feat(auth): OIDC Discovery and redirect_uri support for OAuth compliance #97
Open
getlarge wants to merge 2 commits into platformatic:main from
…on tests

The MCP SDK types use discriminated unions (e.g., text | image content). TypeScript requires type narrowing before accessing type-specific properties. This fixes typecheck failures introduced by SDK type changes.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OIDC discovery to fetch endpoints from /.well-known/openid-configuration with 5-minute caching and fallback to default /oauth/* paths
- Include redirect_uri in authorization request (required for OIDC 1.0)
- Pass redirect_uri to token exchange (must match authorization request)
- Skip /oauth/callback in auth prehandler
- Add excludedPaths option for custom routes to bypass authorization (e.g., health checks)

This enables compatibility with OAuth providers like Ory Hydra that use non-standard endpoint paths (e.g., /oauth2/auth instead of /oauth/authorize).

Closes platformatic#95

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This was referenced Jan 25, 2026
Summary
This PR adds OIDC compatibility for OAuth providers like Ory Hydra that use non-standard endpoint paths.
Closes #95
Changes
1. OIDC Discovery
- /.well-known/openid-configuration with 5-minute caching
- /oauth/* paths for backwards compatibility

2. redirect_uri Support (OIDC 1.0 Required)
- redirect_uri in authorization request
- redirect_uri to token exchange (must match authorization request)
- callbackUrl in session for token exchange

3. Auth Prehandler Improvements
- /oauth/callback in auth prehandler (was missing)
- excludedPaths option for custom routes to bypass authorization (e.g., health checks)

Files Changed
- src/auth/oauth-client.ts - OIDC discovery, redirect_uri in token exchange
- src/auth/prehandler.ts - Skip callback, excludedPaths support
- src/routes/auth-routes.ts - Include redirect_uri, store in session
- src/types/auth-types.ts - Add excludedPaths to config type
- test/integration.test.ts - Fix type guards for discriminated unions (unrelated pre-existing issue)

Backwards Compatibility
- /oauth/* paths
- excludedPaths is optional

Test Plan
- npm run typecheck)
- npm run test)

🤖 Generated with Claude Code
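
Added example, not code from this PR or the project: one way to validate a fetched discovery document before trusting its endpoints, combined with the 5-minute cache and /oauth/* fallback the description mentions. The function names, the /oauth/token default and the choice to cache fallback results are assumptions.

```typescript
// Added example with hypothetical names; not the PR's implementation.
type Endpoints = { authorization: string; token: string; source: "discovery" | "default" };

const TTL_MS = 5 * 60 * 1000; // 5-minute cache, as in the PR description

// Fallback paths. /oauth/token is an assumed default; the page names only /oauth/authorize.
function defaultEndpoints(issuer: string): Endpoints {
  const base = issuer.replace(/\/+$/, "");
  return { authorization: `${base}/oauth/authorize`, token: `${base}/oauth/token`, source: "default" };
}

function isHttpsUrl(value: unknown): value is string {
  if (typeof value !== "string") return false;
  try {
    return new URL(value).protocol === "https:";
  } catch {
    return false;
  }
}

// Use a discovery document only when its issuer is identical to the one that was
// queried (OIDC Discovery 1.0 requires this) and both endpoints are https URLs.
// Anything else falls back to paths derived from the configured issuer.
function endpointsFromDiscovery(issuer: string, doc: unknown): Endpoints {
  if (typeof doc !== "object" || doc === null) return defaultEndpoints(issuer);
  const { issuer: iss, authorization_endpoint: authz, token_endpoint: token } = doc as Record<string, unknown>;
  if (iss !== issuer) return defaultEndpoints(issuer);
  if (!isHttpsUrl(authz) || !isHttpsUrl(token)) return defaultEndpoints(issuer);
  return { authorization: authz, token, source: "discovery" };
}

// TTL cache with an injectable clock so expiry can be tested without waiting.
function createEndpointCache(now: () => number = Date.now) {
  const entries = new Map<string, { value: Endpoints; expires: number }>();
  return {
    // Returns a fresh entry, or undefined when the document must be fetched again.
    get(issuer: string): Endpoints | undefined {
      const hit = entries.get(issuer);
      return hit && hit.expires > now() ? hit.value : undefined;
    },
    // Validates what the fetch produced (null on failure) and caches the result.
    put(issuer: string, doc: unknown): Endpoints {
      const value = endpointsFromDiscovery(issuer, doc);
      entries.set(issuer, { value, expires: now() + TTL_MS });
      return value;
    },
  };
}
```

The caller performs the HTTP fetch between `get` and `put` and passes `null` when the request or JSON parsing fails.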