fix: Include pathname in resourceServer for RFC 8707 path-aware audience validation#109
Merged
mattzcarey merged 5 commits intocloudflare:mainfrom Feb 11, 2026
Conversation
…nce validation Fixes cloudflare#108 When using RFC 8707 Resource Indicators with path components (e.g., resource=https://example.com/api), token validation was failing because resourceServer was computed using only the origin (protocol + host), while the token audience contained the full URL with path. This commit updates the resourceServer computation in both internal and external token validation flows to include the pathname component: const resourceServer = `${requestUrl.protocol}//${requestUrl.host}${requestUrl.pathname}`; This ensures that audience validation succeeds when the resource indicator includes the path component, as recommended by RFC 8707.
🦋 Changeset detectedLatest commit: 3810a31 The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
commit: |
- Modify audienceMatches() to support both origin-only and path-aware audiences - Origin-only audiences (e.g., https://example.com) match by origin for backward compatibility - Path-aware audiences (e.g., https://example.com/api) require exact match per RFC 8707 - Add 3 test cases for path-aware audience validation - Update TestApiHandler to handle all /api/* paths This fixes the CI failures in PR cloudflare#109 while maintaining backward compatibility with existing code that uses origin-only resource indicators. Fixes cloudflare#108
Contributor
|
Looking at this :) thanks for your contribution. |
mattzcarey
force-pushed
the
fix/rfc8707-path-aware-audience-validation
branch
from
3a53410 to
7609828
Compare
nathan-bw
pushed a commit
to nathan-bw/mcp-server-google-oauth
that referenced
this pull request
Jan 29, 2026
Patches @cloudflare/workers-oauth-provider to include pathname in resourceServer computation, fixing "Token audience does not match resource server" error when connecting from the Cloudflare MCP portal. The bug occurs because RFC 8707 Resource Indicators include the path (e.g., /mcp), but the library only compared against the origin. Upstream fix: cloudflare/workers-oauth-provider#109 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous exact-path matching was too strict — a token with audience "https://example.com/api" would fail for requests to sub-paths like "/api/users". This made the fix unusable for real APIs (including MCP servers and ChatGPT connectors) that have multiple endpoints under a base path. Replace the dual exact-match/origin-match heuristic with proper path-boundary prefix matching: - Origin-only audiences still match any path (backward compat) - Path-aware audiences match the exact path and any sub-path on a path boundary ("/api" matches "/api/foo" but not "/api-v2") - Origins are compared via URL normalization (case-insensitive host)
mattzcarey
force-pushed
the
fix/rfc8707-path-aware-audience-validation
branch
from
6b49b47 to
531b372
Compare
mattzcarey
approved these changes
Feb 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #108
Problem
When using RFC 8707 Resource Indicators with path components (e.g.,
resource=https://example.com/api), token validation fails with:This breaks OAuth flows for services like ChatGPT custom connectors.
Root Cause
In
handleApiRequest, theresourceServeris computed using only the origin:However, RFC 8707 recommends using full URLs with paths for resource indicators. Since
audienceMatchesperforms strict equality (===):https://example.com/api(from authorization request'sresourceparameter)https://example.com(computed from request URL)Solution
This PR updates the
resourceServercomputation in both internal and external token validation flows to include the pathname component:Changes
src/oauth-provider.tsline 2194: Include pathname in resourceServer (internal token validation)src/oauth-provider.tsline 2228: Include pathname in resourceServer (external token validation)Testing
Tested with ChatGPT custom connector:
resource=https://server/mcpaud: "https://server/mcp"https://server/mcpsucceedsReferences