init

Author: saucow

.github/CODEOWNERS

@@ -0,0 +1,2 @@
+# Global owners
+*   @docker/ai-tools-team

.golangci.yml

@@ -0,0 +1,56 @@
+version: "2"
+linters:
+  default: none
+  enable:
+    - containedctx
+    - copyloopvar
+    - errcheck
+    - ginkgolinter
+    - gocritic
+    - govet
+    - importas      # Enforces consistent import aliases.
+    - ineffassign
+    - misspell
+    - nakedret
+    - nolintlint
+    - revive
+    - staticcheck
+    - unconvert
+    - unparam
+    - unused
+    - usestdlibvars
+    - noctx
+    - nilnil
+    - testifylint
+    - intrange
+    - thelper
+    - forbidigo
+
+  settings:
+    forbidigo:
+      forbid:
+        - pattern: ^os\.UserHomeDir
+          message: "Do not use os.UserHomeDir(). Use user.HomeDir() instead."
+    gocritic:
+      disabled-checks:
+        - ifElseChain
+        - exitAfterDefer
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - std-error-handling
+formatters:
+  enable:
+    - gofmt
+    - gofumpt
+    - goimports
+  settings:
+    gofmt:
+      simplify: false
+      rewrite-rules:
+        - pattern: interface{}
+          replacement: any
+    goimports:
+      local-prefixes:
+        - github.com/docker/mcp-gateway-oauth-helpers

Dockerfile

@@ -0,0 +1,43 @@
+#syntax=docker/dockerfile:1
+
+ARG GO_VERSION=1.24.5
+
+FROM --platform=${BUILDPLATFORM} golangci/golangci-lint:v2.1.6-alpine AS lint-base
+
+FROM --platform=${BUILDPLATFORM} golang:${GO_VERSION}-alpine AS base
+RUN apk add --no-cache git rsync
+WORKDIR /app
+
+FROM base AS lint
+COPY --from=lint-base /usr/bin/golangci-lint /usr/bin/golangci-lint
+ARG TARGETOS
+ARG TARGETARCH
+RUN --mount=target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/root/.cache/golangci-lint <<EOD
+    set -e
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} golangci-lint --timeout 30m0s run ./...
+EOD
+
+FROM base AS test
+ARG TARGETOS
+ARG TARGETARCH
+RUN --mount=target=. \
+    --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build <<EOD
+    set -e
+    CGO_ENABLED=0 go test -short --count=1 -v ./...
+EOD
+
+FROM base AS do-format
+RUN --mount=type=cache,target=/go/pkg/mod \
+    --mount=type=cache,target=/root/.cache/go-build \
+    go install golang.org/x/tools/cmd/goimports@latest \
+    && go install mvdan.cc/gofumpt@latest
+COPY . .
+RUN goimports -local github.com/docker/mcp-gateway-oauth-helpers -w .
+RUN gofumpt -w .
+
+FROM scratch AS format
+COPY --from=do-format /app .

Makefile

@@ -0,0 +1,23 @@
+# Makefile for mcp-gateway-oauth-helpers library
+
+.PHONY: format lint test clean
+
+# Format Go code using Docker
+format:
+	docker buildx build --target=format -o . .
+
+# Run linting using Docker
+lint:
+	docker buildx build --target=lint --platform=linux,darwin,windows .
+
+# Run linting for specific platform
+lint-%:
+	docker buildx build --target=lint --platform=$* .
+
+# Run tests using Docker
+test:
+	docker buildx build --target=test .
+
+# Clean build cache
+clean:
+	docker buildx prune -f

README.md

@@ -0,0 +1,11 @@
+# MCP Gateway OAuth Helpers
+
+Library containing OAuth Dynamic Client Registration (DCR) functionality for MCP servers.
+
+## Purpose
+
+This library provides the core OAuth/DCR functions for MCP Gateway:
+
+- **OAuth Discovery**: Discover OAuth requirements from MCP servers (RFC 9728 + 8414)
+- **Dynamic Client Registration**: Register OAuth clients automatically (RFC 7591)
+- **WWW-Authenticate Parsing**: Parse OAuth challenge headers

SECURITY.md

@@ -0,0 +1,36 @@
+# Security Policy
+
+The maintainers of Docker MCP Gateway take security seriously. If you discover
+a security issue, please bring it to their attention right away!
+
+## Reporting a Vulnerability
+
+Please **DO NOT** file a public issue, instead send your report privately
+to [[email protected]](mailto:[email protected]).
+
+Reporter(s) can expect a response within 72 hours, acknowledging the issue was
+received.
+
+## Review Process
+
+After receiving the report, an initial triage and technical analysis is
+performed to confirm the report and determine its scope. We may request
+additional information in this stage of the process.
+
+Once a reviewer has confirmed the relevance of the report, a draft security
+advisory will be created on GitHub. The draft advisory will be used to discuss
+the issue with maintainers, the reporter(s), and where applicable, other
+affected parties under embargo.
+
+If the vulnerability is accepted, a timeline for developing a patch, public
+disclosure, and patch release will be determined. If there is an embargo period
+on public disclosure before the patch release, the reporter(s) are expected to
+participate in the discussion of the timeline and abide by agreed upon dates
+for public disclosure.
+
+## Accreditation
+
+Security reports are greatly appreciated and we will publicly thank you,
+although we will keep your name confidential if you request it. We also like to
+send gifts - if you're into swag, make sure to let us know. We do not currently
+offer a paid security bounty program at this time.

