Bump version to 0.1.16 and add RFC 9728 OAuth discovery with JWT authentication

Add server-side OAuth Protected Resource Metadata (RFC 9728), client-side
discovery via http_oauth_metadata() and 401-based flow, and a jwt_authenticate()
factory using Authlib for turnkey JWKS-backed JWT validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: rustyconover

docs/api/index.md

@@ -21,6 +21,7 @@ Everything else is optional and can be added incrementally.
 | [Core RPC](core.md) | `RpcServer`, `RpcConnection`, errors, `serve_pipe`, `connect` | Yes |
 | [Streaming](streaming.md) | `Stream`, `StreamState`, `ProducerState`, `ExchangeState` | If using streams |
 | [Auth & Context](auth.md) | `AuthContext`, `CallContext`, `ClientLog` | If using auth or logging |
+| [OAuth Discovery](oauth.md) | `OAuthResourceMetadata`, `jwt_authenticate`, `http_oauth_metadata` | `pip install vgi-rpc[http,oauth]` |
 | [Transports](transports.md) | `PipeTransport`, `SubprocessTransport`, `ShmPipeTransport` | Built-in |
 | [Serialization](serialization.md) | `ArrowSerializableDataclass`, `ArrowType`, `IpcValidation` | If using custom dataclasses |
 | [HTTP](http.md) | `make_wsgi_app`, `http_connect`, `make_sync_client` | `pip install vgi-rpc[http]` |

