Description
Currently, the "authorization server metadata" URL is hard-coded: /.well-known/oauth-authorization-server.
As a result, it is not possible to define multiple authorization servers on the same domain.
According to the specs [1], the resource server can indicate the "protected resource metadata" URL with the resource_metadata parameter in the WWW-Authenticate header. This allows customizing the location of the authorization server and making the same domain multi-tenant.
To support this, the OAuth provider requires the following capabilities.
- Ability to customize the "AS metadata URL"
- Add hosting for "protected resource metadata" [2]
- Add the resource_metadata parameter to 401 responses pointing to "protected resource metadata"
- (Optional) Ability to customize the issuer in the "AS metadata" response
[1] https://modelcontextprotocol.io/specification/draft/basic/authorization#server-metadata-discovery
    https://datatracker.ietf.org/doc/html/rfc9728#section-5.1
[2] https://datatracker.ietf.org/doc/html/rfc9728#section-3.2
Update
More details about the protocol
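As an added illustration of the flow the issue describes (not code from the provider or from the issue author): a per-tenant resource server builds the RFC 9728 metadata URL and the 401 challenge carrying resource_metadata, and a client parses the challenge and accepts the metadata only if its resource field matches what it actually requested. All function names are hypothetical.

```typescript
// Added example; hypothetical standalone helpers, not the provider's API.
interface ProtectedResourceMetadata {
  resource: string;
  authorization_servers: string[];
  bearer_methods_supported?: string[];
}

// RFC 9728 section 3.1: the well-known suffix is inserted between the host and
// the resource's path, so each tenant path gets its own metadata document.
function protectedResourceMetadataUrl(resource: string): string {
  const u = new URL(resource);
  const path = u.pathname === "/" ? "" : u.pathname.replace(/\/$/, "");
  return `${u.origin}/.well-known/oauth-protected-resource${path}`;
}

// The document hosted at that URL; one per tenant, each naming its own AS.
function protectedResourceMetadata(resource: string, authServer: string): ProtectedResourceMetadata {
  return { resource, authorization_servers: [authServer], bearer_methods_supported: ["header"] };
}

// WWW-Authenticate value for the 401 response (RFC 9728 section 5.1).
function wwwAuthenticate(resource: string): string {
  return `Bearer resource_metadata="${protectedResourceMetadataUrl(resource)}"`;
}

// Client side: extract the resource_metadata parameter from the challenge.
function parseResourceMetadataParam(header: string): string | null {
  const m = /(?:^|[\s,])resource_metadata="([^"]*)"/.exec(header);
  return m?.[1] ?? null;
}

// Client side: RFC 9728 section 3.3 requires the `resource` value to be identical
// to the requested resource. Checking it (and the metadata URL's origin) rejects a
// document served for another tenant or a different host instead of trusting it.
function validateMetadata(requested: string, metadataUrl: string, doc: ProtectedResourceMetadata): boolean {
  if (new URL(metadataUrl).origin !== new URL(requested).origin) return false;
  if (doc.resource !== requested) return false;
  return doc.authorization_servers.length > 0 &&
    doc.authorization_servers.every((as) => new URL(as).protocol === "https:");
}
```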