add more custom config vars (#9)

WhammyLeaf · web-flow · commit cc0cd7e0b565 · 2025-12-21T13:48:02.000-08:00
Signed-off-by: Christian Troelsen &lt;christian.troelsen@tryg.dk&gt;

fix suggestions by coderabbit

Signed-off-by: Christian Troelsen &lt;christian.troelsen@tryg.dk&gt;

a few more changes

add logging

some fixes to metadata endpoints

add more token logging

try to update resource value

try another update

more updates

remove unnnecessary stuff
diff --git a/config.go b/config.go
@@ -2,6 +2,8 @@ package oauth
 
 import (
 	"fmt"
+	"strconv"
+	"strings"
 
 	"github.com/tuannvm/oauth-mcp-proxy/provider"
 )
@@ -18,6 +20,7 @@ type Config struct {
 	Audience     string
 	ClientID     string
 	ClientSecret string
+	Scopes       []string // OIDC scopes
 
 	// Server configuration
 	ServerURL string // Full URL of the MCP server
@@ -31,6 +34,11 @@ type Config struct {
 	// Implement the Logger interface (Debug, Info, Warn, Error methods) to
 	// integrate with your application's logging system (e.g., zap, logrus).
 	Logger Logger
+
+	SkipAudienceCheck bool // whether to skip audience validation
+	// The issuer URL to use for issuer validation.
+	// This should only be set if the issuer in the token differs from the standard issuer URL.
+	ValidatorIssuer string
 }
 
 // Validate validates the configuration
@@ -119,11 +127,13 @@ func SetupOAuth(cfg *Config) (provider.TokenValidator, error) {
 func createValidator(cfg *Config, logger Logger) (provider.TokenValidator, error) {
 	// Convert root Config to provider.Config
 	providerCfg := &provider.Config{
-		Provider:  cfg.Provider,
-		Issuer:    cfg.Issuer,
-		Audience:  cfg.Audience,
-		JWTSecret: cfg.JWTSecret,
-		Logger:    logger,
+		Provider:          cfg.Provider,
+		Issuer:            cfg.Issuer,
+		Audience:          cfg.Audience,
+		JWTSecret:         cfg.JWTSecret,
+		Logger:            logger,
+		SkipAudienceCheck: cfg.SkipAudienceCheck,
+		ValidatorIssuer:   cfg.ValidatorIssuer,
 	}
 
 	var validator provider.TokenValidator
@@ -217,12 +227,30 @@ func (b *ConfigBuilder) WithJWTSecret(secret []byte) *ConfigBuilder {
 	return b
 }
 
+// WithScopes sets the OIDC scopes
+func (b *ConfigBuilder) WithScopes(scopes []string) *ConfigBuilder {
+	b.config.Scopes = scopes
+	return b
+}
+
 // WithLogger sets the logger
 func (b *ConfigBuilder) WithLogger(logger Logger) *ConfigBuilder {
 	b.config.Logger = logger
 	return b
 }
 
+// WithSkipAudienceCheck sets audience check toggle
+func (b *ConfigBuilder) WithSkipAudienceCheck(skipAudienceCheck bool) *ConfigBuilder {
+	b.config.SkipAudienceCheck = skipAudienceCheck
+	return b
+}
+
+// WithValidatorIssuer sets the validator issuer URL
+func (b *ConfigBuilder) WithValidatorIssuer(validatorIssuer string) *ConfigBuilder {
+	b.config.ValidatorIssuer = validatorIssuer
+	return b
+}
+
 // WithServerURL sets the full server URL directly
 func (b *ConfigBuilder) WithServerURL(url string) *ConfigBuilder {
 	b.config.ServerURL = url
@@ -281,6 +309,12 @@ func FromEnv() (*Config, error) {
 
 	jwtSecret := getEnv("JWT_SECRET", "")
 
