feat(oauth): expose RFC 9728 protected resource metadata endpoint

Claude.ai's MCP OAuth client only sends the RFC 8707 `resource` param when it has Protected Resource Metadata (PRM) to learn the resource identifier from. Without it, nas-auth's /authorize rejected the request with 'resource 必填'. Adds /.well-known/oauth-protected-resource (RFC 9728) that returns the resource URL + AS URL + supported scopes. ResourceUrl is configurable via Mcp__OAuthDiscovery__ResourceUrl, falling back to request authority when unset (works in local dev).
2026-05-16 17:35:57 +08:00
parent 6494684273
commit 37082e165d
2 changed files with 31 additions and 6 deletions
@@ -1,8 +1,8 @@
 namespace ObsidianMcp.Config;

 /// <summary>
-/// /.well-known/oauth-authorization-server 返回的元数据配置。
-/// 环境变量前缀 Mcp__OAuthDiscovery__，例如 Mcp__OAuthDiscovery__Issuer=...
+/// /.well-known/oauth-authorization-server + /.well-known/oauth-protected-resource
+/// 端点返回的元数据。环境变量前缀 Mcp__OAuthDiscovery__。
 /// </summary>
 public class McpDiscoveryOptions
 {
@@ -12,4 +12,11 @@ public class McpDiscoveryOptions
    public string AuthorizationEndpoint { get; set; } = "https://auth.zhengchentao.win/authorize";
    public string TokenEndpoint { get; set; } = "https://auth.zhengchentao.win/token";
    public string RegistrationEndpoint { get; set; } = "https://auth.zhengchentao.win/register";
+
+    /// <summary>
+    /// 本资源服务的标识符（RFC 9728 PRM 的 `resource` 字段，必须与 nas-auth
+    /// resources.json 里 obsidian 条目的 resource_url 完全一致）。
+    /// 留空时 PRM 端点回退用请求的 `scheme://host`。
+    /// </summary>
+    public string ResourceUrl { get; set; } = string.Empty;
 }
@@ -5,9 +5,11 @@ namespace ObsidianMcp.Endpoints;
 public static class DiscoveryEndpoints
 {
    /// <summary>
-    /// 注册 /.well-known/oauth-authorization-server 端点。
-    /// 返回静态 JSON 指向 nas-auth，让 Claude.ai 能自动发现授权服务器。
-    /// 所有字段从 McpDiscoveryOptions 读，不 hardcode。
+    /// 注册两个 well-known 端点：
+    /// 1. /.well-known/oauth-authorization-server (RFC 8414)：指向 nas-auth
+    /// 2. /.well-known/oauth-protected-resource (RFC 9728)：告诉客户端这个资源
+    ///    的 identifier 是什么 + 用哪个 AS。Claude.ai 读到 PRM 后会在
+    ///    /authorize 请求里带 resource=<identifier>，满足 nas-auth 的 RFC 8707 校验。
    /// </summary>
    public static void MapDiscoveryEndpoints(this WebApplication app)
    {
@@ -25,7 +27,23 @@ public static class DiscoveryEndpoints
                scopes_supported = new[] { "read:obsidian", "write:obsidian" },
            });
        })
-        .AllowAnonymous() // well-known 端点不需要认证，Claude 在登录前就要访问它
+        .AllowAnonymous()
        .WithName("OAuthDiscovery");
+
+        app.MapGet("/.well-known/oauth-protected-resource", (HttpContext ctx, McpDiscoveryOptions opts) =>
+        {
+            var resourceUrl = string.IsNullOrWhiteSpace(opts.ResourceUrl)
+                ? $"{ctx.Request.Scheme}://{ctx.Request.Host}"
+                : opts.ResourceUrl;
+            return Results.Ok(new
+            {
+                resource = resourceUrl,
+                authorization_servers = new[] { opts.Issuer },
+                scopes_supported = new[] { "read:obsidian", "write:obsidian" },
+                bearer_methods_supported = new[] { "header" },
+            });
+        })
+        .AllowAnonymous()
+        .WithName("ProtectedResourceMetadata");
    }
 }