test validateProtectedResourceMetadata override

Author: ochafik

src/client/auth.test.ts

@@ -983,5 +983,66 @@ describe("OAuth Authorization", () => {
  expect(body.get("grant_type")).toBe("refresh_token");
  expect(body.get("refresh_token")).toBe("refresh123");
  });
+
+ it("skips default PRM resource validation when custom validateProtectedResourceMetadata is provided", async () => {
+ const mockValidateProtectedResourceMetadata = jest.fn().mockResolvedValue(undefined);
+ const providerWithCustomValidation = {
+ ...mockProvider,
+ validateProtectedResourceMetadata: mockValidateProtectedResourceMetadata,
+ };
+
+ // Mock protected resource metadata with mismatched resource URL
+ // This would normally throw an error in default validation, but should be skipped
+ mockFetch.mockImplementation((url) => {
+ const urlString = url.toString();
+ 
+ if (urlString.includes("/.well-known/oauth-protected-resource")) {
+ return Promise.resolve({
+ ok: true,
+ status: 200,
+ json: async () => ({
+ resource: "https://different-resource.example.com/mcp-server", // Mismatched resource
+ authorization_servers: ["https://auth.example.com"],
+ }),
+ });
+ } else if (urlString.includes("/.well-known/oauth-authorization-server")) {
+ return Promise.resolve({
+ ok: true,
+ status: 200,
+ json: async () => ({
+ issuer: "https://auth.example.com",
+ authorization_endpoint: "https://auth.example.com/authorize",
+ token_endpoint: "https://auth.example.com/token",
+ response_types_supported: ["code"],
+ code_challenge_methods_supported: ["S256"],
+ }),
+ });
+ }
+ 
+ return Promise.resolve({ ok: false, status: 404 });
+ });
+
+ // Mock provider methods
+ (providerWithCustomValidation.clientInformation as jest.Mock).mockResolvedValue({
+ client_id: "test-client",
+ client_secret: "test-secret",
+ });
+ (providerWithCustomValidation.tokens as jest.Mock).mockResolvedValue(undefined);
+ (providerWithCustomValidation.saveCodeVerifier as jest.Mock).mockResolvedValue(undefined);
+ (providerWithCustomValidation.redirectToAuthorization as jest.Mock).mockResolvedValue(undefined);
+
+ // Call auth - should succeed despite resource mismatch because custom validation overrides default
+ const result = await auth(providerWithCustomValidation, {
+ serverUrl: "https://api.example.com/mcp-server",
+ });
+
+ expect(result).toBe("REDIRECT");
+ 
+ // Verify custom validation method was called
+ expect(mockValidateProtectedResourceMetadata).toHaveBeenCalledWith({
+ resource: "https://different-resource.example.com/mcp-server",
+ authorization_servers: ["https://auth.example.com"],
+ });
+ });
  });
 });

src/client/auth.ts

@@ -76,7 +76,7 @@ export interface OAuthClientProvider {
  /**
  * If defined, overrides the OAuth Protected Resource Metadata (RFC 9728).
  *
- * Implementations must verify the provider
+ * Implementations must verify the resource matches the MCP server.
  */
  validateProtectedResourceMetadata?(metadata?: OAuthProtectedResourceMetadata): Promise<void>;
 }