docs/api/oauth.md

@@ -0,0 +1,187 @@
+# OAuth Discovery
+
+RFC 9728 Protected Resource Metadata and JWT authentication for vgi-rpc HTTP services.
+
+## Quick Overview
+
+vgi-rpc HTTP servers can advertise their OAuth configuration so clients
+discover auth requirements automatically — no out-of-band configuration needed.
+
+### Server setup
+
+```python
+from vgi_rpc.http import OAuthResourceMetadata, jwt_authenticate, make_wsgi_app
+from vgi_rpc import RpcServer
+
+metadata = OAuthResourceMetadata(
+    resource="https://api.example.com/vgi",
+    authorization_servers=("https://auth.example.com",),
+    scopes_supported=("read", "write"),
+)
+
+auth = jwt_authenticate(
+    issuer="https://auth.example.com",
+    audience="https://api.example.com/vgi",
+)
+
+server = RpcServer(MyService, MyServiceImpl())
+app = make_wsgi_app(
+    server,
+    authenticate=auth,
+    oauth_resource_metadata=metadata,
+)
+```
+
+### Client discovery
+
+```python
+from vgi_rpc.http import http_oauth_metadata, http_connect
+
+meta = http_oauth_metadata("https://api.example.com")
+print(meta.authorization_servers)  # ("https://auth.example.com",)
+
+with http_connect(MyService, "https://api.example.com") as svc:
+    result = svc.protected_method()
+```
+
+## How It Works
+
+1. Server serves `/.well-known/oauth-protected-resource` (RFC 9728)
+2. 401 responses include `WWW-Authenticate: Bearer resource_metadata="..."`
+3. Client fetches metadata to discover authorization server(s)
+4. Client authenticates with the AS and sends Bearer token
+
+### Discovery from a 401
+
+If a client doesn't know the server's auth requirements upfront, it can
+discover them from a 401 response:
+
+```python
+from vgi_rpc.http import parse_resource_metadata_url, fetch_oauth_metadata
+
+# 1. Make a request that returns 401
+resp = client.post("/vgi/my_method", ...)
+
+# 2. Parse the metadata URL from WWW-Authenticate header
+www_auth = resp.headers["www-authenticate"]
+metadata_url = parse_resource_metadata_url(www_auth)
+# "https://api.example.com/.well-known/oauth-protected-resource/vgi"
+
+# 3. Fetch the metadata
+meta = fetch_oauth_metadata(metadata_url)
+print(meta.authorization_servers)  # use these to authenticate
+```
+
+## OAuthResourceMetadata
+
+Frozen dataclass configuring the server's RFC 9728 metadata document.
+Pass to `make_wsgi_app(oauth_resource_metadata=...)` to enable OAuth discovery.
+
+| Field | Type | Required | Description |
+|---|---|---|---|
+| `resource` | `str` | Yes | Canonical URL of the protected resource |
+| `authorization_servers` | `tuple[str, ...]` | Yes | Authorization server issuer URLs (must be non-empty) |
+| `scopes_supported` | `tuple[str, ...]` | No | OAuth scopes the resource understands |
+| `bearer_methods_supported` | `tuple[str, ...]` | No | Token delivery methods (default `("header",)`) |
+| `resource_signing_alg_values_supported` | `tuple[str, ...]` | No | JWS algorithms for signed responses |
+| `resource_name` | `str \| None` | No | Human-readable name |
+| `resource_documentation` | `str \| None` | No | URL to developer docs |
+| `resource_policy_uri` | `str \| None` | No | URL to privacy policy |
+| `resource_tos_uri` | `str \| None` | No | URL to terms of service |
+
+Raises `ValueError` if `resource` is empty or `authorization_servers` is empty.
+
+## jwt_authenticate()
+
+Factory that creates a JWT-validating `authenticate` callback using Authlib.
+
+```python
+from vgi_rpc.http import jwt_authenticate
+
+auth = jwt_authenticate(
+    issuer="https://auth.example.com",
+    audience="https://api.example.com/vgi",
+    jwks_uri="https://auth.example.com/.well-known/jwks.json",  # optional
+    principal_claim="sub",  # default
+    domain="jwt",  # default
+)
+```
+
+| Parameter | Type | Default | Description |
+|---|---|---|---|
+| `issuer` | `str` | required | Expected `iss` claim |
+| `audience` | `str` | required | Expected `aud` claim |
+| `jwks_uri` | `str \| None` | `None` | JWKS URL (discovered from OIDC if `None`) |
+| `claims_options` | `Mapping \| None` | `None` | Additional Authlib claim options |
+| `principal_claim` | `str` | `"sub"` | JWT claim for `AuthContext.principal` |
+| `domain` | `str` | `"jwt"` | Domain for `AuthContext` |
+
+**JWKS caching**: Keys are fetched lazily on first request and cached in-process.
+On unknown `kid` (decode error), keys are automatically refreshed once. Other
+validation failures (expired token, wrong issuer/audience) fail immediately
+without a network round-trip.
+
+Requires `pip install vgi-rpc[oauth]` — raises a clear `ImportError` with
+install instructions if Authlib is not available.
+
+## http_oauth_metadata()
+
+Client-side function to discover a server's OAuth configuration.
+
+```python
+from vgi_rpc.http import http_oauth_metadata
+
+meta = http_oauth_metadata("https://api.example.com")
+if meta is not None:
+    print(meta.authorization_servers)
+```
+
+Returns `OAuthResourceMetadataResponse` or `None` (if server returns 404).
+
+**Note:** The `prefix` parameter (default `"/vgi"`) must match the server's
+`make_wsgi_app(prefix=...)`. A mismatch results in a 404 (`None` return).
+
+## fetch_oauth_metadata()
+
+Fetch metadata from an explicit URL (typically from a 401 `WWW-Authenticate` header).
+
+```python
+from vgi_rpc.http import fetch_oauth_metadata
+
+meta = fetch_oauth_metadata("https://api.example.com/.well-known/oauth-protected-resource/vgi")
+```
+
+## parse_resource_metadata_url()
+
+Extract the `resource_metadata` URL from a `WWW-Authenticate` header.
+
+```python
+from vgi_rpc.http import parse_resource_metadata_url
+
+url = parse_resource_metadata_url('Bearer resource_metadata="https://..."')
+# "https://..."
+```
+
+Returns `None` if the header doesn't contain `resource_metadata`.
+
+## OAuthResourceMetadataResponse
+
+Frozen dataclass returned by `http_oauth_metadata()` and `fetch_oauth_metadata()`.
+Same fields as `OAuthResourceMetadata` (the server-side config class).
+
+## Standards Compliance
+
+- [RFC 9728](https://www.rfc-editor.org/rfc/rfc9728) — OAuth 2.0 Protected Resource Metadata
+- [RFC 8414](https://www.rfc-editor.org/rfc/rfc8414) — OAuth 2.0 Authorization Server Metadata
+- [RFC 6750](https://www.rfc-editor.org/rfc/rfc6750) — Bearer Token Usage
+- Compatible with MCP's OAuth implementation
+
+## Installation
+
+```bash
+# OAuth discovery (no extra deps beyond [http])
+pip install vgi-rpc[http]
+
+# JWT authentication (adds Authlib)
+pip install vgi-rpc[http,oauth]
+```