dcr.go

@@ -0,0 +1,133 @@
+package oauth
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+// PerformDCR performs Dynamic Client Registration with the authorization server
+// Returns client credentials for the registered public client
+//
+// RFC 7591 COMPLIANCE:
+// - Uses token_endpoint_auth_method="none" for public clients
+// - Includes redirect_uris pointing to mcp-oauth proxy
+// - Requests authorization_code and refresh_token grant types
+func PerformDCR(ctx context.Context, discovery *Discovery, serverName string) (*ClientCredentials, error) {
+	if discovery.RegistrationEndpoint == "" {
+		return nil, fmt.Errorf("no registration endpoint found for %s", serverName)
+	}
+
+	// Build DCR request for PUBLIC client
+	registration := DCRRequest{
+		ClientName: fmt.Sprintf("MCP Gateway - %s", serverName),
+		RedirectURIs: []string{
+			"https://mcp.docker.com/oauth/callback", // mcp-oauth proxy callback only
+		},
+		TokenEndpointAuthMethod: "none", // PUBLIC client (no client secret)
+		GrantTypes:              []string{"authorization_code", "refresh_token"},
+		ResponseTypes:           []string{"code"},
+
+		// Additional metadata for better client identification
+		ClientURI:       "https://github.com/docker/mcp-gateway",
+		SoftwareID:      "mcp-gateway",
+		SoftwareVersion: "1.0.0",
+		Contacts:        []string{"[email protected]"},
+	}
+
+	// Add requested scopes if provided
+	if len(discovery.Scopes) > 0 {
+		registration.Scope = joinScopes(discovery.Scopes)
+	} else {
+	}
+
+	// Marshal the registration request
+	body, err := json.Marshal(registration)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal DCR request: %w", err)
+	}
+
+	// Create HTTP request
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, discovery.RegistrationEndpoint, bytes.NewReader(body))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create DCR request: %w", err)
+	}
+
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("User-Agent", "MCP-Gateway/1.0.0")
+
+	// Send the request
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to send DCR request to %s: %w", discovery.RegistrationEndpoint, err)
+	}
+	defer resp.Body.Close()
+
+	// Check response status (201 Created or 200 OK are acceptable)
+	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
+		// Read error response body to understand why DCR failed
+		errorBody, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return nil, fmt.Errorf("DCR failed with status %d for %s", resp.StatusCode, serverName)
+		}
+
+		errorMsg := string(errorBody)
+
+		// Try to parse as JSON for structured error
+		var errorResp map[string]any
+		if err := json.Unmarshal(errorBody, &errorResp); err == nil {
+			// Successfully parsed as JSON - look for common error fields
+			if errDesc, ok := errorResp["error_description"].(string); ok {
+				errorMsg = errDesc
+			} else if errField, ok := errorResp["error"].(string); ok {
+				errorMsg = errField
+			} else if message, ok := errorResp["message"].(string); ok {
+				errorMsg = message
+			}
+		}
+
+		return nil, fmt.Errorf("DCR failed with status %d for %s: %s", resp.StatusCode, serverName, errorMsg)
+	}
+
+	// Parse the response
+	var dcrResponse DCRResponse
+	if err := json.NewDecoder(resp.Body).Decode(&dcrResponse); err != nil {
+		return nil, fmt.Errorf("failed to decode DCR response: %w", err)
+	}
+
+	if dcrResponse.ClientID == "" {
+		return nil, fmt.Errorf("DCR response missing client_id for %s", serverName)
+	}
+
+	// Create client credentials (public client - no secret)
+	creds := &ClientCredentials{
+		ClientID:              dcrResponse.ClientID,
+		ServerURL:             discovery.ResourceURL,
+		IsPublic:              true,
+		AuthorizationEndpoint: discovery.AuthorizationEndpoint,
+		TokenEndpoint:         discovery.TokenEndpoint,
+		// No ClientSecret for public clients
+	}
+
+	return creds, nil
+}
+
+// joinScopes joins a slice of scopes into a space-separated string
+// per OAuth 2.0 specification (RFC 6749 Section 3.3)
+func joinScopes(scopes []string) string {
+	if len(scopes) == 0 {
+		return ""
+	}
+
+	// Use simple string concatenation for small arrays
+	result := scopes[0]
+	for i := 1; i < len(scopes); i++ {
+		result += " " + scopes[i]
+	}
+	return result
+}