zhengchen.tao/gitea-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(oauth): expose RFC 9728 protected resource metadata endpoint
Build Docker Image / build (push) Failing after 12m20s
Details
Build Docker Image / deploy (push) Has been skipped
Details

Browse Source 
Same fix as obsidian-mcp: Claude.ai needs PRM to know the resource
identifier and send RFC 8707 `resource` in /authorize requests.

Adds /.well-known/oauth-protected-resource. ResourceUrl is configurable
via Mcp__OAuthDiscovery__ResourceUrl, falling back to request authority
when unset.
This commit is contained in:
Zhengchen Tao
2026-05-16 17:36:04 +08:00
parent 0f07300cec
commit 16bd328849
2 changed files with 29 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Config/McpDiscoveryOptions.cs
+9 -2
View File
@@ -1,8 +1,8 @@
namespace GiteaMcp.Config;
/// <summary>
/// /.well-known/oauth-authorization-server 端点返回的静态元数据,
/// 字段由 Mcp:OAuthDiscovery:* 配置项驱动。
/// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
/// 端点返回的元数据,字段由 Mcp:OAuthDiscovery:* 配置项驱动。
/// </summary>
public class McpDiscoveryOptions
{
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
/// <summary>
/// 本资源服务的标识符(RFC 9728 PRM 的 `resource` 字段,必须与 nas-auth
/// resources.json 里 gitea 条目的 resource_url 完全一致)。
/// 留空时 PRM 端点回退用请求的 `scheme://host`。
/// </summary>
public string ResourceUrl { get; set; } = string.Empty;
}
Endpoints/DiscoveryEndpoints.cs
+20 -3
View File
@@ -4,9 +4,11 @@ using Microsoft.Extensions.Options;
namespace GiteaMcp.Endpoints;
/// <summary>
/// OAuth 2.0 Authorization Server MetadataRFC 8414端点
/// Claude.ai 在接入 custom connector 时会先访问 /.well-known/oauth-authorization-server
/// 根据返回的元数据找到 nas-auth 的 authorize / token / register 端点。
/// 两个 well-known 端点
/// 1. /.well-known/oauth-authorization-server (RFC 8414):指向 nas-auth。
/// 2. /.well-known/oauth-protected-resource (RFC 9728):声明本资源的 identifier
/// + 指向哪个 AS。Claude.ai 读到 PRM 后会在 /authorize 请求里带
/// resource=<identifier>,满足 nas-auth 的 RFC 8707 校验。
/// </summary>
public static class DiscoveryEndpoints
{
@@ -28,6 +30,21 @@ public static class DiscoveryEndpoints
});
});
app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, IOptions<McpDiscoveryOptions> opts) =>
{
var o = opts.Value;
var resourceUrl = string.IsNullOrWhiteSpace(o.ResourceUrl)
? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
: o.ResourceUrl;
return Results.Ok(new
{
resource = resourceUrl,
authorization_servers = new[] { o.Issuer },
scopes_supported = new[] { "read:gitea" },
bearer_methods_supported = new[] { "header" },
});
});
return app;
}
}