ServerRequestInterface $request, RequestHandlerInterface $handler) : ResponseInterface
Parameters
- $request : ServerRequestInterface
- $handler : RequestHandlerInterface
Return values
ResponseInterface
createAuthServerMetadataResponse()
private
createAuthServerMetadataResponse() : ResponseInterface
Return values
ResponseInterface
createErrorResponse()
private
createErrorResponse(int $status, string $message) : ResponseInterface
Parameters
- $status : int
- $message : string
Return values
ResponseInterface
getTokenEndpointAuthMethods()
private
getTokenEndpointAuthMethods() : array<int, string>
Return values
array<int, string>
handleAuthorize()
private
handleAuthorize(ServerRequestInterface $request) : ResponseInterface
Parameters
- $request : ServerRequestInterface
Return values
ResponseInterface
handleToken()
private
handleToken(ServerRequestInterface $request) : ResponseInterface
Parameters
- $request : ServerRequestInterface
Return values
ResponseInterface
resolveTokenEndpointAuthMethod()
private
resolveTokenEndpointAuthMethod() : string