ExMCP.Authorization.OIDCDiscovery (ex_mcp v0.10.0)


OpenID Connect Discovery support for MCP authorization.

Implements OpenID Connect Discovery 1.0: fetching and parsing .well-known/openid-configuration documents.

This extends OAuth 2.0 Authorization Server Metadata discovery (RFC 8414, as used by OAuth 2.1) with OIDC-specific fields such as userinfo_endpoint and id_token_signing_alg_values_supported.

Available in protocol version 2025-11-25.

Summary

Functions

build_metadata()
Builds local OIDC-compatible metadata from application configuration.

discover(issuer, opts \\ [])
Discovers authorization server metadata using OIDC Discovery with fallback to OAuth 2.0 Authorization Server Metadata (RFC 8414).

oidc_compliant?(metadata)
Checks if the metadata is OIDC-compliant (vs plain OAuth 2.0).

validate_metadata(metadata, expected_issuer)
Validates that the discovered metadata contains required OIDC fields.

Types

oidc_metadata()

@type oidc_metadata() :: %{required(String.t()) => term()}

Functions

build_metadata()

@spec build_metadata() :: oidc_metadata()

Builds local OIDC-compatible metadata from application configuration.

Extends the base OAuth metadata from AuthorizationServerMetadata.build_metadata/0 with OIDC-specific fields.

discover(issuer, opts \\ [])

@spec discover(
  String.t(),
  keyword()
) :: {:ok, oidc_metadata()} | {:error, term()}

Discovers authorization server metadata using OIDC Discovery with fallback to OAuth 2.0 Authorization Server Metadata (RFC 8414).

Tries .well-known/openid-configuration first, then falls back to .well-known/oauth-authorization-server.

Parameters

  • issuer - The issuer URL whose metadata is to be discovered
  • opts - Keyword list of options; :http_client selects a custom HTTP client

Returns

  • {:ok, metadata} - Successfully fetched metadata
  • {:error, reason} - Failed to fetch metadata

oidc_compliant?(metadata)

@spec oidc_compliant?(oidc_metadata()) :: boolean()

Checks if the metadata is OIDC-compliant (vs plain OAuth 2.0).

Returns true if the metadata contains OIDC-specific fields.

validate_metadata(metadata, expected_issuer)

@spec validate_metadata(oidc_metadata(), String.t()) :: :ok | {:error, term()}

Validates that the discovered metadata contains required OIDC fields.

Required Fields

  • issuer - Must match expected_issuer. OpenID Connect Discovery 1.0 requires the returned issuer value to be identical to the issuer URL that was queried, so a mismatch means the document describes a different server and must not be used.
  • authorization_endpoint - URL of the authorization endpoint
  • token_endpoint - URL of the token endpoint
  • userinfo_endpoint - URL of the UserInfo endpoint
  • jwks_uri - URL of the JSON Web Key Set used to verify ID Token signatures
  • id_token_signing_alg_values_supported - JWS signing algorithms the provider supports for ID Tokens
  • subject_types_supported - Subject identifier types the provider supports (public, pairwise)

Note that OpenID Connect Discovery 1.0 lists userinfo_endpoint as RECOMMENDED rather than REQUIRED, so a provider that omits it fails this check even though it conforms to the specification.
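The following is an added example, not code from ex_mcp, covering both discover/2 (the openid-configuration-then-oauth-authorization-server order) and validate_metadata/2 / oidc_compliant?/1 (issuer match and required fields). It assumes a plain fetch function in place of the :http_client option, whose contract the page does not describe, and feeds it constructed sample documents so it runs offline. It goes one step beyond the page for issuers that carry a path: OpenID Connect Discovery appends the well-known path to the issuer, while RFC 8414 inserts it between host and path, so both forms are tried; how ex_mcp itself derives the URLs is not stated on the page. The issuer check stops discovery rather than falling back, because a document that names another issuer is a substituted document (a mix-up attack or a misconfiguration), not a missing one.

```elixir
# Added example, not ex_mcp code. `fetch` is an assumed stand-in for the page's
# :http_client option: it takes a URL and returns {:ok, map} (an already-decoded
# JSON object) or {:error, reason}.
defmodule OIDCDiscoveryExample do
  @oauth_required ~w(issuer authorization_endpoint token_endpoint)
  @oidc_required @oauth_required ++
                   ~w(userinfo_endpoint jwks_uri id_token_signing_alg_values_supported
                      subject_types_supported)
  @oidc_markers ~w(userinfo_endpoint id_token_signing_alg_values_supported subject_types_supported)
  @url_fields ~w(authorization_endpoint token_endpoint userinfo_endpoint jwks_uri)

  # Try openid-configuration first, then the RFC 8414 document.
  def discover(issuer, fetch) when is_binary(issuer) and is_function(fetch, 1) do
    with :ok <- check_issuer_url(issuer) do
      Enum.reduce_while(candidate_urls(issuer), {:error, :metadata_not_found}, fn url, acc ->
        case fetch.(url) do
          {:ok, %{} = metadata} ->
            # A document that was found but names another issuer, or lacks the base
            # endpoints, is not a reason to try the next URL: stop with the error.
            case accept_base(metadata, issuer) do
              :ok -> {:halt, {:ok, metadata}}
              {:error, _} = error -> {:halt, error}
            end

          {:error, _} ->
            {:cont, acc}
        end
      end)
    end
  end

  # OIDC Discovery appends the well-known path; RFC 8414 inserts it before the issuer path.
  def candidate_urls(issuer) do
    uri = URI.parse(issuer)
    port = if uri.port == URI.default_port(uri.scheme), do: "", else: ":#{uri.port}"
    base = "#{uri.scheme}://#{uri.host}#{port}"
    path = String.trim_trailing(uri.path || "", "/")

    if path == "" do
      [base <> "/.well-known/openid-configuration", base <> "/.well-known/oauth-authorization-server"]
    else
      [base <> path <> "/.well-known/openid-configuration",
       base <> "/.well-known/oauth-authorization-server" <> path]
    end
  end

  # Full OIDC validation: issuer match, all required OIDC fields, https endpoints.
  def validate_metadata(metadata, expected_issuer) do
    with :ok <- check_issuer_match(metadata, expected_issuer),
         :ok <- check_required(metadata, @oidc_required),
         do: check_https_endpoints(metadata)
  end

  def oidc_compliant?(metadata), do: Enum.all?(@oidc_markers, &Map.has_key?(metadata, &1))

  # The issuer must be an https URL with no query or fragment (OIDC Discovery 1.0, section 3).
  defp check_issuer_url(issuer) do
    uri = URI.parse(issuer)

    cond do
      uri.scheme != "https" -> {:error, {:insecure_issuer, issuer}}
      uri.host in [nil, ""] -> {:error, {:invalid_issuer, issuer}}
      uri.query != nil or uri.fragment != nil -> {:error, {:invalid_issuer, issuer}}
      true -> :ok
    end
  end

  defp accept_base(metadata, issuer) do
    with :ok <- check_issuer_match(metadata, issuer),
         :ok <- check_required(metadata, @oauth_required),
         do: check_https_endpoints(metadata)
  end

  # The returned issuer must be identical to the one queried (no normalisation).
  defp check_issuer_match(%{"issuer" => issuer}, expected) when issuer == expected, do: :ok
  defp check_issuer_match(%{"issuer" => issuer}, expected), do: {:error, {:issuer_mismatch, expected, issuer}}
  defp check_issuer_match(_, _), do: {:error, {:missing_fields, ["issuer"]}}

  defp check_required(metadata, fields) do
    case Enum.reject(fields, &Map.has_key?(metadata, &1)) do
      [] -> :ok
      missing -> {:error, {:missing_fields, missing}}
    end
  end

  defp check_https_endpoints(metadata) do
    insecure = Enum.filter(@url_fields, fn k -> is_binary(metadata[k]) and URI.parse(metadata[k]).scheme != "https" end)
    if insecure == [], do: :ok, else: {:error, {:insecure_endpoints, insecure}}
  end

  # Constructed sample documents keyed by URL; nothing is fetched over the network.
  @docs %{
    "https://issuer.example/.well-known/openid-configuration" => %{
      "issuer" => "https://issuer.example", "authorization_endpoint" => "https://issuer.example/authorize",
      "token_endpoint" => "https://issuer.example/token", "userinfo_endpoint" => "https://issuer.example/userinfo",
      "jwks_uri" => "https://issuer.example/jwks", "id_token_signing_alg_values_supported" => ["RS256"],
      "subject_types_supported" => ["public"]},
    # OAuth-only server: no openid-configuration, only RFC 8414 metadata.
    "https://oauth.example/.well-known/oauth-authorization-server" => %{
      "issuer" => "https://oauth.example", "authorization_endpoint" => "https://oauth.example/authorize",
      "token_endpoint" => "https://oauth.example/token"},
    # Mix-up: a document served by one host claims to be another issuer.
    "https://evil.example/.well-known/openid-configuration" => %{
      "issuer" => "https://issuer.example", "authorization_endpoint" => "https://evil.example/authorize",
      "token_endpoint" => "https://evil.example/token"}
  }

  def fake_fetch(url) do
    case Map.fetch(@docs, url) do
      {:ok, doc} -> {:ok, doc}
      :error -> {:error, {:http_status, 404}}
    end
  end

  def run do
    {:ok, oidc} = discover("https://issuer.example", &fake_fetch/1)
    true = oidc_compliant?(oidc)
    :ok = validate_metadata(oidc, "https://issuer.example")
    {:ok, oauth} = discover("https://oauth.example", &fake_fetch/1)
    false = oidc_compliant?(oauth)
    {:error, {:missing_fields, _}} = validate_metadata(oauth, "https://oauth.example")
    {:error, {:issuer_mismatch, _, _}} = discover("https://evil.example", &fake_fetch/1)
    {:error, {:insecure_issuer, _}} = discover("http://issuer.example", &fake_fetch/1)
    ["https://host.example/tenant/a/.well-known/openid-configuration",
     "https://host.example/.well-known/oauth-authorization-server/tenant/a"] =
      candidate_urls("https://host.example/tenant/a")
    :ok
  end
end

:ok = OIDCDiscoveryExample.run()
```

Run with `elixir oidc_discovery_example.exs`; every pattern match in run/0 is an assertion, so a failing check raises MatchError. discover/2 accepts either kind of document as long as the issuer matches and the three base endpoints are present, while validate_metadata/2 demands the full OIDC set, which is why the OAuth-only server is discovered successfully but then fails validation and reports oidc_compliant? as false.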