306 lines
9.2 KiB
YAML
306 lines
9.2 KiB
YAML
# OAuth API schemas
|
|
|
|
MCPAuthType:
|
|
type: string
|
|
enum: [none, headers, oauth, per_user_oauth]
|
|
description: |
|
|
Authentication type for MCP connections:
|
|
- none: No authentication
|
|
- headers: Header-based authentication (API keys, custom headers, etc.)
|
|
- oauth: OAuth 2.0 authentication (shared admin token)
|
|
- per_user_oauth: Per-user OAuth 2.1 (each end-user authenticates individually)
|
|
|
|
OAuthConfigRequest:
|
|
type: object
|
|
description: OAuth configuration for MCP client creation
|
|
properties:
|
|
client_id:
|
|
type: string
|
|
description: |
|
|
OAuth client ID. Optional if client supports dynamic client registration (RFC 7591).
|
|
If not provided, the server_url must be set for OAuth discovery and dynamic registration.
|
|
client_secret:
|
|
type: string
|
|
description: |
|
|
OAuth client secret. Optional for public clients using PKCE or clients obtained via dynamic registration.
|
|
authorize_url:
|
|
type: string
|
|
description: |
|
|
OAuth authorization endpoint URL. Optional - will be discovered from server_url if not provided.
|
|
token_url:
|
|
type: string
|
|
description: |
|
|
OAuth token endpoint URL. Optional - will be discovered from server_url if not provided.
|
|
registration_url:
|
|
type: string
|
|
description: |
|
|
Dynamic client registration endpoint URL (RFC 7591). Optional - will be discovered from server_url if not provided.
|
|
scopes:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: |
|
|
OAuth scopes requested. Optional - can be discovered from server_url if not provided.
|
|
Example: ["read", "write"]
|
|
|
|
OAuthFlowInitiation:
|
|
type: object
|
|
description: Response when initiating an OAuth flow
|
|
properties:
|
|
status:
|
|
type: string
|
|
enum: [pending_oauth]
|
|
message:
|
|
type: string
|
|
oauth_config_id:
|
|
type: string
|
|
description: ID of the OAuth config created for this flow
|
|
authorize_url:
|
|
type: string
|
|
description: URL to redirect the user to for authorization
|
|
expires_at:
|
|
type: string
|
|
format: date-time
|
|
description: When the OAuth authorization request expires
|
|
mcp_client_id:
|
|
type: string
|
|
description: The MCP client ID that initiated this OAuth flow
|
|
|
|
OAuthConfigStatus:
|
|
type: object
|
|
description: Status of an OAuth configuration
|
|
properties:
|
|
id:
|
|
type: string
|
|
description: OAuth config ID
|
|
status:
|
|
type: string
|
|
enum: [pending, authorized, failed]
|
|
description: |
|
|
Current status of the OAuth flow:
|
|
- pending: User has not yet authorized
|
|
- authorized: User authorized and token is stored
|
|
- failed: Authorization failed
|
|
created_at:
|
|
type: string
|
|
format: date-time
|
|
description: When this OAuth config was created
|
|
expires_at:
|
|
type: string
|
|
format: date-time
|
|
description: When this OAuth config expires (becomes invalid if not completed)
|
|
token_id:
|
|
type: string
|
|
description: ID of the associated OAuth token (only present if status is authorized)
|
|
token_expires_at:
|
|
type: string
|
|
format: date-time
|
|
description: When the OAuth access token expires (only present if status is authorized)
|
|
token_scopes:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Scopes granted in the OAuth token (only present if status is authorized)
|
|
|
|
OAuthToken:
|
|
type: object
|
|
description: OAuth access and refresh tokens
|
|
properties:
|
|
id:
|
|
type: string
|
|
description: Unique token identifier
|
|
access_token:
|
|
type: string
|
|
description: OAuth access token
|
|
refresh_token:
|
|
type: string
|
|
description: OAuth refresh token for obtaining new access tokens
|
|
token_type:
|
|
type: string
|
|
description: Token type (typically "Bearer")
|
|
expires_at:
|
|
type: string
|
|
format: date-time
|
|
description: When the access token expires
|
|
scopes:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Scopes granted in this token
|
|
last_refreshed_at:
|
|
type: string
|
|
format: date-time
|
|
description: When the token was last refreshed
|
|
|
|
# Per-User OAuth 2.1 Authorization Server schemas
|
|
|
|
PerUserOAuthClientRegistrationRequest:
|
|
type: object
|
|
description: |
|
|
Dynamic Client Registration request per RFC 7591.
