Add OAuth Protected Resource Metadata support

- Introduced OAuthProtectedResourceMetadata class for enhanced resource metadata handling.
- Updated create_auth_routes to include resource_server_url and resource_name parameters.
- Modified AuthSettings to include resource_server_url and resource_name fields.
- Adjusted MetadataHandler to accept both OAuthMetadata and OAuthProtectedResourceMetadata.
- Updated FastMCP to utilize new resource metadata features.

Signed-off-by: Xin Fu <[email protected]>

Author: imfing

src/mcp/server/auth/handlers/metadata.py

@@ -4,12 +4,12 @@
 from starlette.responses import Response
 
 from mcp.server.auth.json_response import PydanticJSONResponse
-from mcp.shared.auth import OAuthMetadata
+from mcp.shared.auth import OAuthMetadata, OAuthProtectedResourceMetadata
 
 
 @dataclass
 class MetadataHandler:
-    metadata: OAuthMetadata
+    metadata: OAuthMetadata | OAuthProtectedResourceMetadata
 
     async def handle(self, request: Request) -> Response:
         return PydanticJSONResponse(

src/mcp/server/auth/routes.py

@@ -16,7 +16,7 @@
 from mcp.server.auth.middleware.client_auth import ClientAuthenticator
 from mcp.server.auth.provider import OAuthAuthorizationServerProvider
 from mcp.server.auth.settings import ClientRegistrationOptions, RevocationOptions
-from mcp.shared.auth import OAuthMetadata
+from mcp.shared.auth import OAuthMetadata, OAuthProtectedResourceMetadata
 
 
 def validate_issuer_url(url: AnyHttpUrl):
@@ -67,9 +67,11 @@ def cors_middleware(
 def create_auth_routes(
     provider: OAuthAuthorizationServerProvider[Any, Any, Any],
     issuer_url: AnyHttpUrl,
+    resource_server_url: AnyHttpUrl,
     service_documentation_url: AnyHttpUrl | None = None,
     client_registration_options: ClientRegistrationOptions | None = None,
     revocation_options: RevocationOptions | None = None,
+    resource_name: str | None = None,
 ) -> list[Route]:
     validate_issuer_url(issuer_url)
 
@@ -85,11 +87,27 @@ def create_auth_routes(
     )
     client_authenticator = ClientAuthenticator(provider)
 
+    protected_resource_metadata = OAuthProtectedResourceMetadata(
+        resource=resource_server_url,
+        authorization_servers=[metadata.issuer],
+        scopes_supported=metadata.scopes_supported,
+        resource_name=resource_name,
+        resource_documentation= service_documentation_url,
+    )
+
     # Create routes
     # Allow CORS requests for endpoints meant to be hit by the OAuth client
     # (with the client secret). This is intended to support things like MCP Inspector,
     # where the client runs in a web browser.
     routes = [
+        Route(
+            "/.well-known/oauth-protected-resource",
+            endpoint=cors_middleware(
+                MetadataHandler(protected_resource_metadata).handle,
+                ["GET", "OPTIONS"],
+            ),
+            methods=["GET", "OPTIONS"],
+        ),
         Route(
             "/.well-known/oauth-authorization-server",
             endpoint=cors_middleware(

src/mcp/server/auth/settings.py

@@ -15,10 +15,15 @@ class RevocationOptions(BaseModel):
 class AuthSettings(BaseModel):
     issuer_url: AnyHttpUrl = Field(
         ...,
-        description="URL advertised as OAuth issuer; this should be the URL the server "
-        "is reachable at",
+        description="The authorization server's issuer identifier",
+    )
+    resource_server_url: AnyHttpUrl = Field(
+        ..., description="URL of the MCP server, for use in protected resource metadata"
     )
     service_documentation_url: AnyHttpUrl | None = None
     client_registration_options: ClientRegistrationOptions | None = None
     revocation_options: RevocationOptions | None = None
     required_scopes: list[str] | None = None
+    resource_name: str | None = Field(
+        None, description="Optional resource name to display in resource metadata"
+    )

src/mcp/server/fastmcp/server.py

@@ -810,9 +810,11 @@ async def handle_streamable_http(
                 create_auth_routes(
                     provider=self._auth_server_provider,
                     issuer_url=self.settings.auth.issuer_url,
+                    resource_server_url=self.settings.auth.resource_server_url,
                     service_documentation_url=self.settings.auth.service_documentation_url,
                     client_registration_options=self.settings.auth.client_registration_options,
                     revocation_options=self.settings.auth.revocation_options,
+                    resource_name=self.settings.auth.resource_name,
                 )
             )
             routes.append(

src/mcp/shared/auth.py

@@ -135,3 +135,25 @@ class OAuthMetadata(BaseModel):
     ) = None
     introspection_endpoint_auth_signing_alg_values_supported: None = None
     code_challenge_methods_supported: list[Literal["S256"]] | None = None
+
+
+class OAuthProtectedResourceMetadata(BaseModel):
+    """
+    RFC 9728 OAuth Protected Resource Metadata
+    See https://datatracker.ietf.org/doc/html/rfc9728
+    """
+
+    resource: AnyHttpUrl
+    authorization_servers: list[AnyHttpUrl] | None = None
+    jwks_uri: AnyHttpUrl | None = None
+    scopes_supported: list[str] | None = None
+    bearer_methods_supported: list[str] | None = None
+    resource_signing_alg_values_supported: list[str] | None = None
+    resource_name: str | None = None
+    resource_documentation: str | None = None
+    resource_policy_uri: AnyHttpUrl | None = None
+    resource_tos_uri: AnyHttpUrl | None = None
+    tls_client_certificate_bound_access_tokens: bool | None = None
+    authorization_details_types_supported: list[str] | None = None
+    dpop_signing_alg_values_supported: list[str] | None = None
+    dpop_bound_access_tokens_required: bool | None = None