zhengchen.tao/obsidian-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(oauth): expose RFC 9728 protected resource metadata endpoint
Build Docker Image / build (push) Failing after 15m17s
Details
Build Docker Image / deploy (push) Has been skipped
Details

Browse Source 
Claude.ai's MCP OAuth client only sends the RFC 8707 `resource` param
when it has Protected Resource Metadata (PRM) to learn the resource
identifier from. Without it, nas-auth's /authorize rejected the request
with 'resource 必填'.

Adds /.well-known/oauth-protected-resource (RFC 9728) that returns the
resource URL + AS URL + supported scopes. ResourceUrl is configurable
via Mcp__OAuthDiscovery__ResourceUrl, falling back to request authority
when unset (works in local dev).
This commit is contained in:
Zhengchen Tao
2026-05-16 17:35:57 +08:00
parent 6494684273
commit 37082e165d
2 changed files with 31 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Config/McpDiscoveryOptions.cs
+9 -2
View File
@@ -1,8 +1,8 @@
namespace ObsidianMcp.Config; namespace ObsidianMcp.Config;
/// <summary> /// <summary>
/// /.well-known/oauth-authorization-server 返回的元数据配置。 /// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
/// 环境变量前缀 Mcp__OAuthDiscovery__,例如 Mcp__OAuthDiscovery__Issuer=... /// 端点返回的元数据。环境变量前缀 Mcp__OAuthDiscovery__
/// </summary> /// </summary>
public class McpDiscoveryOptions public class McpDiscoveryOptions
{ {
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize"; public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token"; public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register"; public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
/// <summary>
/// 本资源服务的标识符(RFC 9728 PRM 的 `resource` 字段,必须与 nas-auth
/// resources.json 里 obsidian 条目的 resource_url 完全一致)。
/// 留空时 PRM 端点回退用请求的 `scheme://host`。
/// </summary>
public string ResourceUrl { get; set; } = string.Empty;
} }
Endpoints/DiscoveryEndpoints.cs
+22 -4
View File
@@ -5,9 +5,11 @@ namespace ObsidianMcp.Endpoints;
public static class DiscoveryEndpoints public static class DiscoveryEndpoints
{ {
/// <summary> /// <summary>
/// 注册 /.well-known/oauth-authorization-server 端点 /// 注册两个 well-known 端点
/// 返回静态 JSON 指向 nas-auth,让 Claude.ai 能自动发现授权服务器。 /// 1. /.well-known/oauth-authorization-server (RFC 8414):指向 nas-auth
/// 所有字段从 McpDiscoveryOptions 读,不 hardcode。 /// 2. /.well-known/oauth-protected-resource (RFC 9728):告诉客户端这个资源
/// 的 identifier 是什么 + 用哪个 AS。Claude.ai 读到 PRM 后会在
/// /authorize 请求里带 resource=<identifier>,满足 nas-auth 的 RFC 8707 校验。
/// </summary> /// </summary>
public static void MapDiscoveryEndpoints(this WebApplication app) public static void MapDiscoveryEndpoints(this WebApplication app)
{ {
@@ -25,7 +27,23 @@ public static class DiscoveryEndpoints
scopes_supported = new[] { "read:obsidian", "write:obsidian" }, scopes_supported = new[] { "read:obsidian", "write:obsidian" },
}); });
}) })
.AllowAnonymous() // well-known 端点不需要认证,Claude 在登录前就要访问它 .AllowAnonymous()
.WithName("OAuthDiscovery"); .WithName("OAuthDiscovery");
app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, McpDiscoveryOptions opts) =>
{
var resourceUrl = string.IsNullOrWhiteSpace(opts.ResourceUrl)
? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
: opts.ResourceUrl;
return Results.Ok(new
{
resource = resourceUrl,
authorization_servers = new[] { opts.Issuer },
scopes_supported = new[] { "read:obsidian", "write:obsidian" },
bearer_methods_supported = new[] { "header" },
});
})
.AllowAnonymous()
.WithName("ProtectedResourceMetadata");
} }
} }