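/**
 * OAuth Client Provider Implementation for MCP Client
 *
 * Provides a ready-to-use OAuthClientProvider implementation that can be used
 * with Mastra's MCPClient for connecting to OAuth-protected MCP servers.
 *
 * @see https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization
 */
import type {
  OAuthClientProvider,
  OAuthClientMetadata,
  OAuthClientInformation,
  OAuthClientInformationFull,
  OAuthTokens,
} from '../shared/oauth-types.js';

/**
 * Storage interface for persisting OAuth data.
 *
 * Implement this interface to persist OAuth data across sessions.
 * For simple in-memory usage, use InMemoryOAuthStorage.
 *
 * The `storage` option of MCPOAuthClientProviderOptions describes this data as
 * "tokens, client info, etc.", so an implementation should treat its backing
 * store as a secret store: restrict who can read it, encrypt it at rest where
 * the platform allows, and keep stored values out of logs.
 *
 * Every method may complete synchronously or return a promise; callers are
 * expected to handle both.
 */
export interface OAuthStorage {
  /**
   * Store a value by key.
   *
   * @param key - Storage key
   * @param value - Serialized value to store
   */
  set(key: string, value: string): Promise<void> | void;

  /**
   * Retrieve a value by key.
   *
   * @param key - Storage key
   * @returns The stored value, or `undefined` when the key is absent
   */
  get(key: string): Promise<string | undefined> | string | undefined;

  /**
   * Delete a value by key.
   *
   * @param key - Storage key
   */
  delete(key: string): Promise<void> | void;
}

/**
 * Simple in-memory OAuth storage.
 *
 * Data is lost when the process exits. For production, implement
 * OAuthStorage with a persistent store like Redis or a database.
 *
 * NOTE(review): the key names the provider writes are not visible in this
 * declaration. If one storage instance is shared between several providers or
 * users, confirm the keys are namespaced so one party's tokens cannot be read
 * or overwritten by another.
 */
export declare class InMemoryOAuthStorage implements OAuthStorage {
  private data;
  set(key: string, value: string): void;
  get(key: string): string | undefined;
  delete(key: string): void;
  /** Remove every stored entry. */
  clear(): void;
}

/**
 * Options for creating a MCPOAuthClientProvider.
 */
export interface MCPOAuthClientProviderOptions {
  /**
   * The redirect URL for the OAuth callback.
   * This should be a URL your application controls that can handle
   * the authorization code callback.
   *
   * It should match one of `clientMetadata.redirect_uris` exactly, and use
   * `https` for anything other than a loopback address.
   *
   * @example 'http://localhost:3000/oauth/callback'
   */
  redirectUrl: string | URL;

  /**
   * OAuth client metadata for registration.
   * If the client is not pre-registered with the authorization server,
   * this metadata will be used for dynamic client registration.
   */
  clientMetadata: OAuthClientMetadata;

  /**
   * Pre-registered client information.
   * If provided, skips dynamic client registration.
   *
   * If this carries a client secret, load it from configuration or a secret
   * manager rather than committing it to source.
   */
  clientInformation?: OAuthClientInformation;

  /**
   * Storage for persisting OAuth data (tokens, client info, etc.).
   * Defaults to InMemoryOAuthStorage if not provided.
   */
  storage?: OAuthStorage;

  /**
   * Callback invoked when the user needs to be redirected to authorize.
   *
   * For CLI applications, you might open the URL in a browser.
   * For web applications, you might redirect the response.
   *
   * NOTE(review): the URL is presumably built from authorization-server
   * metadata discovered at connect time, so it is only as trustworthy as the
   * MCP server being connected to. Check that its scheme is `https` (or
   * loopback `http`) before handing it to a browser launcher, and never pass
   * it through a shell.
   *
   * @param url - The authorization URL to redirect to
   */
  onRedirectToAuthorization?: (url: URL) => void | Promise<void>;

  /**
   * Generate a random state parameter for OAuth requests.
   * Defaults to using crypto.randomUUID.
   *
   * The state value ties the authorization callback to the request that
   * started it, so a custom generator must return an unpredictable value
   * from a cryptographically secure source, fresh for every request.
   */
  stateGenerator?: () => string | Promise<string>;
}

/**
 * Mastra's OAuth Client Provider implementation.
 *
 * This provider handles the OAuth 2.1 flow for connecting to OAuth-protected
 * MCP servers, including:
 * - Dynamic client registration (RFC 7591)
 * - PKCE (Proof Key for Code Exchange)
 * - Token storage and refresh
 *
 * @example
 * ```typescript
 * import { MCPClient, MCPOAuthClientProvider, InMemoryOAuthStorage } from '@mastra/mcp';
 *
 * // Create the OAuth provider
 * const oauthProvider = new MCPOAuthClientProvider({
 *   redirectUrl: 'http://localhost:3000/oauth/callback',
 *   clientMetadata: {
 *     redirect_uris: ['http://localhost:3000/oauth/callback'],
 *     client_name: 'My MCP Client',
 *     grant_types: ['authorization_code', 'refresh_token'],
 *     response_types: ['code'],
 *   },
 *   onRedirectToAuthorization: (url) => {
 *     // Open URL in browser for CLI, or redirect response for web
 *     console.log(`Please visit: ${url}`);
 *   },
 * });
 *
 * // Create the MCP client with OAuth
 * const client = new MCPClient({
 *   servers: {
 *     'protected-server': {
 *       url: 'https://mcp.example.com/mcp',
 *       authProvider: oauthProvider,
 *     },
 *   },
 * });
 *
 * await client.connect();
 * ```
 */
export declare class MCPOAuthClientProvider implements OAuthClientProvider {
  private readonly _redirectUrl;
  private readonly _clientMetadata;
  private readonly storage;
  private readonly onRedirect?;
  private readonly generateState;
  private _clientInfo?;

  constructor(options: MCPOAuthClientProviderOptions);

  /**
   * The URL to redirect the user agent to after authorization.
   */
  get redirectUrl(): string | URL;

  /**
   * Metadata about this OAuth client.
   */
  get clientMetadata(): OAuthClientMetadata;

  /**
   * Returns an OAuth2 state parameter.
   */
  state(): Promise<string>;

  /**
   * Loads information about this OAuth client.
   *
   * @returns The client information, or `undefined` when none is available
   */
  clientInformation(): Promise<OAuthClientInformation | undefined>;

  /**
   * Saves dynamically registered client information.
   */
  saveClientInformation(clientInformation: OAuthClientInformationFull): Promise<void>;

  /**
   * Loads existing OAuth tokens.
   *
   * @returns The stored tokens, or `undefined` when none are stored
   */
  tokens(): Promise<OAuthTokens | undefined>;

  /**
   * Stores new OAuth tokens after successful authorization.
   */
  saveTokens(tokens: OAuthTokens): Promise<void>;

  /**
   * Invoked to redirect the user agent to the authorization URL.
   */
  redirectToAuthorization(authorizationUrl: URL): Promise<void>;

  /**
   * Saves a PKCE code verifier before redirecting to authorization.
   *
   * The verifier is a secret for the duration of the flow; it should never be
   * logged or sent anywhere except the token endpoint.
   */
  saveCodeVerifier(codeVerifier: string): Promise<void>;

  /**
   * Loads the PKCE code verifier for validating authorization result.
   */
  codeVerifier(): Promise<string>;

  /**
   * Invalidate credentials when server indicates they're no longer valid.
   *
   * @param scope - Which credentials to discard: `'all'`, `'client'`,
   *   `'tokens'` or `'verifier'`
   */
  invalidateCredentials(scope: 'all' | 'client' | 'tokens' | 'verifier'): Promise<void>;

  /**
   * Clear all stored OAuth data.
   * Useful for logging out or resetting state.
   */
  clear(): Promise<void>;

  /**
   * Check if the provider has valid (non-expired) tokens.
   *
   * NOTE(review): how expiry is determined is not visible in this
   * declaration. A `true` result presumably reflects locally stored expiry
   * only and does not prove the server still accepts the token (it may have
   * been revoked) - confirm against the implementation.
   */
  hasValidTokens(): Promise<boolean>;
}

/**
 * Creates a simple OAuth provider with pre-configured tokens.
 *
 * This is useful for testing scenarios where you already have a valid token.
 * For production, use the full MCPOAuthClientProvider with proper OAuth flow.
 *
 * Read the token from the environment or a secret manager rather than
 * writing a real token into source or test fixtures; the literal in the
 * example below is a placeholder.
 *
 * NOTE(review): `expiresIn` is presumably a lifetime in seconds, as in the
 * OAuth `expires_in` field - confirm against the implementation.
 *
 * @param accessToken - A valid access token
 * @param options - Additional configuration options
 * @returns An OAuthClientProvider that returns the pre-configured token
 *
 * @example
 * ```typescript
 * const provider = createSimpleTokenProvider('my-access-token', {
 *   redirectUrl: 'http://localhost:3000/callback',
 *   clientMetadata: {
 *     redirect_uris: ['http://localhost:3000/callback'],
 *     client_name: 'Test Client',
 *   },
 * });
 *
 * const client = new MCPClient({
 *   servers: {
 *     test: { url: 'https://mcp.example.com', authProvider: provider }
 *   },
 * });
 * ```
 */
export declare function createSimpleTokenProvider(
  accessToken: string,
  options: {
    redirectUrl: string | URL;
    clientMetadata: OAuthClientMetadata;
    clientInformation?: OAuthClientInformation;
    tokenType?: string;
    refreshToken?: string;
    expiresIn?: number;
    scope?: string;
  },
): OAuthClientProvider;
//# sourceMappingURL=oauth-provider.d.ts.map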