docs/examples.md

@@ -96,6 +96,16 @@ HTTP authentication with Bearer tokens. Shows `authenticate` callback, `AuthCont
 --8<-- "examples/auth.py"
 ```
 
+### OAuth Discovery
+
+OAuth 2.0 Protected Resource Metadata (RFC 9728) with JWT authentication.
+Shows `OAuthResourceMetadata`, `jwt_authenticate()`, and client-side
+discovery via `http_oauth_metadata()`.
+
+```python
+--8<-- "examples/oauth_discovery.py"
+```
+
 ### Introspection
 
 Runtime service discovery with `enable_describe=True`. Shows `introspect()` for pipe transport and `http_introspect()` for HTTP.

examples/oauth_discovery.py

@@ -0,0 +1,155 @@
+"""OAuth Discovery with JWT authentication.
+
+Demonstrates:
+1. Configuring OAuthResourceMetadata (RFC 9728)
+2. Using jwt_authenticate() for JWT token validation
+3. Client-side OAuth metadata discovery via http_oauth_metadata()
+4. An RPC service that returns the authenticated user's identity
+
+Requires ``pip install vgi-rpc[http,oauth]``
+
+Run::
+
+    python examples/oauth_discovery.py
+"""
+
+from __future__ import annotations
+
+import time
+from typing import Protocol
+
+import falcon
+from authlib.jose import JsonWebKey, jwt
+
+from vgi_rpc import AuthContext, CallContext, RpcServer
+from vgi_rpc.http import OAuthResourceMetadata, http_connect, http_oauth_metadata, jwt_authenticate, make_sync_client
+
+# ---------------------------------------------------------------------------
+# 1. Define the service Protocol
+# ---------------------------------------------------------------------------
+
+
+class IdentityService(Protocol):
+    """A service that returns the caller's identity."""
+
+    def whoami(self) -> str:
+        """Return the caller's identity."""
+        ...
+
+    def my_claims(self) -> str:
+        """Return the caller's JWT claims."""
+        ...
+
+
+# ---------------------------------------------------------------------------
+# 2. Implement with CallContext
+# ---------------------------------------------------------------------------
+
+
+class IdentityServiceImpl:
+    """Concrete implementation of IdentityService."""
+
+    def whoami(self, ctx: CallContext) -> str:
+        """Return the caller's identity."""
+        ctx.auth.require_authenticated()
+        return f"You are {ctx.auth.principal} (domain={ctx.auth.domain})"
+
+    def my_claims(self, ctx: CallContext) -> str:
+        """Return the caller's JWT claims."""
+        ctx.auth.require_authenticated()
+        claims = dict(ctx.auth.claims)
+        return f"Claims for {ctx.auth.principal}: {claims}"
+
+
+# ---------------------------------------------------------------------------
+# 3. Configure OAuth metadata + JWT auth
+# ---------------------------------------------------------------------------
+
+
+def main() -> None:
+    """Run the OAuth discovery example end-to-end."""
+    # Generate a test RSA key pair
+    key = JsonWebKey.generate_key("RSA", 2048, is_private=True)
+    key_dict = key.as_dict(is_private=True)
+    key_dict["kid"] = "test-key-1"
+    jwk_public = JsonWebKey.import_key(key_dict).as_dict()
+
+    # Create a test JWT
+    now = int(time.time())
+    header = {"alg": "RS256", "kid": "test-key-1"}
+    payload = {
+        "iss": "https://auth.example.com",
+        "aud": "https://api.example.com/vgi",
+        "sub": "alice",
+        "iat": now,
+        "exp": now + 3600,
+        "name": "Alice Example",
+        "scope": "read write",
+    }
+    token_bytes: bytes = jwt.encode(header, payload, key_dict)
+    token = token_bytes.decode()
+
+    # Build a JWKS-based authenticate callback.
+    # In production, jwt_authenticate() fetches keys from a real JWKS endpoint.
+    # For this example, we create a local callback that uses the generated key.
+    def _local_authenticate(req: falcon.Request) -> AuthContext:
+        """Validate JWT using local key (simulates jwt_authenticate behaviour)."""
+        auth_header = req.get_header("Authorization") or ""
+        if not auth_header.startswith("Bearer "):
+            raise ValueError("Missing or invalid Authorization header")
+        raw_token = auth_header[7:]
+        claims = jwt.decode(
+            raw_token,
+            jwk_public,
+            claims_options={
+                "iss": {"essential": True, "value": "https://auth.example.com"},
+                "aud": {"essential": True, "value": "https://api.example.com/vgi"},
+            },
+        )
+        claims.validate()
+        return AuthContext(
+            domain="jwt",
+            authenticated=True,
+            principal=str(claims.get("sub", "")),
+            claims=dict(claims),
+        )
+
+    metadata = OAuthResourceMetadata(
+        resource="https://api.example.com/vgi",
+        authorization_servers=("https://auth.example.com",),
+        scopes_supported=("read", "write"),
+        resource_name="Example Identity Service",
+    )
+
+    server = RpcServer(IdentityService, IdentityServiceImpl())
+
+    client = make_sync_client(
+        server,
+        signing_key=b"example-oauth-key",
+        authenticate=_local_authenticate,
+        default_headers={"Authorization": f"Bearer {token}"},
+        oauth_resource_metadata=metadata,
+    )
+
+    # --- 4. Client discovers metadata, then calls service ---
+    meta = http_oauth_metadata(client=client)
+    assert meta is not None
+    print(f"authorization_servers: {meta.authorization_servers}")
+    print(f"scopes_supported: {meta.scopes_supported}")
+    print(f"resource_name: {meta.resource_name}")
+
+    with http_connect(IdentityService, client=client) as svc:
+        print(svc.whoami())
+        print(svc.my_claims())
+
+    # Verify jwt_authenticate is importable (requires authlib)
+    _auth_fn = jwt_authenticate(
+        issuer="https://auth.example.com",
+        audience="https://api.example.com/vgi",
+        jwks_uri="https://auth.example.com/.well-known/jwks.json",
+    )
+    print(f"jwt_authenticate factory created: {_auth_fn is not None}")
+
+
+if __name__ == "__main__":
+    main()

mkdocs.yml

@@ -118,6 +118,7 @@ nav:
     - Core RPC: api/core.md
     - Streaming: api/streaming.md
     - Auth & Context: api/auth.md
+    - OAuth Discovery: api/oauth.md
     - Transports: api/transports.md
     - HTTP: api/http.md
     - Serialization: api/serialization.md