+	scopes := []string{}
+	scopesEnv := getEnv("OIDC_SCOPES", "")
+	if scopesEnv != "" {
+		scopes = strings.Split(scopesEnv, " ")
+	}
+
 	return NewConfigBuilder().
 		WithMode(getEnv("OAUTH_MODE", "")).
 		WithProvider(getEnv("OAUTH_PROVIDER", "")).
@@ -289,7 +323,23 @@ func FromEnv() (*Config, error) {
 		WithAudience(getEnv("OIDC_AUDIENCE", "")).
 		WithClientID(getEnv("OIDC_CLIENT_ID", "")).
 		WithClientSecret(getEnv("OIDC_CLIENT_SECRET", "")).
+		WithScopes(scopes).
+		WithSkipAudienceCheck(parseBoolEnv("OIDC_SKIP_AUDIENCE_CHECK", false)).
+		WithValidatorIssuer(getEnv("OIDC_VALIDATOR_ISSUER", "")).
 		WithServerURL(serverURL).
 		WithJWTSecret([]byte(jwtSecret)).
 		Build()
 }
+
+// parseBoolEnv parses a boolean environment variable
+func parseBoolEnv(key string, defaultVal bool) bool {
+	val := getEnv(key, "")
+	if val == "" {
+		return defaultVal
+	}
+	parsed, err := strconv.ParseBool(val)
+	if err != nil {
+		return defaultVal
+	}
+	return parsed
+}
diff --git a/handlers.go b/handlers.go
@@ -46,6 +46,7 @@ type OAuth2Config struct {
 	Audience     string
 	ClientID     string
 	ClientSecret string
+	Scopes       []string // OIDC scopes
 
 	// Server configuration
 	MCPHost string
@@ -96,7 +97,7 @@ func NewOAuth2Handler(cfg *OAuth2Config, logger Logger) *OAuth2Handler {
 		ClientID:     cfg.ClientID,
 		ClientSecret: cfg.ClientSecret,
 		Endpoint:     endpoint,
-		Scopes:       []string{"openid", "profile", "email"},
+		Scopes:       cfg.Scopes,
 	}
 
 	// Log client configuration type for debugging
@@ -177,6 +178,11 @@ func NewOAuth2ConfigFromConfig(cfg *Config, version string) *OAuth2Config {
 		mcpURL = getEnv("MCP_URL", fmt.Sprintf("%s://%s:%s", scheme, mcpHost, mcpPort))
 	}
 
+	scopes := cfg.Scopes
+	if len(scopes) == 0 {
+		scopes = []string{"openid", "profile", "email"}
+	}
+
 	return &OAuth2Config{
 		Enabled:         true,
 		Mode:            cfg.Mode,
@@ -186,6 +192,7 @@ func NewOAuth2ConfigFromConfig(cfg *Config, version string) *OAuth2Config {
 		Audience:        cfg.Audience,
 		ClientID:        cfg.ClientID,
 		ClientSecret:    cfg.ClientSecret,
+		Scopes:          scopes,
 		MCPHost:         mcpHost,
 		MCPPort:         mcpPort,
 		MCPURL:          mcpURL,
@@ -287,7 +294,7 @@ func (h *OAuth2Handler) HandleAuthorize(w http.ResponseWriter, r *http.Request)
 	clientID := query.Get("client_id")
 
 	h.logger.Info("OAuth2: Authorization request - client_id: %s, redirect_uri: %s, code_challenge: %s",
-		clientID, clientRedirectURI, truncateString(codeChallenge, 10))
+		clientID, clientRedirectURI, codeChallenge)
 
 	// Determine redirect URI strategy based on configuration
 	var redirectURI string
diff --git a/metadata.go b/metadata.go
@@ -138,7 +138,7 @@ func (h *OAuth2Handler) HandleProtectedResourceMetadata(w http.ResponseWriter, r
 		"resource_documentation":                fmt.Sprintf("%s/docs", h.config.MCPURL),
 		"resource_policy_uri":                   fmt.Sprintf("%s/policy", h.config.MCPURL),
 		"resource_tos_uri":                      fmt.Sprintf("%s/tos", h.config.MCPURL),
-		"scopes_supported":                      []string{"openid", "profile", "email"},
+		"scopes_supported":                      h.config.Scopes,
 	}
 
