ruhulio

@ruhulio ruhulio commented Sep 4, 2025

Description

Adds support for passing the audience to the upstream provider if it was specified on the token verifier. This is necessary when using a provider like Auth0 that requires audience scoping for the tokens.

This was manually tested via MCP Inspector against an Auth0 app for the positive case, and a GitHub app for the negative case.

This can be considered a smaller peer change to the recent PKCE forwarding changes (#1733).

Contributors Checklist

  • My change is related to issue #(issue number)
  • I have followed the repository's development workflow
  • I have tested my changes manually and by adding relevant tests
  • I have performed all required documentation updates

Review Checklist

  • I have self-reviewed my changes
  • My Pull Request is ready for review

marvin-context-protocol bot added labels Sep 4, 2025: enhancement (Improvement to existing functionality. For issues and smaller PR improvements.), server (Related to FastMCP server implementation or server-side functionality.), auth (Related to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.)
@dmikusa
Contributor

dmikusa commented Sep 4, 2025

I hit this issue with Auth0 too, so +1 for this. It'd be nice if it just worked automatically.

FYI, if anyone else hits this: I worked around it by setting .../authorize?audience=<my-audience> as my upstream_authorization_endpoint value. It was smart enough to retain that audience query param.

@jlowin
Owner

jlowin commented Sep 6, 2025

I don't like that this PR introduces a very tight but implicit coupling between the OAuthProxy and the TokenValidator, especially because the outcome sounds like it's highly vendor-specific. I'll open a PR to permit users to pass custom kwargs to the authorize call!

@jlowin jlowin closed this Sep 6, 2025
jlowin added a commit that referenced this pull request Sep 6, 2025
Improves on #1752 by providing a cleaner, more flexible approach for forwarding provider-specific parameters. Instead of tightly coupling to token verifier attributes, this adds explicit configuration for extra parameters.

- Add extra_authorize_params and extra_token_params configuration
- Forward RFC 8707 resource parameter from AuthorizationParams
- Remove tight coupling to token verifier internals
- Add comprehensive tests for parameter forwarding
@jlowin
Owner

jlowin commented Sep 6, 2025

@ruhulio, @dmikusa please try the new kwargs in #1771 and let me know if it meets your needs!

@ruhulio
Author

ruhulio commented Sep 6, 2025

> @ruhulio, @dmikusa please try the new kwargs in #1771 and let me know if it meets your needs!

@jlowin I just tested #1771 out and it worked with the Auth0 test apps. Thanks.
