fix(oauth): rfc8414 should judement the response_types

response_types_supported should be judement while try to do 'Authorization Code Flow'

Signed-off-by: jokemanfire <[email protected]>

Author: jokemanfire

crates/rmcp/src/transport/auth.rs

@@ -98,14 +98,15 @@ pub enum AuthError {
 }
 
 /// oauth2 metadata
-#[derive(Debug, Clone, Deserialize, Serialize)]
+#[derive(Debug, Clone, Deserialize, Serialize, Default)]
 pub struct AuthorizationMetadata {
     pub authorization_endpoint: String,
     pub token_endpoint: String,
     pub registration_endpoint: Option<String>,
     pub issuer: Option<String>,
     pub jwks_uri: Option<String>,
     pub scopes_supported: Option<Vec<String>>,
+    pub response_types_supported: Option<Vec<String>>,
     // allow additional fields
     #[serde(flatten)]
     pub additional_fields: HashMap<String, serde_json::Value>,
@@ -290,11 +291,7 @@ impl AuthorizationManager {
         Ok(AuthorizationMetadata {
             authorization_endpoint: create_endpoint("authorize"),
             token_endpoint: create_endpoint("token"),
-            registration_endpoint: None,
-            issuer: None,
-            jwks_uri: None,
-            scopes_supported: None,
-            additional_fields: HashMap::new(),
+            ..Default::default()
         })
     }
 
@@ -357,6 +354,16 @@ impl AuthorizationManager {
             ));
         };
 
+        // RFC 8414 requires response_types_supported; if provided and doesn't include
+        // the flow we use (code), bail out early with a clear error.
+        if let Some(response_types_supported) = metadata.response_types_supported.as_ref() {
+            if !response_types_supported.contains(&"code".to_string()) {
+                return Err(AuthError::RegistrationFailed(
+                    "Server does not support response_type=code".to_string(),
+                ));
+            }
+        }
+
         // prepare registration request
         let registration_request = ClientRegistrationRequest {
             client_name: name.to_string(),
@@ -446,6 +453,17 @@ impl AuthorizationManager {
             .as_ref()
             .ok_or_else(|| AuthError::InternalError("OAuth client not configured".to_string()))?;
 
+        // Ensure the server supports the response type we intend to use when metadata is available
+        if let Some(metadata) = self.metadata.as_ref() {
+            if let Some(response_types_supported) = metadata.response_types_supported.as_ref() {
+                if !response_types_supported.contains(&"code".to_string()) {
+                    return Err(AuthError::RegistrationFailed(
+                        "Server does not support response_type=code".to_string(),
+                    ));
+                }
+            }
+        }
+
         // generate pkce challenge
         let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
 

examples/servers/src/complex_auth_sse.rs

@@ -526,6 +526,7 @@ async fn oauth_authorization_server() -> impl IntoResponse {
         token_endpoint: format!("http://{}/oauth/token", BIND_ADDRESS),
         scopes_supported: Some(vec!["profile".to_string(), "email".to_string()]),
         registration_endpoint: Some(format!("http://{}/oauth/register", BIND_ADDRESS)),
+        response_types_supported: Some(vec!["code".to_string()]),
         issuer: Some(BIND_ADDRESS.to_string()),
         jwks_uri: Some(format!("http://{}/oauth/jwks", BIND_ADDRESS)),
         additional_fields,