/** * MCP OAuth Server Provider 实现 * * 实现 MCP SDK 的 OAuthServerProvider 接口 */ import type { Response } from 'express'; import type { OAuthServerProvider, AuthorizationParams } from '@modelcontextprotocol/sdk/server/auth/provider.js'; import type { OAuthRegisteredClientsStore } from '@modelcontextprotocol/sdk/server/auth/clients.js'; import type { OAuthClientInformationFull, OAuthTokens, OAuthTokenRevocationRequest } from '@modelcontextprotocol/sdk/shared/auth.js'; import type { AuthInfo } from '@modelcontextprotocol/sdk/server/auth/types.js'; import { type StoredAuthCode, type StoredRefreshToken } from './store.js'; type OAuthProviderDeps = { getCodeChallenge: (code: string) => Promise; getAuthorizationCode: (code: string) => Promise; exchangeAuthorizationCodeTransactionally: (params: { authorizationCode: string; refreshToken: string; }) => Promise<'ok' | 'invalid_code'>; getActiveRefreshToken: (refreshToken: string) => Promise; rotateRefreshTokenTransactionally: (params: { refreshToken: string; newRefreshToken: string; scope: string; resource?: string; }) => Promise<'ok' | 'invalid_refresh_token'>; revokeRefreshToken: (refreshToken: string) => Promise; signAccessToken: (userId: string, clientId: string, scope: string, resource?: string) => Promise<{ token: string; expiresIn: number; }>; verifyAccessToken: (token: string) => Promise; generateRefreshToken: () => string; }; export declare class TaiBuOAuthProvider implements OAuthServerProvider { private _clientsStore; private deps; constructor(deps?: Partial); get clientsStore(): OAuthRegisteredClientsStore; /** * 渲染授权登录页面 * * SDK 的 authorizationHandler 在验证 client_id / redirect_uri / PKCE 参数后调用此方法。 * 我们渲染 HTML 登录表单,表单 POST 到 /oauth/login(自定义路由)。 */ authorize(client: OAuthClientInformationFull, params: AuthorizationParams, res: Response): Promise; /** * 返回授权码对应的 code_challenge */ challengeForAuthorizationCode(_client: OAuthClientInformationFull, authorizationCode: string): Promise; /** * 用授权码换取 access_token + refresh_token */ exchangeAuthorizationCode(client: OAuthClientInformationFull, authorizationCode: string, _codeVerifier?: string, redirectUri?: string, resource?: URL): Promise; /** * 用 refresh_token 换取新的 access_token(token rotation) */ exchangeRefreshToken(client: OAuthClientInformationFull, refreshToken: string, scopes?: string[], resource?: URL): Promise; /** * 验证 JWT access_token */ verifyAccessToken(token: string): Promise; /** * 吊销 token */ revokeToken(_client: OAuthClientInformationFull, request: OAuthTokenRevocationRequest): Promise; } export {};