fix: Include pathname in resourceServer for RFC 8707 path-aware audience validation #109
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…nce validation Fixes cloudflare#108 When using RFC 8707 Resource Indicators with path components (e.g., resource=https://example.com/api), token validation was failing because resourceServer was computed using only the origin (protocol + host), while the token audience contained the full URL with path. This commit updates the resourceServer computation in both internal and external token validation flows to include the pathname component: const resourceServer = `${requestUrl.protocol}//${requestUrl.host}${requestUrl.pathname}`; This ensures that audience validation succeeds when the resource indicator includes the path component, as recommended by RFC 8707.
|
commit: |
- Modify audienceMatches() to support both origin-only and path-aware audiences - Origin-only audiences (e.g., https://example.com) match by origin for backward compatibility - Path-aware audiences (e.g., https://example.com/api) require exact match per RFC 8707 - Add 3 test cases for path-aware audience validation - Update TestApiHandler to handle all /api/* paths This fixes the CI failures in PR cloudflare#109 while maintaining backward compatibility with existing code that uses origin-only resource indicators. Fixes cloudflare#108
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #108
Problem
When using RFC 8707 Resource Indicators with path components (e.g.,
resource=https://example.com/api), token validation fails with:This breaks OAuth flows for services like ChatGPT custom connectors.
Root Cause
In
handleApiRequest, theresourceServeris computed using only the origin:However, RFC 8707 recommends using full URLs with paths for resource indicators. Since
audienceMatchesperforms strict equality (===):https://example.com/api(from authorization request'sresourceparameter)https://example.com(computed from request URL)Solution
This PR updates the
resourceServercomputation in both internal and external token validation flows to include the pathname component:Changes
src/oauth-provider.tsline 2194: Include pathname in resourceServer (internal token validation)src/oauth-provider.tsline 2228: Include pathname in resourceServer (external token validation)Testing
Tested with ChatGPT custom connector:
resource=https://server/mcpaud: "https://server/mcp"https://server/mcpsucceedsReferences