OAuth 2.1 client strategy for MCP Streamable HTTP: discovery (RFC 9728
protected-resource metadata → RFC 8414 / OIDC authorization-server
metadata), PKCE S256 authorization-code flow with the RFC 8707 resource
parameter, token refresh, and insufficient_scope step-up.

    {Noizu.MCP.Client,
     transport:
       {:streamable_http,
        url: "https://api.example.com/mcp",
        auth:
          {Noizu.MCP.Auth.OAuth,
           client_id: "my-client",
           redirect_uri: "http://localhost:8910/callback",
           scope: "mcp:tools",
           authorize_user: &MyApp.OAuth.open_browser_and_await_callback/1}}}

:authorize_user is how the host application drives the user agent; a
library cannot open a browser for you. It receives the authorization URL
and must return {:ok, %{"code" => code, "state" => state}} from the
redirect callback, or {:error, reason}.
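
One way a host application could implement the :authorize_user callback for the loopback redirect_uri shown above. This is an added example, not code from Noizu.MCP: the module body, the 2-minute timeout and the error tuples are assumptions, and it prints the URL instead of launching a browser.

```elixir
defmodule MyApp.OAuth do
  # Added example, not Noizu.MCP code; assumes redirect_uri http://localhost:8910/callback.
  @port 8910

  def open_browser_and_await_callback(authorize_url) do
    # Loopback only, so the authorization code is not reachable off-host.
    opts = [:binary, packet: :http_bin, active: false, reuseaddr: true, ip: {127, 0, 0, 1}]
    with {:ok, listener} <- :gen_tcp.listen(@port, opts) do
      IO.puts("Open this URL to authorize:\n#{authorize_url}")
      result = await_redirect(listener)
      :gen_tcp.close(listener)
      result
    end
  end

  defp await_redirect(listener) do
    # Bounded wait: an abandoned login must not block the client forever.
    with {:ok, socket} <- :gen_tcp.accept(listener, :timer.minutes(2)) do
      result =
        case :gen_tcp.recv(socket, 0, 5_000) do
          {:ok, {:http_request, :GET, {:abs_path, target}, _}} -> parse_callback(URI.parse(target))
          other -> {:error, {:bad_callback_request, other}}
        end
      drain_headers(socket)
      body = "You may close this window.\n"
      head = "HTTP/1.1 200 OK\r\nContent-Length: #{byte_size(body)}\r\nConnection: close\r\n\r\n"
      :gen_tcp.send(socket, head <> body)
      :gen_tcp.close(socket)
      result
    end
  end

  defp drain_headers(socket) do
    case :gen_tcp.recv(socket, 0, 5_000) do
      {:ok, {:http_header, _, _, _, _}} -> drain_headers(socket)
      _ -> :ok
    end
  end

  def parse_callback(%URI{path: "/callback", query: query}) when is_binary(query) do
    case URI.decode_query(query) do
      %{"error" => error} -> {:error, {:authorization_error, error}}
      %{"code" => code, "state" => state} -> {:ok, %{"code" => code, "state" => state}}
      _ -> {:error, :missing_code_or_state}
    end
  end

  def parse_callback(_uri), do: {:error, :unexpected_callback}
end
```

The callback hands code and state back exactly as received and treats an error parameter on the redirect as a failure rather than waiting for a code that will never arrive.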
Options
* :client_id (required), :client_secret (optional, confidential clients)
* :redirect_uri (required), :scope (optional)
* :authorize_user (required) - fun/1 or {module, function}
* :resource - RFC 8707 resource indicator; defaults to the MCP URL
* :resource_metadata - override the RFC 9728 discovery URL