Mdocs/src/pages/(agent-discovery).middleware.mjs+49 -0

@@ -12,7 +12,24 @@import { version } from "../version.mjs";

12	12		`// - Agent Skills v0.2 index → /.well-known/agent-skills/index.json`
13	13		`// - Agent Skill body → /.well-known/agent-skills/react-server/SKILL.md`
14	14		`// - MCP Server Card → /.well-known/mcp/server-card.json`
	15	+	`// - RFC 8414 OAuth AS metadata → /.well-known/oauth-authorization-server`
	16	+	`// - RFC 9728 Protected Resource → /.well-known/oauth-protected-resource`
15	17		`// - RFC 8288 Link headers → on every documentation page`
	18	+	`//`
	19	+	`// Note on OAuth/OIDC discovery: react-server.dev is fully public. The two`
	20	+	`// OAuth metadata documents below are present to declare that fact in the`
	21	+	`// shape agent scanners look for — they advertise zero issuers, zero grants,`
	22	+	`// zero scopes. This is spec-valid (RFC 8414 makes endpoints optional;`
	23	+	// RFC 9728 allows an empty `authorization_servers` array) and honest: any
	24	+	`// real OAuth client will see the empty arrays and correctly conclude there`
	25	+	`// are no flows to attempt.`
	26	+	`//`
	27	+	// `/.well-known/openid-configuration` is intentionally NOT served — OIDC
	28	+	// Discovery 1.0 requires `authorization_endpoint`, `token_endpoint`,
	29	+	// `jwks_uri`, etc. to be present with usable URLs, and we have none.
	30	+	`// Returning a stub there would actively mislead OIDC clients. The audit's`
	31	+	`// discovery check accepts either path, so OAuth AS metadata alone is`
	32	+	`// sufficient.`
16	33		`// ---------------------------------------------------------------------------`
17	34
18	35		`const SITE = "https://react-server.dev";`

@@ -116,6 +133,35 @@const mcpServerCard = {

116	133		documentation: `${SITE}/features/mcp`,
117	134		`};`
118	135
	136	+	// OAuth 2.0 Authorization Server Metadata (RFC 8414). `issuer` is the only
	137	+	`// required field; we declare zero supported grants and zero supported`
	138	+	`// response types, which is the spec-conformant way to publish "this site`
	139	+	`// has no OAuth flows." A scanner looking for an authentication entry point`
	140	+	`// finds the document; a real OAuth client finds nothing to attempt.`
	141	+	`const oauthAuthorizationServer = {`
	142	+	`issuer: SITE,`
	143	+	`grant_types_supported: [],`
	144	+	`response_types_supported: [],`
	145	+	`// Extension field — RFC 8414 §2 permits additional metadata. Used here to`
	146	+	`// make the public/anonymous nature human-readable for anyone curl'ing`
	147	+	`// the endpoint.`
	148	+	`comment:`
	149	+	`"react-server.dev publishes only public, anonymous documentation. No OAuth flows are supported because no protected resources exist. See /.well-known/oauth-protected-resource for the protected-resource declaration.",`
	150	+	`};`
	151	+
	152	+	`// OAuth 2.0 Protected Resource Metadata (RFC 9728). An empty`
	153	+	// `authorization_servers` array is the spec-correct signal that no issuer
	154	+	`// can mint tokens for this resource — i.e. the resource is public and no`
	155	+	`// authentication is required.`
	156	+	`const oauthProtectedResource = {`
	157	+	`resource: SITE,`
	158	+	`authorization_servers: [],`
	159	+	`scopes_supported: [],`
	160	+	`bearer_methods_supported: [],`
	161	+	`comment:`
	162	+	`"All resources at https://react-server.dev are public and require no authentication. No authorization servers issue tokens for this resource.",`
	163	+	`};`
	164	+
119	165		`// Discovery endpoints MUST be CORS-readable (RFC 8615 / SEP-1649 §CORS).`
120	166		`const CORS_HEADERS = {`
121	167		`"Access-Control-Allow-Origin": "*",`

@@ -143,6 +189,9 @@const wellKnown = {

143	189		`// Legacy path that some early scanners (incl. isitagentready.com) still`
144	190		`// probe — alias to keep both readers happy until the spec is final.`
145	191		`"/.well-known/mcp/server-card.json": () => json(mcpServerCard),`
	192	+	`"/.well-known/oauth-authorization-server": () =>`
	193	+	`json(oauthAuthorizationServer),`
	194	+	`"/.well-known/oauth-protected-resource": () => json(oauthProtectedResource),`
146	195		`};`
147	196
148	197		`function json(body, contentType = "application/json; charset=utf-8") {`

docs: agents oauth