- #1527 dc896e1 Thanks @felixweinberger! - Add `discoverOAuthServerInfo()` function and unified discovery state caching for OAuth

  - New `discoverOAuthServerInfo(serverUrl)` export that performs RFC 9728 protected resource metadata discovery followed by authorization server metadata discovery in a single call. Use this for operations like token refresh and revocation that need the authorization server URL outside of `auth()`.
  - New `OAuthDiscoveryState` type and optional `OAuthClientProvider` methods `saveDiscoveryState()` / `discoveryState()` allow providers to persist all discovery results (auth server URL, resource metadata URL, resource metadata, auth server metadata) across sessions. This avoids redundant discovery requests and handles browser redirect scenarios where discovery state would otherwise be lost.
  - New `'discovery'` scope for `invalidateCredentials()` to clear cached discovery state.
  - New `OAuthServerInfo` type exported for the return value of `discoverOAuthServerInfo()`.
- #1614 1a78b01 Thanks @pcarleton! - Apply resolved scope consistently to both DCR and the authorization URL (SEP-835)

  When `scopes_supported` is present in the protected resource metadata (`/.well-known/oauth-protected-resource`), the SDK already uses it as the default scope for the authorization URL. This change applies the same resolved scope to the dynamic client registration request body, ensuring both use a consistent value.

  - `registerClient()` now accepts an optional `scope` parameter that overrides `clientMetadata.scope` in the registration body.
  - `auth()` now computes the resolved scope once (WWW-Authenticate → PRM `scopes_supported` → `clientMetadata.scope`) and passes it to both DCR and the authorization request.
- #1343 4b5fdcb Thanks @christso! - Fix OAuth error handling for servers returning errors with HTTP 200 status

  Some OAuth servers (e.g., GitHub) return error responses with HTTP 200 status instead of 4xx. The SDK now checks for an `error` field in the JSON response before attempting to parse it as tokens, providing users with meaningful error messages.

- #1534 69a0626 Thanks @josefaidt! - remove npm references, use pnpm

- #1386 00249ce Thanks @PederHP! - Respect capability negotiation in list methods by returning empty lists when server lacks capability

  The Client now returns empty lists instead of sending requests to servers that don't advertise the corresponding capability:

  - `listPrompts()` returns `{ prompts: [] }` if server lacks prompts capability
  - `listResources()` returns `{ resources: [] }` if server lacks resources capability
  - `listResourceTemplates()` returns `{ resourceTemplates: [] }` if server lacks resources capability
  - `listTools()` returns `{ tools: [] }` if server lacks tools capability

  This respects the MCP spec requirement that "Both parties SHOULD respect capability negotiation" and avoids unnecessary server warnings and traffic. The existing `enforceStrictCapabilities` option continues to throw errors when set to `true`.

- #1534 69a0626 Thanks @josefaidt! - clean up package manager usage, all pnpm

- #1279 71ae3ac Thanks @KKonstantinov! - Initial 2.0.0-alpha.0 client and server package
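
The check described in the #1343 entry above, as an added example that is not the SDK's own code: a token-endpoint body is inspected for an `error` member before it is ever treated as tokens, so an HTTP 200 error response surfaces as an error instead of a half-empty token object. `parseTokenResponse`, `OAuthErrorResponse`, the `invalid_response` code and the sample bodies are hypothetical names and constructed data.

```typescript
// Added illustration: every name here is hypothetical, not the SDK's API.
interface OAuthTokens {
  access_token: string;
  token_type: string;
  expires_in?: number;
  refresh_token?: string;
  scope?: string;
}

class OAuthErrorResponse extends Error {
  code: string;
  constructor(code: string, description?: string) {
    super(description ? `${code}: ${description}` : code);
    this.name = "OAuthErrorResponse";
    this.code = code;
  }
}

function parseTokenResponse(status: number, bodyText: string): OAuthTokens {
  let parsed: unknown;
  try {
    parsed = JSON.parse(bodyText);
  } catch {
    throw new OAuthErrorResponse("invalid_response", `HTTP ${status}: body is not JSON`);
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    throw new OAuthErrorResponse("invalid_response", `HTTP ${status}: body is not a JSON object`);
  }
  const body = parsed as Record<string, unknown>;
  // Look for an OAuth error member first, whatever the status code says.
  const error: unknown = body["error"];
  const description: unknown = body["error_description"];
  if (typeof error === "string") {
    throw new OAuthErrorResponse(error, typeof description === "string" ? description : undefined);
  }
  if (status < 200 || status > 299) {
    throw new OAuthErrorResponse("invalid_response", `HTTP ${status} without an OAuth error body`);
  }
  // Only now treat the body as tokens, and only if the required members exist.
  if (typeof body["access_token"] !== "string" || typeof body["token_type"] !== "string") {
    throw new OAuthErrorResponse("invalid_response", "missing access_token or token_type");
  }
  return body as unknown as OAuthTokens;
}

// Constructed sample bodies, not captured from any real server.
const SAMPLE_ERROR_200: string = '{"error":"invalid_grant","error_description":"code expired"}';
const SAMPLE_TOKENS_200: string = '{"access_token":"example-token","token_type":"bearer"}';
```

Checking `error` before the status code means the same branch handles a conforming 4xx error and a 200 that carries one.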