feat: Add API GW that serves up the .well-known/oauth-authorization-server path expected by MCP clients

Author: clareliguori

DEVELOP.md

@@ -35,7 +35,12 @@ aws iam attach-role-policy \
 cdk bootstrap aws://<aws account id>/us-east-2
 ```
 
-Deploy the Cognito user pool for OAuth authentication via the MCP streamable HTTP transport.
+The examples use Cognito for OAuth authentication used by MCP streamable HTTP transport.
+You will need your own domain name to use for auto-discovery of your Cognito endpoints
+by MCP clients. In `examples/servers/auth/lib/mcp-auth.ts`, replace `liguori.people.aws.dev`
+with your domain name. It must already be registered as a hosted zone in Route53.
+
+Deploy the OAuth authentication stack.
 
 ```bash
 cd examples/servers/auth

examples/servers/auth/lib/mcp-auth.oauth-auth-server-metadata-function.ts

@@ -0,0 +1,76 @@
+import { APIGatewayProxyEvent, APIGatewayProxyResult } from "aws-lambda";
+
+interface CognitoConfiguration {
+  [key: string]: any;
+}
+
+interface OAuthServerMetadata {
+  [key: string]: any;
+  code_challenge_methods_supported?: string[];
+}
+
+export const handler = async (
+  event: APIGatewayProxyEvent
+): Promise<APIGatewayProxyResult> => {
+  const cognitoConfigUrl = process.env.COGNITO_OPENID_CONFIG_URL;
+
+  if (!cognitoConfigUrl) {
+    console.error("COGNITO_OPENID_CONFIG_URL environment variable not set");
+    return {
+      statusCode: 500,
+      headers: {
+        "Content-Type": "application/json",
+        "Access-Control-Allow-Origin": "*",
+      },
+      body: JSON.stringify({ error: "Configuration error" }),
+    };
+  }
+
+  try {
+    // Fetch Cognito's OpenID configuration
+    const cognitoConfig = await fetchJson(cognitoConfigUrl);
+
+    // Add the missing code_challenge_methods_supported field
+    const modifiedConfig: OAuthServerMetadata = {
+      ...cognitoConfig,
+      code_challenge_methods_supported: ["S256"],
+    };
+
+    return {
+      statusCode: 200,
+      headers: {
+        "Content-Type": "application/json",
+        "Access-Control-Allow-Origin": "*",
+        "Cache-Control": "public, max-age=3600", // Cache for 1 hour
+      },
+      body: JSON.stringify(modifiedConfig, null, 2),
+    };
+  } catch (error) {
+    console.error("Error fetching Cognito config:", error);
+    return {
+      statusCode: 500,
+      headers: {
+        "Content-Type": "application/json",
+        "Access-Control-Allow-Origin": "*",
+      },
+      body: JSON.stringify({ error: "Failed to fetch OAuth configuration" }),
+    };
+  }
+};
+
+async function fetchJson(url: string): Promise<CognitoConfiguration> {
+  const response = await fetch(url, {
+    method: "GET",
+    headers: {
+      "User-Agent": "MCP-OAuth-Proxy/1.0",
+    },
+    // Add timeout using AbortController
+    signal: AbortSignal.timeout(5000),
+  });
+
+  if (!response.ok) {
+    throw new Error(`HTTP error! status: ${response.status}`);
+  }
+
+  return await response.json();
+}