fix: Implement proper OAuth resource parameters and PRM-based discovery
This commit completes the OAuth audience validation implementation per RFC 7519, RFC 8707 (Resource Indicators), and RFC 9728 (Protected Resource Metadata). ## Key Changes ### OAuth Resource Parameters (RFC 8707) - Add `resource` parameter to Flow 1 (MCP client auth) with MCP server audience - Add `resource` parameter to Flow 2 (Nextcloud access) with Nextcloud audience - Add `nextcloud_resource_uri` to oauth_context configuration - Fix undefined variable error in starlette_lifespan ### PRM-Based Resource Discovery (RFC 9728) - Update tests to fetch resource identifier from PRM endpoint - Add fallback to hardcoded value if PRM fetch fails - Demonstrate correct OAuth client implementation pattern ### ADR-005 Documentation Updates - Update to reflect simplified RFC 7519 compliant implementation - Document that MCP validates only its own audience (not Nextcloud's) - Add section on OAuth resource parameters and PRM discovery - Update implementation checklist to show completed items - Mark status as "Implemented" with update date ## Implementation Details The solution follows RFC 7519 Section 4.1.3: resource servers validate only their own presence in the audience claim. This simplifies the logic while maintaining security: - MCP server validates MCP audience only - Nextcloud independently validates its own audience - No dual validation required at MCP layer - Token reuse is allowed per RFC 8707 for multi-audience tokens ## Test Results ✅ test_mcp_oauth_server_connection - PASSED ✅ test_deck_board_view_permissions - PASSED ✅ test_prm_endpoint - PASSED All OAuth flows now properly specify target resources, resulting in correct audience validation throughout the system. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
@@ -2193,17 +2193,35 @@ async def _get_oauth_token_for_user(
|
||||
logger.info(f"Getting OAuth token for user: {username}...")
|
||||
logger.info(f"Using shared OAuth client: {client_id[:16]}...")
|
||||
|
||||
# Fetch resource identifier from PRM endpoint (RFC 9728)
|
||||
mcp_server_url = os.getenv("NEXTCLOUD_MCP_SERVER_URL", "http://localhost:8001")
|
||||
prm_url = f"{mcp_server_url}/.well-known/oauth-protected-resource"
|
||||
|
||||
logger.debug(f"Fetching PRM metadata from: {prm_url}")
|
||||
async with httpx.AsyncClient() as client:
|
||||
prm_response = await client.get(prm_url, timeout=10)
|
||||
if prm_response.status_code != 200:
|
||||
logger.warning(f"Failed to fetch PRM metadata: {prm_response.status_code}")
|
||||
# Fallback to default if PRM fetch fails
|
||||
mcp_server_resource = f"{mcp_server_url}/mcp"
|
||||
else:
|
||||
prm_data = prm_response.json()
|
||||
mcp_server_resource = prm_data.get("resource", f"{mcp_server_url}/mcp")
|
||||
logger.info(f"Using resource from PRM: {mcp_server_resource}")
|
||||
|
||||
# Generate unique state parameter for this OAuth flow
|
||||
state = secrets.token_urlsafe(32)
|
||||
logger.debug(f"Generated state for {username}: {state[:16]}...")
|
||||
|
||||
# Construct authorization URL with state parameter
|
||||
# Include resource parameter discovered from PRM endpoint
|
||||
auth_url = (
|
||||
f"{authorization_endpoint}?"
|
||||
f"response_type=code&"
|
||||
f"client_id={client_id}&"
|
||||
f"redirect_uri={quote(callback_url, safe='')}&"
|
||||
f"state={state}&"
|
||||
f"resource={quote(mcp_server_resource, safe='')}&" # Resource URI from PRM
|
||||
f"scope=openid%20profile%20email%20notes:read%20notes:write%20calendar:read%20calendar:write%20contacts:read%20contacts:write%20cookbook:read%20cookbook:write%20deck:read%20deck:write%20tables:read%20tables:write%20files:read%20files:write%20sharing:read%20sharing:write"
|
||||
)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user