Construct with an explicit ConsentStore (e.g. a shared-storage-backed store for a multi-process deployment). The store records which dynamically-registered clients (keyed by their redirect_uri) the user has approved, so authorize can enforce the confused-deputy consent MUST.
Construct with explicit ConsentStore and RedirectUriRegistry. The registry records the exact redirect_uris each client presents at /register so authorize can reject any redirect_uri that was never registered (RFC 6749 §3.1.2.2 / §10.6).
Build the upstream authorization redirect for a proxied /authorize, gated on per-client user consent (confused-deputy mitigation).
Build the upstream authorization redirect WITHOUT the per-client consent gate, for flows that do their own consent enforcement. The clientRedirectUri is still validated against the registered allowlist and scheme rules (RFC 6749 §3.1.2.2 / RFC 8252) — the ungated path cannot relay a code to an unregistered redirect_uri. For dynamically-registered clients prefer the consent-gated authorize overload, which additionally enforces the confused-deputy consent MUST.
The proxy's configuration.
Record that the user has approved the dynamically-registered client identified by its clientRedirectUri. Call this once the user approves on the proxy's own consent screen; subsequent authorize calls for that client will then be allowed to forward to the upstream IdP.
Whether the dynamically-registered client identified by its clientRedirectUri has already been granted user consent to be forwarded to the upstream identity provider.
The RFC 8414 AS metadata document to serve at the well-known path.
Build the upstream refresh-token-exchange form for a proxied /token request carrying grant_type=refresh_token. Relays the client-supplied refresh_token to the upstream token endpoint with the fixed upstream credentials and (RFC 8707) resource, so a client that obtained a refresh token via the proxy can refresh through it — matching the refresh_token grant the proxy advertises in its AS metadata.
Handle a DCR (/register) request: persist the exact client redirect_uris into the registry (so a later /authorize can be checked against them) and return the registration response. The fixed upstream client_id is shared across clients, so the registry is keyed by a server-issued registration handle rather than that shared id.
The RFC 9728 PRM document to serve at the protected-resource well-known.
The optional Basic-auth header for the upstream token request.
Build the upstream token-exchange form for a proxied /token.
Reject a client redirect_uri that is not safe to relay an authorization code to. Fails closed by throwing InvalidRedirectUriException when the redirect_uri is empty, uses a disallowed scheme (RFC 8252 §7.3), or is not an exact match against any previously-registered redirect_uri (RFC 6749 §3.1.2.2 / §10.6). Called by both authorize overloads before any proxy state is minted or the request is forwarded upstream.
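As an added illustration (not the project's own code; class and function names such as RedirectUriRegistry, validate_redirect_uri and is_rejected are assumed), the fail-closed check described above together with the exact-match registry filled at /register, in Python against a constructed registry:

```python
from urllib.parse import urlsplit

class InvalidRedirectUriException(ValueError):
    """Thrown to fail closed on a redirect_uri that must not receive a code."""

class RedirectUriRegistry:
    """Exact redirect_uris persisted at /register, keyed by a server-issued handle."""
    def __init__(self):
        self._uris = {}  # handle -> frozenset of exact redirect_uri strings

    def register(self, handle, redirect_uris):
        self._uris[handle] = frozenset(redirect_uris)

    def is_registered(self, handle, redirect_uri):
        # RFC 6749 §3.1.2.2: simple string comparison, never prefix/pattern matching
        return redirect_uri in self._uris.get(handle, frozenset())

def scheme_allowed(redirect_uri):
    """Assumed policy: https (RFC 8252 §7.2), http only to a loopback host (§7.3),
    reverse-DNS private-use schemes (§7.1); javascript:, data:, file: are refused."""
    parts = urlsplit(redirect_uri)
    if parts.scheme == "https":
        return True
    if parts.scheme == "http":
        return parts.hostname in {"127.0.0.1", "::1"}  # RFC 8252 §7.3 loopback
    return "." in parts.scheme  # e.g. com.example.app:/oauth2redirect

def validate_redirect_uri(registry, handle, redirect_uri):
    """Fail closed in the order described above: empty, bad scheme, unregistered.
    Caveat: RFC 8252 §7.3 allows loopback port variation; exact matching does not."""
    if not redirect_uri:
        raise InvalidRedirectUriException("redirect_uri is required")
    if not scheme_allowed(redirect_uri):
        raise InvalidRedirectUriException("redirect_uri scheme is not allowed")
    if not registry.is_registered(handle, redirect_uri):
        raise InvalidRedirectUriException("redirect_uri was never registered")
    return redirect_uri

def is_rejected(registry, handle, redirect_uri):
    try:
        validate_redirect_uri(registry, handle, redirect_uri)
    except InvalidRedirectUriException:
        return True
    return False

# Constructed sample: two registrations behind one shared upstream client_id.
REGISTRY = RedirectUriRegistry()
REGISTRY.register("reg-1", ["https://app.example/cb", "http://127.0.0.1:43123/cb"])
REGISTRY.register("reg-2", ["com.example.app:/oauth2redirect"])
```

Because the registry is keyed by the registration handle, a redirect_uri registered by one client is still rejected when presented under another client's handle, even though both share the upstream client_id.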
A TokenValidator that validates an incoming MCP bearer token (an upstream access token) via the configured tokenVerifier. Plug into ResourceServerConfig.validator.
A reusable OAuth proxy provider. Construct it from an OAuthProxyConfig, then read the metadata surface to publish, drive the authorize/token proxying, and obtain a TokenValidator for ResourceServerConfig.validator.