Files
bifrost/docs/openapi/schemas/management/oauth.yaml
Beyhan Oğur 880f412e2c first commit
2026-04-26 21:52:23 +03:00

306 lines
9.2 KiB
YAML

# OAuth API schemas
MCPAuthType:
type: string
enum: [none, headers, oauth, per_user_oauth]
description: |
Authentication type for MCP connections:
- none: No authentication
- headers: Header-based authentication (API keys, custom headers, etc.)
- oauth: OAuth 2.0 authentication (shared admin token)
- per_user_oauth: Per-user OAuth 2.1 (each end-user authenticates individually)
OAuthConfigRequest:
type: object
description: OAuth configuration for MCP client creation
properties:
client_id:
type: string
description: |
OAuth client ID. Optional if client supports dynamic client registration (RFC 7591).
If not provided, the server_url must be set for OAuth discovery and dynamic registration.
client_secret:
type: string
description: |
OAuth client secret. Optional for public clients using PKCE or clients obtained via dynamic registration.
authorize_url:
type: string
description: |
OAuth authorization endpoint URL. Optional - will be discovered from server_url if not provided.
token_url:
type: string
description: |
OAuth token endpoint URL. Optional - will be discovered from server_url if not provided.
registration_url:
type: string
description: |
Dynamic client registration endpoint URL (RFC 7591). Optional - will be discovered from server_url if not provided.
scopes:
type: array
items:
type: string
description: |
OAuth scopes requested. Optional - can be discovered from server_url if not provided.
Example: ["read", "write"]
OAuthFlowInitiation:
type: object
description: Response when initiating an OAuth flow
properties:
status:
type: string
enum: [pending_oauth]
message:
type: string
oauth_config_id:
type: string
description: ID of the OAuth config created for this flow
authorize_url:
type: string
description: URL to redirect the user to for authorization
expires_at:
type: string
format: date-time
description: When the OAuth authorization request expires
mcp_client_id:
type: string
description: The MCP client ID that initiated this OAuth flow
OAuthConfigStatus:
type: object
description: Status of an OAuth configuration
properties:
id:
type: string
description: OAuth config ID
status:
type: string
enum: [pending, authorized, failed]
description: |
Current status of the OAuth flow:
- pending: User has not yet authorized
- authorized: User authorized and token is stored
- failed: Authorization failed
created_at:
type: string
format: date-time
description: When this OAuth config was created
expires_at:
type: string
format: date-time
description: When this OAuth config expires (becomes invalid if not completed)
token_id:
type: string
description: ID of the associated OAuth token (only present if status is authorized)
token_expires_at:
type: string
format: date-time
description: When the OAuth access token expires (only present if status is authorized)
token_scopes:
type: array
items:
type: string
description: Scopes granted in the OAuth token (only present if status is authorized)
OAuthToken:
type: object
description: OAuth access and refresh tokens
properties:
id:
type: string
description: Unique token identifier
access_token:
type: string
description: OAuth access token
refresh_token:
type: string
description: OAuth refresh token for obtaining new access tokens
token_type:
type: string
description: Token type (typically "Bearer")
expires_at:
type: string
format: date-time
description: When the access token expires
scopes:
type: array
items:
type: string
description: Scopes granted in this token
last_refreshed_at:
type: string
format: date-time
description: When the token was last refreshed
# Per-User OAuth 2.1 Authorization Server schemas
PerUserOAuthClientRegistrationRequest:
type: object
description: |
Dynamic Client Registration request per RFC 7591.
MCP clients (Claude Code, Cursor, etc.) call this to obtain a client_id
before initiating the authorization flow.
required:
- redirect_uris
properties:
client_name:
type: string
description: Human-readable name of the client application
example: Claude Code
redirect_uris:
type: array
items:
type: string
description: List of allowed redirect URIs for this client
example: ["http://localhost:54321/callback"]
grant_types:
type: array
items:
type: string
description: Supported grant types. Defaults to ["authorization_code"]
example: ["authorization_code"]
response_types:
type: array
items:
type: string
description: Supported response types
example: ["code"]
token_endpoint_auth_method:
type: string
description: Token endpoint authentication method. Always "none" (public client)
example: none
scope:
type: string
description: Space-separated list of requested scopes
example: "mcp:read mcp:write"
PerUserOAuthClientRegistrationResponse:
type: object
description: Dynamic Client Registration response per RFC 7591
properties:
client_id:
type: string
description: Issued client identifier
example: "550e8400-e29b-41d4-a716-446655440000"
client_name:
type: string
description: Human-readable name of the client application
redirect_uris:
type: array
items:
type: string
description: Registered redirect URIs
grant_types:
type: array
items:
type: string
description: Registered grant types
response_types:
type: array
items:
type: string
description: Registered response types
token_endpoint_auth_method:
type: string
description: Token endpoint authentication method (always "none")
PerUserOAuthTokenResponse:
type: object
description: OAuth 2.1 token response from the token endpoint
properties:
access_token:
type: string
description: Bifrost-issued access token (24h TTL). Use as Bearer token on /mcp requests.
token_type:
type: string
description: Token type, always "Bearer"
example: Bearer
expires_in:
type: integer
description: Seconds until the access token expires (86400 for 24h)
example: 86400
scope:
type: string
description: Space-separated scopes granted
ProtectedResourceMetadata:
type: object
description: |
OAuth 2.0 Protected Resource Metadata per RFC 9728.
Returned by /.well-known/oauth-protected-resource to tell MCP clients
which authorization server(s) protect the /mcp endpoint.
properties:
resource:
type: string
description: URL of the protected resource (Bifrost's /mcp endpoint)
example: "https://your-bifrost-domain.com/mcp"
authorization_servers:
type: array
items:
type: string
description: List of authorization server issuer URLs
example: ["https://your-bifrost-domain.com"]
scopes_supported:
type: array
items:
type: string
description: Scopes supported by this resource
example: ["mcp:read", "mcp:write"]
bearer_methods_supported:
type: array
items:
type: string
description: Supported methods for passing Bearer tokens
example: ["header"]
AuthorizationServerMetadata:
type: object
description: |
OAuth 2.0 Authorization Server Metadata per RFC 8414.
Returned by /.well-known/oauth-authorization-server to let MCP clients
discover Bifrost's OAuth endpoints and capabilities.
properties:
issuer:
type: string
description: Authorization server issuer URL (Bifrost base URL)
example: "https://your-bifrost-domain.com"
authorization_endpoint:
type: string
description: Authorization endpoint URL
example: "https://your-bifrost-domain.com/api/oauth/per-user/authorize"
token_endpoint:
type: string
description: Token endpoint URL
example: "https://your-bifrost-domain.com/api/oauth/per-user/token"
registration_endpoint:
type: string
description: Dynamic client registration endpoint URL
example: "https://your-bifrost-domain.com/api/oauth/per-user/register"
response_types_supported:
type: array
items:
type: string
example: ["code"]
grant_types_supported:
type: array
items:
type: string
example: ["authorization_code"]
code_challenge_methods_supported:
type: array
items:
type: string
description: Supported PKCE methods (only S256)
example: ["S256"]
token_endpoint_auth_methods_supported:
type: array
items:
type: string
description: Supported token endpoint auth methods (public clients only)
example: ["none"]
scopes_supported:
type: array
items:
type: string
example: ["mcp:read", "mcp:write"]