Class: OauthDiscoveryController

Inherits:

ActionController::Base

• Object
• ActionController::Base
• OauthDiscoveryController

Defined in:

app/controllers/oauth_discovery_controller.rb

Overview

Surfaces the MCP gateway's OAuth discovery metadata on WarmlyYours' public
origins (www / apex / api / crm), so a crawler or AI agent scanning the main
site can discover how to authenticate — even though the OAuth 2.1
authorization server itself lives on the mcp.* subdomain.

GET /.well-known/oauth-authorization-server → RFC 8414 (issuer = MCP gateway)
GET /.well-known/oauth-protected-resource → RFC 9728 (this origin → MCP AS)

Both documents point at the canonical MCP issuer (MCP_URL) rather than the
serving origin: those origins are not themselves authorization servers, so
the AS metadata advertises the gateway's real endpoints, and the
protected-resource metadata names the gateway as the authorization server for
this origin. The gateway serves its own self-describing copies on mcp.*
(see Mcp::OauthMetadataController); the routes for this controller are
constrained to NON-mcp hosts so they never shadow those.

There is no /.well-known/openid-configuration because the gateway is pure
OAuth 2.1, not an OpenID Connect provider; see Mcp::DiscoveryMetadata for
the (deliberate) absence of jwks_uri.

Inherits from ActionController::Base (not ApplicationController) so no
auth/locale/session filters run, and the documents are publicly cacheable —
the same pattern as RobotsController and ApiCatalogController.

See Also:

• Mcp::DiscoveryMetadata
• Mcp::OauthMetadataController
• OauthDiscoveryControllerTest

Constant Summary

CACHE_TTL =

Edge/browser cache TTL; the metadata changes only on deploy.

1.hour

Instance Method Summary

• #authorization_server ⇒ void

  RFC 8414 Authorization Server Metadata for the canonical MCP issuer.

• #protected_resource ⇒ void

  RFC 9728 Protected Resource Metadata: this origin, with the MCP gateway as its authorization server.

Instance Method Details

#authorization_server ⇒ void

This method returns an undefined value.

RFC 8414 Authorization Server Metadata for the canonical MCP issuer.

# File 'app/controllers/oauth_discovery_controller.rb', line 40

def authorization_server
  render_metadata Mcp::DiscoveryMetadata.authorization_server(issuer: MCP_URL)
end

#protected_resource ⇒ void

This method returns an undefined value.

RFC 9728 Protected Resource Metadata: this origin, with the MCP gateway as
its authorization server.

# File 'app/controllers/oauth_discovery_controller.rb', line 48

def protected_resource
  render_metadata Mcp::DiscoveryMetadata.protected_resource(
    resource: request_origin,
    authorization_servers: [MCP_URL]
  )
end