docs(integrator): document RFC 8707 / RFC 8414 / MCP audience binding #190
Merged
- Replace stale "access tokens have no `aud`" guidance with RFC 8707 audience-binding validation, including new Audience Binding sections and aud-aware Go/Python/Node examples
- Document the optional `resource` parameter and §2.2 narrowing rule on the auth-code, device, client-credentials, and refresh flows
- Add `invalid_target` error and a Resource Indicator Errors section to the errors reference
- Surface the `/.well-known/oauth-authorization-server` (RFC 8414) metadata endpoint and resource-identifier onboarding hint
- Mirror all updates in the Traditional Chinese translations and disable markdownlint MD028 for unavoidable adjacent callouts
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary
- `internal/templates/docs/`) with PR feat(oauth): add MCP / RFC 8707 + RFC 8414 compatibility #187. The previous guidance told resource-server implementers to disable `aud` validation; that's now wrong because access tokens may carry a per-request `aud` from RFC 8707 `resource` parameters. Each Go/Python/Node example is updated to enforce `aud`, and the Verification Steps now require both `type=access` and an `aud` match against the resource server's identifier.
- `resource` parameter on all three flow guides (auth-code, device, client-credentials) and on token refresh, including the RFC 8707 §2.2 subset rule and the new `invalid_target` error.
- `/.well-known/oauth-authorization-server` (RFC 8414) and adds a Resource Indicator Errors section to the error reference.
- `zh-TW/` translations are kept in lockstep. zh-TW headings that anchor in-page links (Audience Binding, Resource Indicator 錯誤) use ASCII parens so the markdownlint MD051 GitHub-style slugger matches the link fragments.
- `.markdownlint.json`: disables MD028 (no-blanks-blockquote) so adjacent callout blocks can stay separated by a blank line without lint noise.
Test plan
- `make generate && make build` succeeds (templates unchanged, but verify the docs handler still embeds the new files).
- `./bin/authgate server` and visit `/docs/en/jwt-verification`. Confirm the new Audience Binding (RFC 8707) section renders and the in-page `#audience-binding-rfc-8707` jump links work from the claims table and Verification Steps.
- `/docs/zh-TW/jwt-verification` and `/docs/zh-TW/errors`. Confirm the same in-page anchors (`#audience-binding-rfc-8707`, `#resource-indicator-錯誤-rfc-8707`) jump correctly.
- `markdownlint internal/templates/docs/**/*.md` (or whatever the repo uses) — zero MD051 violations expected.
- `resource` parameter row in the request-parameters table.
🤖 Generated with Claude Code
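The two audience rules this PR documents, worked through as an added example that is not authgate's own code: the token endpoint narrowing `aud` under the RFC 8707 §2.2 subset rule (answering `invalid_target` otherwise), and a resource server enforcing `type=access` plus an `aud` match against its own resource identifier. The `type` claim name and the example.com resource identifiers are assumptions constructed for the sample.

```python
from __future__ import annotations
from urllib.parse import urlsplit


class InvalidTarget(Exception):
    """Raised where the token endpoint would answer with `invalid_target`."""


def narrow_audience(granted: set[str], requested: list[str] | None) -> list[str]:
    """Token endpoint side (RFC 8707 §2.2): a token or refresh request may
    name only resources that are a subset of those originally granted.
    Omitting `resource` keeps the full grant; anything else is invalid_target."""
    if requested is None:
        return sorted(granted)
    if not requested:
        raise InvalidTarget("resource parameter present but empty")
    for uri in requested:
        # RFC 8707 §2: each value must be an absolute URI without a fragment.
        parts = urlsplit(uri)
        if not parts.scheme or parts.fragment:
            raise InvalidTarget(f"malformed resource indicator: {uri!r}")
    extra = set(requested) - granted
    if extra:
        raise InvalidTarget(f"resource not in original grant: {sorted(extra)}")
    return sorted(set(requested))


def verify_claims(claims: dict, resource_id: str) -> tuple[bool, str]:
    """Resource-server side: accept only `type=access` tokens whose `aud`
    (string or list) includes this server's own resource identifier.
    Signature and expiry are assumed to be checked by the JWT library first."""
    if claims.get("type") != "access":
        return False, f"token type {claims.get('type')!r} is not access"
    aud = claims.get("aud")
    if aud is None:
        return False, "aud claim missing"
    if isinstance(aud, str):
        aud = [aud]
    if resource_id not in aud:
        return False, f"aud {aud} does not include {resource_id}"
    return True, ""


# Constructed sample: a grant for two resources, a refresh that narrows it to
# the MCP server alone, and that server checking the resulting access token.
GRANTED = {"https://mcp.example.com/", "https://files.example.com/"}
NARROWED = narrow_audience(GRANTED, ["https://mcp.example.com/"])
SAMPLE_CLAIMS = {"type": "access", "aud": NARROWED, "sub": "user-123"}
```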