pomerium / pomerium / 21890627876

44%

Build Type

push

github

Committed by web-flow

Commit Message

mcp: add upstream OAuth discovery core functions (RFC 9728/8414) (#6099)

## Summary

Add core upstream discovery functions for MCP proxy OAuth flow,
implementing RFC 9728 (Protected Resource Metadata) and RFC 8414
(Authorization Server Metadata):

- `ParseWWWAuthenticate` — parse Bearer WWW-Authenticate headers using
go-sfv (round-trip compatible with existing `SetWWWAuthenticateHeader`)
- `FetchProtectedResourceMetadata` / `FetchAuthorizationServerMetadata`
— fetch and validate metadata from well-known endpoints
- `BuildProtectedResourceMetadataURLs` /
`BuildAuthorizationServerMetadataURLs` — construct well-known URLs with
MCP-specified priority order for path-based issuers
- `ValidateProtectedResourceMetadata` /
`ValidateAuthorizationServerMetadata` — validate required fields and MCP
constraints (PKCE S256, authorization_code grant)

These are stateless core functions that will be consumed by ext_proc for
401/403 response handling. Response body capped at 1MB via
`io.LimitReader`.

## Related issues

- ENG-3555

## User Explanation

No user-facing changes. Internal implementation for upcoming upstream
MCP server authorization discovery.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

Run Details

126 of 131 new or added lines in 2 files covered. (96.18%)

7 existing lines in 3 files now uncovered.

31974 of 72583 relevant lines covered (44.05%)

118.33 hits per line