
OAuth Protected Resource Plugin

The OAuthProtectedResourcePlugin allows you to configure your Zuplo gateway to support OAuth protected resources through the .well-known/oauth-protected-resource endpoint. See RFC 9728 for more details.

This is particularly useful when building an MCP Server on Zuplo. See the MCP Server Handler docs for more details.

Usage

This runtime plugin will register the .well-known/oauth-protected-resource route on your behalf. If you configure an OAuth Policy on a route with the oAuthResourceMetadataEnabled option set to true, then the OAuth policy will automatically add the necessary WWW-Authenticate header to 401 responses, with the resource_metadata parameter set to the URL of the .well-known/oauth-protected-resource endpoint.

```ts
import {
  RuntimeExtensions,
  OAuthProtectedResourcePlugin,
} from "@zuplo/runtime";

export function runtimeInit(runtime: RuntimeExtensions) {
  runtime.addPlugin(
    new OAuthProtectedResourcePlugin({
      // Canonical URL of your authorization server
      authorizationServers: ["https://your-auth0-domain.us.auth0.com"],
      // Human-readable name for the resource
      resourceName: "My MCP OAuth Resource",
    }),
  );
}
```

As per the MCP OAuth specification, you must use the canonical URL of your authorization server as the authorizationServers value. The resourceName is a human-readable name for the resource.

Note that the .well-known/oauth-protected-resource endpoint is deliberately served with an "anything goes" CORS policy, because it is a public endpoint that should be accessible to anyone who needs to check the server's OAuth configuration.
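
A client that receives the 401 described above reads the resource_metadata parameter from WWW-Authenticate, fetches that document, and should vet it before trusting the authorization servers it lists. The following TypeScript is an added example, not code from Zuplo or this page; it parses the challenge and validates already-fetched metadata using the `resource` and `authorization_servers` field names and the resource-match rule from RFC 9728. The function names, the api.example.com URLs and the sample values are assumptions constructed for illustration.

```typescript
// Added example (client side): handle the 401 challenge and vet the metadata.
// Field names follow RFC 9728; all sample values below are constructed.
interface ProtectedResourceMetadata {
  resource: string;
  authorization_servers?: string[];
  resource_name?: string;
}

// Pull resource_metadata out of a WWW-Authenticate value (quoted or token form).
function parseResourceMetadataUrl(wwwAuthenticate: string): string | null {
  const m = /\bresource_metadata\s*=\s*(?:"([^"]*)"|([^\s,]+))/i.exec(wwwAuthenticate);
  return m ? (m[1] ?? m[2] ?? null) : null;
}

// Return a list of reasons to reject the metadata; an empty list means usable.
function validateChallenge(
  requestedUrl: string,
  wwwAuthenticate: string,
  meta: ProtectedResourceMetadata,
): string[] {
  const problems: string[] = [];
  const metadataUrl = parseResourceMetadataUrl(wwwAuthenticate);
  if (metadataUrl === null) return ["no resource_metadata parameter in challenge"];
  if (!metadataUrl.startsWith("https://")) problems.push("metadata URL is not https");
  // RFC 9728 section 3.3: resource must be identical to the URL that was requested.
  if (meta.resource !== requestedUrl) problems.push("resource does not match requested URL");
  const servers = meta.authorization_servers ?? [];
  if (servers.length === 0) problems.push("no authorization_servers listed");
  for (const s of servers) {
    if (!s.startsWith("https://")) problems.push(`authorization server is not https: ${s}`);
  }
  return problems;
}

// Constructed sample: what a client might see from a gateway at api.example.com.
const SAMPLE_CHALLENGE =
  'Bearer resource_metadata="https://api.example.com/.well-known/oauth-protected-resource"';
const SAMPLE_METADATA: ProtectedResourceMetadata = {
  resource: "https://api.example.com/mcp",
  authorization_servers: ["https://your-auth0-domain.us.auth0.com"],
  resource_name: "My MCP OAuth Resource",
};

console.log(validateChallenge("https://api.example.com/mcp", SAMPLE_CHALLENGE, SAMPLE_METADATA));
```

An empty array means the metadata passed every check; any entry is a reason to discard the document rather than start an authorization flow with the servers it names.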

Last modified on March 23, 2026