Implement OAuth 2.0 Protected Resource Metadata

What

Indicate locations of authorization servers for MCP authorization server discovery.

Why

Adherence to MCP spec for RFC 9728.

Implementation Plan

  • Create a Resource Metadata Endpoint
    • Create a new endpoint that provides metadata about GitLab's resources. (Likely just scoped to MCP for now)
    • Add matching Rails route
Claude came up with this, I've not verified it yet. 
# app/controllers/oauth/resource_metadata_controller.rb
class Oauth::ResourceMetadataController < ApplicationController
  skip_before_action :authenticate_user!
  
  def show
    render json: {
      resource_server: Gitlab.config.gitlab.url,
      resource_server_name: "GitLab",
      resource_documentation: "#{Gitlab.config.gitlab.url}/help/api/oauth2.md",
      scopes_supported: supported_scopes,
      resource_endpoints: resource_endpoints,
      token_endpoint_auth_methods_supported: [
        "client_secret_basic",
        "client_secret_post"
      ],
      resource_signing_alg_values_supported: ["RS256"],
      resource_server_jwks_uri: "#{Gitlab.config.gitlab.url}/oauth/discovery/keys",
      resource_server_scopes_supported: supported_scopes,
      resource_server_metadata_uri: "#{Gitlab.config.gitlab.url}/.well-known/resource-metadata"
    }
  end

  private

  def supported_scopes
    Doorkeeper.configuration.scopes.all.map(&:to_s)
  end

  def resource_endpoints
    {
      api: "#{Gitlab.config.gitlab.url}/api/v4",
      userinfo: "#{Gitlab.config.gitlab.url}/oauth/userinfo",
      git_http: "#{Gitlab.config.gitlab.url}/*.git",
      container_registry: "#{Gitlab.config.gitlab.url}:5000",
      package_registry: "#{Gitlab.config.gitlab.url}/api/v4/packages"
    }
  end
end
Edited by Max Woolf