 	// Encode and send response
@@ -243,7 +243,7 @@ func (h *OAuth2Handler) HandleOIDCDiscovery(w http.ResponseWriter, r *http.Reque
 		"token_endpoint_auth_methods_supported": []string{"none"},
 		"code_challenge_methods_supported":      []string{"plain", "S256"},
 		"subject_types_supported":               []string{"public"},
-		"scopes_supported":                      []string{"openid", "profile", "email"},
+		"scopes_supported":                      h.config.Scopes,
 	}
 
 	// Add provider-specific fields
@@ -283,7 +283,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}
 			"grant_types_supported":                 []string{"authorization_code"},
 			"token_endpoint_auth_methods_supported": []string{"none"},
 			"code_challenge_methods_supported":      []string{"plain", "S256"},
-			"scopes_supported":                      []string{"openid", "profile", "email"},
+			"scopes_supported":                      h.config.Scopes,
 		}
 
 		// Add provider-specific endpoints
@@ -315,7 +315,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}
 			"grant_types_supported":                 []string{"authorization_code"},
 			"token_endpoint_auth_methods_supported": []string{"none"},
 			"code_challenge_methods_supported":      []string{"plain", "S256"},
-			"scopes_supported":                      []string{"openid", "profile", "email"},
+			"scopes_supported":                      h.config.Scopes,
 		}
 	}
 
diff --git a/provider/provider.go b/provider/provider.go
@@ -30,11 +30,13 @@ type Logger interface {
 
 // Config holds OAuth configuration (subset needed by provider)
 type Config struct {
-	Provider  string
-	Issuer    string
-	Audience  string
-	JWTSecret []byte
-	Logger    Logger
+	Provider          string
+	Issuer            string
+	Audience          string
+	JWTSecret         []byte
+	Logger            Logger
+	SkipAudienceCheck bool
+	ValidatorIssuer   string
 }
 
 // TokenValidator interface for OAuth token validation
@@ -52,10 +54,11 @@ type HMACValidator struct {
 
 // OIDCValidator validates JWT tokens using OIDC/JWKS (Okta, Google, Azure)
 type OIDCValidator struct {
-	verifier *oidc.IDTokenVerifier
-	provider *oidc.Provider
-	audience string
-	logger   Logger
+	verifier        *oidc.IDTokenVerifier
+	provider        *oidc.Provider
+	audience        string
+	TokenValidators []func(claims jwt.MapClaims) error
+	logger          Logger
 }
 
 // Initialize sets up the HMAC validator with JWT secret and audience
@@ -90,7 +93,6 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
 		}
 		return []byte(v.secret), nil
 	})
-
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse and validate token: %w", err)
 	}
@@ -190,7 +192,9 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
 			MaxIdleConnsPerHost: 10,
 		},
 	}
-
+	if cfg.ValidatorIssuer != "" {
+		ctx = oidc.InsecureIssuerURLContext(ctx, cfg.ValidatorIssuer)
+	}
 	// Create OIDC provider with custom HTTP client
 	provider, err := oidc.NewProvider(
 		oidc.ClientContext(ctx, httpClient),
@@ -204,15 +208,17 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
 	verifier := provider.Verifier(&oidc.Config{
 		ClientID:             cfg.Audience, // Note: go-oidc uses ClientID field for audience validation - see https://github.com/coreos/go-oidc/blob/v3/oidc/verify.go#L85
 		SupportedSigningAlgs: []string{oidc.RS256, oidc.ES256},
-		SkipClientIDCheck:    false, // Always validate if ClientID is provided
-		SkipExpiryCheck:      false, // Verify expiration
-		SkipIssuerCheck:      false, // Verify issuer
+		SkipClientIDCheck:    cfg.SkipAudienceCheck,
+		SkipExpiryCheck:      false,
+		SkipIssuerCheck:      false,
 	})
 
