diff --git a/config.yaml b/config.yaml
index f73c5b2..d97c8ca 100644
--- a/config.yaml
+++ b/config.yaml
@@ -60,4 +60,3 @@ bearer_methods_supported: - header - body - query - \ No newline at end of file
diff --git a/internal/authz/scope_validator.go b/internal/authz/scope_validator.go
index 248cf8a..779a044 100644
--- a/internal/authz/scope_validator.go
+++ b/internal/authz/scope_validator.go
@@ -20,9 +20,6 @@ func (d *ScopeValidator) ValidateAccess(
 	claims *TokenClaims,
 	requiredScopes any,
 ) AccessControlResult {
-
-	logger.Info("Required scopes: %v", requiredScopes)
-
 	var scopeStr string
 	switch v := requiredScopes.(type) {
 	case string:
@@ -45,7 +42,6 @@ func (d *ScopeValidator) ValidateAccess(
 		}
 	}
 
-	logger.Info("Token scopes: %v", claims.Scopes)
 	for _, tokenScope := range claims.Scopes {
 		if _, ok := required[tokenScope]; ok {
 			return AccessControlResult{DecisionAllow, ""}
diff --git a/internal/util/jwks.go b/internal/util/jwks.go
index 0692057..54ca735 100644
--- a/internal/util/jwks.go
+++ b/internal/util/jwks.go
@@ -12,7 +12,7 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/wso2/open-mcp-auth-proxy/internal/authz"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
-	logger "github.com/wso2/open-mcp-auth-proxy/internal/logging"
+	"github.com/wso2/open-mcp-auth-proxy/internal/logging"
 )
 
 type TokenClaims struct {
@@ -52,9 +52,9 @@ func FetchJWKS(jwksURL string) error {
 		if parsed.Kty != "RSA" {
 			continue
 		}
-		pk, err := parseRSAPublicKey(parsed.N, parsed.E)
+		pubKey, err := parseRSAPublicKey(parsed.N, parsed.E)
 		if err == nil {
-			publicKeys[parsed.Kid] = pk
+			publicKeys[parsed.Kid] = pubKey
 		}
 	}
 	logger.Info("Loaded %d public keys.", len(publicKeys))
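Review bot: With both `logger.Info` calls removed (this hunk and `@@ -45,7 +42,6 @@`), the file may no longer reference `logger` at all; if the import block, which is outside the hunk, still brings the logging package in under that name, the file will not compile until that import is dropped too. Removing the required-scopes dump from every request is reasonable, but a denied decision now leaves no trace of which scopes were required versus presented, which is exactly what an operator needs when diagnosing authorization failures; a single log line at the deny branch (below the second hunk, outside view) carrying `requiredScopes` and `claims.Scopes` would keep that without logging on every allowed request. ValidateAccess's signature starts above this hunk and its body continues past the second one.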
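Review bot: The loop on the new side returns `DecisionAllow` on the first token scope found in `required`, so the check is any-of: a token carrying just one of several required scopes passes. If `requiredScopes` is meant as a conjunction (every listed scope must be present) this grants access too broadly; if any-of is intended, the contract deserves a comment such as `// Allow if the token holds at least one of the required scopes.` so the policy semantics are explicit to the next reader. The deny branch and the construction of `required` are outside the hunk, so how an empty required set is treated cannot be confirmed from here.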
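Review bot: `if err == nil { publicKeys[parsed.Kid] = pubKey }` still silently drops any key whose modulus or exponent fails to parse, so a broken or newly rotated JWKS entry disappears with only the final count as a hint; inverting the check to `if err != nil { logger.Info("skipping JWKS key %q: %v", parsed.Kid, err); continue }` ahead of the assignment makes the failure visible and keeps the happy path left-aligned. The unchanged `logger.Info` call at the end of this hunk resolves only if `internal/logging` declares `package logger`; the import hunk above (`@@ -12,7 +12,7 @@`) dropped the `logger` alias, so confirm the package clause rather than relying on the directory name. Whether `publicKeys` is cleared before this loop, so that keys removed from the JWKS stop being trusted, is not visible in the hunk; FetchJWKS begins above it.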
@@ -81,10 +81,6 @@ func parseRSAPublicKey(nStr, eStr string) (*rsa.PublicKey, error) {
 }
 
 // ValidateJWT checks the Bearer token according to the Mcp-Protocol-Version.
-// - isLatestSpec: whether to use the latest spec validation
-// - authHeader: the full "Authorization" header
-// - audience: the resource identifier to check "aud" against
-// - requiredScopes: the scopes required (empty ⇒ skip scope check)
 func ValidateJWT(
 	isLatestSpec bool,
 	authHeader, audience string,
@@ -94,7 +90,7 @@ func ValidateJWT(
 		return nil, errors.New("empty bearer token")
 	}
 
-	// --- parse & verify signature ---
+	// Parse & verify the signature
 	token, err := jwt.Parse(tokenStr, func(token *jwt.Token) (interface{}, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
@@ -116,19 +112,15 @@ func ValidateJWT(
 		return nil, errors.New("token not valid")
 	}
 
-	// --- extract raw claims ---
 	claimsMap, ok := token.Claims.(jwt.MapClaims)
 	if !ok {
 		return nil, errors.New("unexpected claim type")
 	}
 
-	// --- v1: skip audience check entirely ---
 	if !isLatestSpec {
-		// we still want to return an empty set of scopes for policy to see
 		return &authz.TokenClaims{Scopes: nil}, nil
 	}
 
-	// --- v2: enforce audience ---
 	audRaw, exists := claimsMap["aud"]
 	if !exists {
 		return nil, errors.New("aud claim missing")
@@ -153,7 +145,6 @@ func ValidateJWT(
 		return nil, errors.New("aud claim has unexpected type")
 	}
 
-	// --- collect all scopes from the token, if any ---
 	rawScope := claimsMap["scope"]
 	scopeList := []string{}
 	if s, ok := rawScope.(string); ok {
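Review bot: The parameter list removed from the `ValidateJWT` doc comment is not replaced, and the `@@ -116,19 +112,15 @@` hunk also drops the comments explaining the `!isLatestSpec` branch, so the new side no longer states anywhere that for the older protocol version the `aud` claim is not checked and an empty scope set is returned; that is the most security-relevant behaviour in the function and should stay written down. I would keep a short doc comment on the function saying that `isLatestSpec` selects whether `aud` is validated against `audience` and that `requiredScopes` empty skips the scope check, and restore one line above the early return, e.g. `// Older protocol version: aud is not checked and no scopes are returned for the policy layer.` ValidateJWT's body continues past each of these hunks.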