AuthorizationServerMetadata

OAuth 2.0 Authorization Server Metadata (RFC 8414).

@safe

struct AuthorizationServerMetadata {

string issuer;

string authorizationEndpoint;

string tokenEndpoint;

string registrationEndpoint;

string[] codeChallengeMethodsSupported;

string[] scopesSupported;

string[] grantTypesSupported;

string[] tokenEndpointAuthMethodsSupported;

string[] responseTypesSupported;

bool authorizationResponseIssParameterSupported;

bool clientIdMetadataDocumentSupported;

bool metadataDocumentDiscovered;

bool supportsS256();

}

Members

Functions

supportsS256 bool supportsS256(): PKCE S256 support is mandatory for MCP; clients MUST refuse otherwise.

Variables

authorizationResponseIssParameterSupported bool authorizationResponseIssParameterSupported;: RFC 9207: whether the AS includes the iss parameter in authorization responses. When true, clients MUST require and validate iss.
clientIdMetadataDocumentSupported bool clientIdMetadataDocumentSupported;: SEP-991: whether the AS supports OAuth Client ID Metadata Documents (an HTTPS-URL client_id that points at a hosted client metadata document). When true, a client SHOULD prefer this over Dynamic Client Registration.
metadataDocumentDiscovered bool metadataDocumentDiscovered;: Whether this metadata was parsed from an actual authorization-server metadata document discovered via RFC 8414 / OpenID Connect Discovery (true), as opposed to synthesized from default endpoints for the 2025-03-26 no-document endpoint fallback (false). The MCP authorization spec ("Authorization Code Protection") requires clients to refuse when a *discovered* document omits code_challenge_methods_supported; the no-document fallback case is treated separately. Set by fromJson.
responseTypesSupported string[] responseTypesSupported;: RFC 8414 §2: REQUIRED when authorization_endpoint is present. Lists the OAuth response_type values the server supports (e.g. ["code"]).