-	v.logger.Info("OAuth: OIDC validator initialized with audience validation: %s", cfg.Audience)
-
 	v.provider = provider
 	v.verifier = verifier
+	if !cfg.SkipAudienceCheck {
+		v.logger.Info("OAuth: OIDC validator initialized with audience validation: %s", cfg.Audience)
+		v.TokenValidators = append(v.TokenValidators, v.validateAudience)
+	}
 	return nil
 }
 
@@ -256,9 +262,12 @@ func (v *OIDCValidator) ValidateToken(ctx context.Context, tokenString string) (
 		return nil, fmt.Errorf("failed to extract raw claims: %w", err)
 	}
 
-	// Validate audience claim for security (explicit check)
-	if err := v.validateAudience(rawClaims); err != nil {
-		return nil, fmt.Errorf("audience validation failed: %w", err)
+	// Run extra validation functions
+	for i, fn := range v.TokenValidators {
+		err := fn(rawClaims)
+		if err != nil {
+			return nil, fmt.Errorf("validation function %d failed with error: %w", i, err)
+		}
 	}
 
 	return &User{

Original file line number	Diff line number	Diff line change
`@@ -138,7 +138,7 @@ func (h *OAuth2Handler) HandleProtectedResourceMetadata(w http.ResponseWriter, r`
`138`	`138`	`"resource_documentation": fmt.Sprintf("%s/docs", h.config.MCPURL),`
`139`	`139`	`"resource_policy_uri": fmt.Sprintf("%s/policy", h.config.MCPURL),`
`140`	`140`	`"resource_tos_uri": fmt.Sprintf("%s/tos", h.config.MCPURL),`
`141`		`- "scopes_supported": []string{"openid", "profile", "email"},`
	`141`	`+ "scopes_supported": h.config.Scopes,`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`// Encode and send response`
`@@ -243,7 +243,7 @@ func (h OAuth2Handler) HandleOIDCDiscovery(w http.ResponseWriter, r http.Reque`
`243`	`243`	`"token_endpoint_auth_methods_supported": []string{"none"},`
`244`	`244`	`"code_challenge_methods_supported": []string{"plain", "S256"},`
`245`	`245`	`"subject_types_supported": []string{"public"},`
`246`		`- "scopes_supported": []string{"openid", "profile", "email"},`
	`246`	`+ "scopes_supported": h.config.Scopes,`
`247`	`247`	`}`
`248`	`248`
`249`	`249`	`// Add provider-specific fields`
`@@ -283,7 +283,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}`
`283`	`283`	`"grant_types_supported": []string{"authorization_code"},`
`284`	`284`	`"token_endpoint_auth_methods_supported": []string{"none"},`
`285`	`285`	`"code_challenge_methods_supported": []string{"plain", "S256"},`
`286`		`- "scopes_supported": []string{"openid", "profile", "email"},`
	`286`	`+ "scopes_supported": h.config.Scopes,`
`287`	`287`	`}`
`288`	`288`
`289`	`289`	`// Add provider-specific endpoints`
`@@ -315,7 +315,7 @@ func (h *OAuth2Handler) GetAuthorizationServerMetadata() map[string]interface{}`
`315`	`315`	`"grant_types_supported": []string{"authorization_code"},`
`316`	`316`	`"token_endpoint_auth_methods_supported": []string{"none"},`
`317`	`317`	`"code_challenge_methods_supported": []string{"plain", "S256"},`
`318`		`- "scopes_supported": []string{"openid", "profile", "email"},`
	`318`	`+ "scopes_supported": h.config.Scopes,`
`319`	`319`	`}`
`320`	`320`	`}`
`321`	`321`