|
|
MCP clients (Claude Code, Cursor, etc.) call this to obtain a client_id
|
|
before initiating the authorization flow.
|
|
required:
|
|
- redirect_uris
|
|
properties:
|
|
client_name:
|
|
type: string
|
|
description: Human-readable name of the client application
|
|
example: Claude Code
|
|
redirect_uris:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: List of allowed redirect URIs for this client
|
|
example: ["http://localhost:54321/callback"]
|
|
grant_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Supported grant types. Defaults to ["authorization_code"]
|
|
example: ["authorization_code"]
|
|
response_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Supported response types
|
|
example: ["code"]
|
|
token_endpoint_auth_method:
|
|
type: string
|
|
description: Token endpoint authentication method. Always "none" (public client)
|
|
example: none
|
|
scope:
|
|
type: string
|
|
description: Space-separated list of requested scopes
|
|
example: "mcp:read mcp:write"
|
|
|
|
PerUserOAuthClientRegistrationResponse:
|
|
type: object
|
|
description: Dynamic Client Registration response per RFC 7591
|
|
properties:
|
|
client_id:
|
|
type: string
|
|
description: Issued client identifier
|
|
example: "550e8400-e29b-41d4-a716-446655440000"
|
|
client_name:
|
|
type: string
|
|
description: Human-readable name of the client application
|
|
redirect_uris:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Registered redirect URIs
|
|
grant_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Registered grant types
|
|
response_types:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Registered response types
|
|
token_endpoint_auth_method:
|
|
type: string
|
|
description: Token endpoint authentication method (always "none")
|
|
|
|
PerUserOAuthTokenResponse:
|
|
type: object
|
|
description: OAuth 2.1 token response from the token endpoint
|
|
properties:
|
|
access_token:
|
|
type: string
|
|
description: Bifrost-issued access token (24h TTL). Use as Bearer token on /mcp requests.
|
|
token_type:
|
|
type: string
|
|
description: Token type, always "Bearer"
|
|
example: Bearer
|
|
expires_in:
|
|
type: integer
|
|
description: Seconds until the access token expires (86400 for 24h)
|
|
example: 86400
|
|
scope:
|
|
type: string
|
|
description: Space-separated scopes granted
|
|
|
|
ProtectedResourceMetadata:
|
|
type: object
|
|
description: |
|
|
OAuth 2.0 Protected Resource Metadata per RFC 9728.
|
|
Returned by /.well-known/oauth-protected-resource to tell MCP clients
|
|
which authorization server(s) protect the /mcp endpoint.
|
|
properties:
|
|
resource:
|
|
type: string
|
|
description: URL of the protected resource (Bifrost's /mcp endpoint)
|
|
example: "https://your-bifrost-domain.com/mcp"
|
|
authorization_servers:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: List of authorization server issuer URLs
|
|
example: ["https://your-bifrost-domain.com"]
|
|
scopes_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Scopes supported by this resource
|
|
example: ["mcp:read", "mcp:write"]
|
|
bearer_methods_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Supported methods for passing Bearer tokens
|
|
example: ["header"]
|
|
|
|
AuthorizationServerMetadata:
|
|
type: object
|
|
description: |
|
|
OAuth 2.0 Authorization Server Metadata per RFC 8414.
|
|
Returned by /.well-known/oauth-authorization-server to let MCP clients
|
|
discover Bifrost's OAuth endpoints and capabilities.
|
|
properties:
|
|
issuer:
|
|
type: string
|
|
description: Authorization server issuer URL (Bifrost base URL)
|
|
example: "https://your-bifrost-domain.com"
|
|
authorization_endpoint:
|
|
type: string
|
|
description: Authorization endpoint URL
|
|
example: "https://your-bifrost-domain.com/api/oauth/per-user/authorize"
|
|
token_endpoint:
|
|
type: string
|
|
description: Token endpoint URL
|
|
example: "https://your-bifrost-domain.com/api/oauth/per-user/token"
|
|
registration_endpoint:
|
|
type: string
|
|
description: Dynamic client registration endpoint URL
|
|
example: "https://your-bifrost-domain.com/api/oauth/per-user/register"
|
|
response_types_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example: ["code"]
|
|
grant_types_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example: ["authorization_code"]
|
|
code_challenge_methods_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Supported PKCE methods (only S256)
|
|
example: ["S256"]
|
|
token_endpoint_auth_methods_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
description: Supported token endpoint auth methods (public clients only)
|
|
example: ["none"]
|
|
scopes_supported:
|
|
type: array
|
|
items:
|
|
type: string
|
|
example: ["mcp:read", "mcp:write"]
|