Merge RS/AS in client_credentials example

Author: LucaButBoring

examples/servers/simple-auth-client-credentials/README.md

@@ -24,34 +24,17 @@ export MCP_DISCORD_CLIENT_SECRET="your_client_secret_here"
 
 ## Running the Servers
 
-### Step 1: Start Authorization Server
+### Step 1: Start Resource Server (MCP Server)
 
 ```bash
-# Navigate to the simple-auth directory
-cd examples/servers/simple-auth
+# Navigate to the simple-auth-client-credentials directory
+cd examples/servers/simple-auth-client-credentials
 
-# Start Authorization Server on port 9000
-uv run mcp-simple-auth-as --port=9000
+# Start Resource Server on port 8001
+uv run mcp-simple-auth-rs --port=8001 --transport=streamable-http
 ```
 
-**What it provides:**
-
-- OAuth 2.0 flows (registration, authorization, token exchange)
-- Discord OAuth integration for user authentication
-
----
-
-### Step 2: Start Resource Server (MCP Server)
-
-```bash
-# In another terminal, navigate to the simple-auth directory
-cd examples/servers/simple-auth
-
-# Start Resource Server on port 8001, connected to Authorization Server
-uv run mcp-simple-auth-rs --port=8001 --auth-server=http://localhost:9000 --transport=streamable-http
-```
-
-### Step 3: Test with Client
+### Step 2: Test with Client
 
 ```bash
 cd examples/clients/simple-auth-client-client-credentials
@@ -72,21 +55,21 @@ curl http://localhost:8001/.well-known/oauth-protected-resource
 ```json
 {
   "resource": "http://localhost:8001",
-  "authorization_servers": ["http://localhost:9000"]
+  "authorization_servers": ["http://localhost:8001"]
 }
 ```
 
 **Client → Authorization Server:**
 
 ```bash
-curl http://localhost:9000/.well-known/oauth-authorization-server
+curl http://localhost:8001/.well-known/oauth-authorization-server
 ```
 
 ```json
 {
-  "issuer": "http://localhost:9000",
-  "authorization_endpoint": "http://localhost:9000/authorize",
-  "token_endpoint": "http://localhost:9000/token"
+  "issuer": "http://localhost:8001",
+  "authorization_endpoint": "https://discord.com/api/v10/oauth2/authorize",
+  "token_endpoint": "https://discord.com/api/v10/oauth2/token"
 }
 ```
 
@@ -99,14 +82,5 @@ curl http://localhost:9000/.well-known/oauth-authorization-server
 curl -v http://localhost:8001/.well-known/oauth-protected-resource
 
 # Test Authorization Server metadata
-curl -v http://localhost:9000/.well-known/oauth-authorization-server
-```
-
-### Test Token Introspection
-
-```bash
-# After getting a token through OAuth flow:
-curl -X POST http://localhost:9000/introspect \
-  -H "Content-Type: application/x-www-form-urlencoded" \
-  -d "token=your_access_token"
+curl -v http://localhost:8001/.well-known/oauth-authorization-server
 ```

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/auth_server.py

@@ -5,17 +5,24 @@
     python -m mcp_simple_auth.server --port=8001
 """
 
+import asyncio
 import logging
 from typing import Any, Literal
 
 import click
 import httpx
 from pydantic import AnyHttpUrl
 from pydantic_settings import BaseSettings, SettingsConfigDict
+from starlette.applications import Starlette
+from starlette.routing import Mount, Route
+from uvicorn import Config, Server
 
+from mcp.server.auth.handlers.metadata import MetadataHandler
 from mcp.server.auth.middleware.auth_context import get_access_token
+from mcp.server.auth.routes import cors_middleware
 from mcp.server.auth.settings import AuthSettings
 from mcp.server.fastmcp.server import FastMCP
+from mcp.shared.auth import OAuthMetadata
 
 from .token_verifier import IntrospectionTokenVerifier
 
@@ -33,9 +40,10 @@ class ResourceServerSettings(BaseSettings):
     host: str = "localhost"
     port: int = 8001
     server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:8001")
+    transport: Literal["sse", "streamable-http"] = "streamable-http"
 
     # Authorization Server settings
-    auth_server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:9000")
+    auth_server_url: AnyHttpUrl = AnyHttpUrl("http://localhost:8001")
     auth_server_introspection_endpoint: str = f"{API_ENDPOINT}/oauth2/@me"
     auth_server_discord_user_endpoint: str = f"{API_ENDPOINT}/users/@me"
 
