Skip to content

feat: add RFC 8707 Resource Indicators support#879

Draft
cohendvir wants to merge 2 commits into
ory:masterfrom
cohendvir:feat/rfc-8707-resource-indicators
Draft

feat: add RFC 8707 Resource Indicators support#879
cohendvir wants to merge 2 commits into
ory:masterfrom
cohendvir:feat/rfc-8707-resource-indicators

Conversation

@cohendvir

@cohendvir cohendvir commented May 25, 2026
edited
Loading

Copy link
Copy Markdown

Adds support for RFC 8707 Resource Indicators in fosite.

Note: This PR stacks on #880 (copyright year bump). Please merge #880 first — once it lands on master, the diff here will show only the RFC 8707 changes.

@coderabbitai

coderabbitai Bot commented May 25, 2026
edited
Loading

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 08b93e56-8fd9-4170-93cc-559ae26945e7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@CLAassistant

CLAassistant commented May 25, 2026

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

cohendvir added 2 commits May 25, 2026 15:12
@cohendvir
chore: update copyright year to 2026
41a9d9a
@cohendvir
feat: add RFC 8707 Resource Indicators support
54bfd0b 
Implements RFC 8707 (Resource Indicators for OAuth 2.0) by parsing the standardized "resource" form parameter alongside the existing non-standard "audience" parameter. The "resource" values are validated per RFC 8707 §2 (absolute URI, no fragment) and merged into the RequestedAudience list, so they flow through fosite's existing audience binding pipeline (DefaultAudienceMatchingStrategy and the per-flow audience checks) and end up in the issued token's aud claim with no additional plumbing.

Motivation: the 2026 MCP (Model Context Protocol) spec mandates RFC 8707 to prevent confused-deputy attacks between MCP servers. Several public AS implementations now support it; this aligns fosite with the broader OAuth 2.1 / MCP ecosystem.

Changes: audience_strategy.go merges resource with audience and adds ValidateResourceIndicators helper; access_request_handler.go validates resource before populating RequestedAudience; new unit and integration tests cover merging, de-dup, and invalid input cases.

Backward compatibility: requests with only the "audience" parameter behave exactly as before. The "resource" parameter is opt-in.

Signed-off-by: cohendvir <dvir@honeybook.com>
@cohendvir cohendvir force-pushed the feat/rfc-8707-resource-indicators branch from 6560f1a to 54bfd0b Compare May 25, 2026 08:30
@james-d-elliott

james-d-elliott commented May 25, 2026

Copy link
Copy Markdown
Contributor

Shouldn't this be in the authorize code / implicit auth handlers and refresh / client credentials / device code access handlers?

@james-d-elliott

james-d-elliott commented May 25, 2026

Copy link
Copy Markdown
Contributor

Actually looking more closely it's similar to refresh flow, the values requested on the auth endpoint restrict what can be requested on the token endpoint, same for the original request in refresh flows.

The resource value(s) that is acceptable to an authorization server in fulfilling an access token request is at its sole discretion based on local policy or configuration. In the case of a refresh_token or authorization_code grant type request, such policy may limit the acceptable resources to those that were originally granted by the resource owner or a subset thereof. In the authorization_code case where the requested resources are a subset of the set of resources originally granted, the authorization server will issue an access token based on that subset of requested resources, whereas any refresh token that is returned is bound to the full original grant.

@imryao imryao mentioned this pull request Jun 18, 2026
Merged
imryao added a commit to agentserver/agentserver that referenced this pull request Jun 18, 2026
@imryao @claude
fix(mcppublic): accept tokens with empty aud (Hydra has no RFC 8707) (#…
79af0b8 
…267)

End-to-end testing v0.69.0 reveals: gateway rejects every OAuth
token because their `aud` claim is empty array. Logs:

  level=INFO msg="mcppublic.OAuth: audience mismatch"
    sub=c60a7665-... want="https://mcp.agent.cs.ac.cn/mcp" got=[]

Root cause: Hydra v2.x (via ory/fosite v0.x) does NOT implement
RFC 8707 Resource Indicators. The `resource=https://...` query
parameter that spec-compliant MCP clients send on /oauth2/auth is
silently dropped. The issued token therefore has no audience.

Tracking PR: ory/fosite#879 (opened 2026-05-25, still in draft,
CLA blocked, scope concerns from maintainer). Unblocking this
upstream is months away.

Workaround: when the introspected token's `aud` is empty, accept
it with a warning. When `aud` IS present, mismatch is still a
hard fail (so any token that DOES bind to a resource still gets
proper enforcement).

Safe today: single-tenant Hydra (this gateway is the only MCP
server in the cluster). Risk only emerges if we add a second MCP
server on the same Hydra — at that point either delete this
empty-aud branch (fosite #879 merged by then) or patch the
consent handler to force GrantAccessTokenAudience.

10 existing OAuth resolver tests still pass; new test
TestOAuthResolver_EmptyAudienceAccepted pins the new behavior.

Co-authored-by: mryao <git@mryao.org>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
imryao added a commit to agentserver/agentserver that referenced this pull request Jun 18, 2026
@imryao @claude
docs(mcppublic): strengthen safety comment on empty-aud bypass (#269)
05ef233 
Security review of #267 (empty-aud fail-open) noted the comment should
enumerate the safety preconditions and the failure mode that triggers
"must remove this branch." Expand the comment to spell out:

  1. Why single-tenant Hydra makes it safe today (one MCP gateway).
  2. DCR being off (#258) so attackers can't mint mcp:* tokens
     from unauthorized clients.
  3. The agentserver-mcp client's fixed audience list bounds the
     non-empty-aud case to our gateway URL.

And the action item:

  Before adding a second MCP server on the same Hydra, DELETE the
  empty-aud branch. Either ory/fosite#879 has merged (strict aud
  becomes reliable) or patch the consent handler to hard-inject
  GrantAccessTokenAudience for mcp:* scopes.

No behavioral change.

Co-authored-by: mryao <git@mryao.org>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr will be requested when the pull request is marked ready for review aeneasr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cohendvir @CLAassistant @james-d-elliott