cxxmcp 1.1.6
C++ MCP SDK
mcp::auth::OAuthClientOrchestrator Class Reference

High-level OAuth 2.1 client orchestrator.

#include <client_orchestrator.hpp>

Public Member Functions

 OAuthClientOrchestrator (OAuthClientOrchestratorConfig config, OAuthClientCallback &callback, OAuthMetadataEndpoint &metadata_endpoint, OAuthTokenEndpoint &token_endpoint, PkceGenerator &pkce_generator, OAuthClientRegistrationEndpoint *registration_endpoint=nullptr)
 Construct an orchestrator with all required dependencies.
 
core::Result< TokenSet > authorize ()
 Execute the full OAuth authorization flow.
 
core::Result< std::string > get_access_token ()
 Get a valid access token, refreshing if necessary.
 
core::Result< OAuthRefreshRetryResult > handle_auth_response (const HttpResponseMetadata &response)
 Handle a 401/403 response and attempt recovery.
 
OAuthLifecycleState lifecycle_state () const
 Get the current lifecycle state.
 
const OAuthClientConfig client_config () const
 Get the current client configuration.
 
const std::optional< AuthorizationServerMetadata > & metadata () const
 Get the discovered authorization server metadata.
 
const std::optional< ProtectedResourceMetadata > & protected_resource_metadata () const
 Get the discovered protected resource metadata.
 

Detailed Description

High-level OAuth 2.1 client orchestrator.

Wraps AuthorizationManager with the missing orchestration steps:

  1. Discover metadata from the resource URL
  2. Register client via DCR (if needed)
  3. Build authorization URL with PKCE
  4. Present URL to user via callback
  5. Wait for authorization code via callback
  6. Exchange code for tokens
  7. Auto-refresh expired tokens

All network I/O is injected via OAuthMetadataEndpoint, OAuthTokenEndpoint, and optionally OAuthClientRegistrationEndpoint. User interaction is injected via OAuthClientCallback.

Constructor & Destructor Documentation

◆ OAuthClientOrchestrator()

mcp::auth::OAuthClientOrchestrator::OAuthClientOrchestrator ( OAuthClientOrchestratorConfig config,
OAuthClientCallback & callback,
OAuthMetadataEndpoint & metadata_endpoint,
OAuthTokenEndpoint & token_endpoint,
PkceGenerator & pkce_generator,
OAuthClientRegistrationEndpoint * registration_endpoint = nullptr
)
inline

Construct an orchestrator with all required dependencies.

Parameters
config                 Orchestrator configuration (resource URL, scopes, etc.)
callback               Application callback for presenting auth URL and receiving the authorization code.
metadata_endpoint      Network boundary for metadata discovery.
token_endpoint         Network boundary for token exchange/refresh.
pkce_generator         PKCE challenge generator (OpenSslPkceGenerator).
registration_endpoint  Optional DCR endpoint. When null, the client_id must be pre-configured.

Member Function Documentation

◆ authorize()

core::Result< TokenSet > mcp::auth::OAuthClientOrchestrator::authorize ( )
inline

Execute the full OAuth authorization flow.

Discovers metadata, registers the client (if needed), presents the authorization URL, waits for the callback, and exchanges the code for tokens. After this call, get_access_token() returns a valid bearer token.

Returns
The token set on success.

◆ get_access_token()

core::Result< std::string > mcp::auth::OAuthClientOrchestrator::get_access_token ( )
inline

Get a valid access token, refreshing if necessary.

Must be called after a successful authorize() call.

Returns
The access token string, or an error if no token is available and cannot be refreshed.

◆ handle_auth_response()

core::Result< OAuthRefreshRetryResult > mcp::auth::OAuthClientOrchestrator::handle_auth_response ( const HttpResponseMetadata & response)
inline

Handle a 401/403 response and attempt recovery.

Analyzes the WWW-Authenticate header and attempts token refresh or scope upgrade if appropriate.

Parameters
response  The HTTP response metadata (status code + headers).
Returns
A retry result indicating whether the request should be retried with a new bearer token.
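
The kind of WWW-Authenticate analysis described above, sketched as an added example that is not cxxmcp's own code: it parses a Bearer challenge per RFC 6750 and maps the status code and `error` parameter to a recovery action. The names `Recovery`, `Decision`, `parse_bearer` and `classify` are hypothetical, and the header values used to exercise it are constructed.

```cpp
// Added illustration; every name here is hypothetical, not cxxmcp API.
#include <cctype>
#include <map>
#include <string>

enum class Recovery { None, RefreshToken, UpgradeScope };
struct Decision { Recovery action; std::string scope; };

// Parse a `Bearer k="v", k2=v2` challenge (RFC 6750 section 3).
// Returns false when the scheme is not Bearer; keys are lower-cased.
bool parse_bearer(const std::string& h, std::map<std::string, std::string>& out) {
    const std::string scheme = "bearer";
    if (h.size() < scheme.size()) return false;
    for (size_t i = 0; i < scheme.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(h[i])) != scheme[i]) return false;
    if (h.size() > scheme.size() && h[scheme.size()] != ' ') return false;
    size_t i = scheme.size();
    while (i < h.size()) {
        while (i < h.size() && (h[i] == ' ' || h[i] == ',')) ++i;  // separators
        size_t eq = h.find('=', i);
        if (eq == std::string::npos) break;
        std::string key, val;
        for (; i < eq; ++i)
            key += static_cast<char>(std::tolower(static_cast<unsigned char>(h[i])));
        i = eq + 1;
        if (i < h.size() && h[i] == '"') {                  // quoted-string value
            for (++i; i < h.size() && h[i] != '"'; ++i) {
                if (h[i] == '\\' && i + 1 < h.size()) ++i;  // quoted-pair escape
                val += h[i];
            }
            ++i;                                            // skip closing quote
        } else {                                            // bare token value
            while (i < h.size() && h[i] != ',' && h[i] != ' ') val += h[i++];
        }
        out[key] = val;
    }
    return true;
}

// Decide what a client can try before giving up on the request.
Decision classify(int status, const std::string& www_authenticate) {
    std::map<std::string, std::string> p;
    if (!parse_bearer(www_authenticate, p)) return {Recovery::None, ""};
    if (status == 401 && p["error"] == "invalid_token")
        return {Recovery::RefreshToken, ""};
    if (status == 403 && p["error"] == "insufficient_scope")
        return {Recovery::UpgradeScope, p["scope"]};  // scope the server asks for
    return {Recovery::None, ""};
}
```

A challenge that is not Bearer, or a Bearer challenge without an `error` parameter, yields `Recovery::None`, so the caller does not loop on refresh attempts for failures a new token cannot fix.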

The documentation for this class was generated from the following file: