ExMCP.Authorization.Provider.OAuth (ex_mcp v0.9.2)

View Source

OAuth 2.1 authorization provider with PKCE, PRM discovery, and scope step-up.

This is the default provider when OAuth configuration is provided to the transport. It handles the complete lifecycle:

  1. On 401 — discovers PRM, AS metadata, optionally registers dynamically, runs PKCE flow
  2. On 403 with insufficient_scope — re-authorizes with broader scopes
  3. Prevents auth loops via auth_completed flag

Configuration

# Minimal (browser-based PKCE flow)
{ExMCP.Authorization.Provider.OAuth, %{resource_url: "http://localhost:3000/mcp"}}

# With pre-existing credentials
{ExMCP.Authorization.Provider.OAuth, %{
  resource_url: "http://localhost:3000/mcp",
  client_id: "my-client",
  client_secret: "secret"
}}