ReadonlyclientClient ID registered with the OIDC provider
ReadonlyclientClient secret registered with the OIDC provider
Optional ReadonlydiscoveryTTL for the cached OIDC discovery document in milliseconds. The discovery document is re-fetched when the TTL expires.
Optional ReadonlygrantedMCP scopes granted to authenticated users.
If not provided, the default mapUserInfo grants no scopes (empty array).
When providing a custom mapUserInfo, this option is ignored.
ReadonlyissuerOIDC issuer URL (e.g. https://auth.example.com).
The discovery document is fetched from {issuer}/.well-known/openid-configuration.
Optional ReadonlymapCustom mapping from OIDC UserInfo response to MCP AuthInfo.
When not provided, the default mapping uses standard OIDC claims:
sub → clientIdgrantedScopes → scopesexpiresAt (token is re-verified on each request)name, email, preferred_username → extraReadonlyserverMCP server base URL (e.g. http://localhost:8000). Used as redirect_uri target.
Optional ReadonlyupstreamScopes to request from the upstream OIDC provider.
Options for createOidcProvider.