fix: Update ScopesSupported to match RFC 9728 Section 2

2025-10-22 16:23:03 +00:00 · 2025-10-12 21:26:05 +01:00 · 2025-10-12 21:26:05 +01:00 · 8ca4bb4787
commit 8ca4bb4787
parent 56d969b785
5 changed files with 17 additions and 66 deletions
--- a/internal/authz/default.go
+++ b/internal/authz/default.go
@ -100,10 +100,17 @@ func (p *defaultProvider) ProtectedResourceMetadataHandler() http.HandlerFunc {
 		w.Header().Set("Content-Type", "application/json")
 		meta := map[string]interface{}{
 			"audience":              p.cfg.ProtectedResourceMetadata.Audience,
-			"scopes_supported":      p.cfg.ProtectedResourceMetadata.ScopesSupported,
 			"authorization_servers": p.cfg.ProtectedResourceMetadata.AuthorizationServers,
 		}

+		if len(p.cfg.ProtectedResourceMetadata.ScopesSupported) > 0 {
+			meta["scopes_supported"] = p.cfg.ProtectedResourceMetadata.ScopesSupported
+		}
+
+		if p.cfg.ProtectedResourceMetadata.ResourceIdentifier != "" {
+			meta["resource"] = p.cfg.ProtectedResourceMetadata.ResourceIdentifier
+		}
+
 		if p.cfg.ProtectedResourceMetadata.JwksURI != "" {
 			meta["jwks_uri"] = p.cfg.ProtectedResourceMetadata.JwksURI
 		}
--- a/internal/authz/scope_validator.go
+++ b/internal/authz/scope_validator.go
@ -7,7 +7,6 @@ import (

 	"github.com/golang-jwt/jwt/v4"
 	"github.com/wso2/open-mcp-auth-proxy/internal/config"
-	"github.com/wso2/open-mcp-auth-proxy/internal/util"
 )

 type ScopeValidator struct{}
@ -18,11 +17,7 @@ func (d *ScopeValidator) ValidateAccess(
 	claims *jwt.MapClaims,
 	config *config.Config,
 ) AccessControlResult {
-	env, err := util.ParseRPCRequest(r)
-	if err != nil {
-		return AccessControlResult{DecisionDeny, "bad JSON-RPC request"}
-	}
-	requiredScopes := util.GetRequiredScopes(config, env)
+	requiredScopes := config.ProtectedResourceMetadata.ScopesSupported

 	if len(requiredScopes) == 0 {
 		return AccessControlResult{DecisionAllow, ""}