@@ -47,7 +55,7 @@ def __init__(self, **data):
         super().__init__(**data)
 
 
-def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
+def create_resource_server(settings: ResourceServerSettings) -> Starlette:
     """
     Create MCP Resource Server.
     """
@@ -59,10 +67,8 @@ def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
     )
 
     # Create FastMCP server as a Resource Server
-    app = FastMCP(
+    resource_server = FastMCP(
         name="MCP Resource Server",
-        host=settings.host,
-        port=settings.port,
         debug=True,
         token_verifier=token_verifier,
         auth=AuthSettings(
@@ -93,14 +99,14 @@ async def get_discord_user_data() -> dict[str, Any]:
 
             return response.json()
 
-    @app.tool()
+    @resource_server.tool()
     async def get_user_profile() -> dict[str, Any]:
         """
         Get the authenticated user's Discord profile information.
         """
         return await get_discord_user_data()
 
-    @app.tool()
+    @resource_server.tool()
     async def get_user_info() -> dict[str, Any]:
         """
         Get information about the currently authenticated user.
@@ -121,12 +127,53 @@ async def get_user_info() -> dict[str, Any]:
             "authorization_server": str(settings.auth_server_url),
         }
 
+    # Create Starlette app to mount the MCP server and host RFC8414
+    # metadata to jump to Discord's authorization server
+    app = Starlette(
+        debug=True,
+        routes=[
+            Route(
+                "/.well-known/oauth-authorization-server",
+                endpoint=cors_middleware(
+                    MetadataHandler(metadata=OAuthMetadata(
+                        issuer=settings.server_url,
+                        authorization_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/authorize"),
+                        token_endpoint=AnyHttpUrl(f"{API_ENDPOINT}/oauth2/token"),
+                        token_endpoint_auth_methods_supported=["client_secret_basic"],
+                        response_types_supported=["code"],
+                        grant_types_supported=["client_credentials"],
+                        scopes_supported=["identify"]
+                    )).handle,
+                    ["GET", "OPTIONS"],
+                ),
+                methods=["GET", "OPTIONS"],
+            ),
+            Mount(
+                "/",
+                app=resource_server.streamable_http_app() if settings.transport == "streamable-http" else resource_server.sse_app()
+            ),
+        ],
+        lifespan=lambda app: resource_server.session_manager.run(),
+    )
+
     return app
 
 
+async def run_server(settings: ResourceServerSettings):
+    mcp_server = create_resource_server(settings)
+    config = Config(
+        mcp_server,
+        host=settings.host,
+        port=settings.port,
+        log_level="info",
+    )
+    server = Server(config)
+    await server.serve()
+
+
 @click.command()
 @click.option("--port", default=8001, help="Port to listen on")
-@click.option("--auth-server", default="http://localhost:9000", help="Authorization Server URL")
+@click.option("--auth-server", default="http://localhost:8001", help="Authorization Server URL")
 @click.option(
     "--transport",
     default="streamable-http",
@@ -153,15 +200,14 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
             auth_server_url=auth_server_url,
             auth_server_introspection_endpoint=f"{API_ENDPOINT}/oauth2/@me",
             auth_server_discord_user_endpoint=f"{API_ENDPOINT}/users/@me",
+            transport=transport,
         )
     except ValueError as e:
         logger.error(f"Configuration error: {e}")
         logger.error("Make sure to provide a valid Authorization Server URL")
         return 1
 
     try:
-        mcp_server = create_resource_server(settings)
-
         logger.info("=" * 80)
         logger.info("📦 MCP RESOURCE SERVER")
         logger.info("=" * 80)
@@ -182,7 +228,7 @@ def main(port: int, auth_server: str, transport: Literal["sse", "streamable-http
         logger.info("=" * 80)
 
         # Run the server - this should block and keep running
-        mcp_server.run(transport=transport)
+        asyncio.run(run_server(settings))
         logger.info("Server stopped")
         return 0
     except Exception as e:

examples/servers/simple-auth-client-credentials/mcp_simple_auth_client_credentials/server.py

@@ -19,7 +19,6 @@ dependencies = [
 
 [project.scripts]
 mcp-simple-auth-rs = "mcp_simple_auth_client_credentials.server:main"
-mcp-simple-auth-as = "mcp_simple_auth_client_credentials.auth_server:main"
 
 [build-system]
 requires = ["hatchling"]