Wire server-url to audience, if it is set

Author: ardaguclu

pkg/http/authorization.go

@@ -19,7 +19,7 @@ const (
 )
 
 // AuthorizationMiddleware validates the OAuth flow using Kubernetes TokenReview API
-func AuthorizationMiddleware(requireOAuth bool, mcpServer *mcp.Server) func(http.Handler) http.Handler {
+func AuthorizationMiddleware(requireOAuth bool, serverURL string, mcpServer *mcp.Server) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/healthz" || r.URL.Path == "/.well-known/oauth-protected-resource" {
@@ -42,7 +42,12 @@ func AuthorizationMiddleware(requireOAuth bool, mcpServer *mcp.Server) func(http
 
 			token := strings.TrimPrefix(authHeader, "Bearer ")
 
-			err := validateJWTToken(token)
+			audience := Audience
+			if serverURL != "" {
+				audience = serverURL
+			}
+
+			err := validateJWTToken(token, audience)
 			if err != nil {
 				klog.V(1).Infof("Authentication failed - JWT validation error: %s %s from %s, error: %v", r.Method, r.URL.Path, r.RemoteAddr, err)
 
@@ -73,7 +78,7 @@ type JWTClaims struct {
 }
 
 // validateJWTToken validates basic JWT claims without signature verification
-func validateJWTToken(token string) error {
+func validateJWTToken(token, audience string) error {
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
 		return fmt.Errorf("invalid JWT token format")
@@ -88,7 +93,7 @@ func validateJWTToken(token string) error {
 		return fmt.Errorf("token expired")
 	}
 
-	if !slices.Contains(claims.Audience, Audience) {
+	if !slices.Contains(claims.Audience, audience) {
 		return fmt.Errorf("token audience mismatch: %v", claims.Audience)
 	}
 

pkg/http/authorization_test.go

@@ -98,7 +98,7 @@ func TestValidateJWTToken(t *testing.T) {
 	t.Run("invalid token format - not enough parts", func(t *testing.T) {
 		invalidToken := "header.payload"
 
-		err := validateJWTToken(invalidToken)
+		err := validateJWTToken(invalidToken, "test")
 		if err == nil {
 			t.Error("expected error for invalid token format, got nil")
 		}
@@ -120,7 +120,7 @@ func TestValidateJWTToken(t *testing.T) {
 		payload := base64.URLEncoding.EncodeToString(jsonBytes)
 		expiredToken := "header." + payload + ".signature"
 
-		err := validateJWTToken(expiredToken)
+		err := validateJWTToken(expiredToken, "kubernetes-mcp-server")
 		if err == nil {
 			t.Error("expected error for expired token, got nil")
 		}
@@ -142,7 +142,7 @@ func TestValidateJWTToken(t *testing.T) {
 		payload := base64.URLEncoding.EncodeToString(jsonBytes)
 		multiAudToken := "header." + payload + ".signature"
 
-		err := validateJWTToken(multiAudToken)
+		err := validateJWTToken(multiAudToken, "kubernetes-mcp-server")
 		if err != nil {
 			t.Errorf("expected no error for token with multiple audiences, got %v", err)
 		}
@@ -160,7 +160,7 @@ func TestValidateJWTToken(t *testing.T) {
 		payload := base64.URLEncoding.EncodeToString(jsonBytes)
 		wrongAudToken := "header." + payload + ".signature"
 
-		err := validateJWTToken(wrongAudToken)
+		err := validateJWTToken(wrongAudToken, "audience")
 		if err == nil {
 			t.Error("expected error for token with wrong audience, got nil")
 		}
@@ -183,7 +183,7 @@ func TestAuthorizationMiddleware(t *testing.T) {
 		handlerCalled = false
 
 		// Create middleware with OAuth disabled
-		middleware := AuthorizationMiddleware(false, nil)
+		middleware := AuthorizationMiddleware(false, "", nil)
 		wrappedHandler := middleware(handler)
 
 		// Create request without authorization header
@@ -204,7 +204,7 @@ func TestAuthorizationMiddleware(t *testing.T) {
 		handlerCalled = false
 
 		// Create middleware with OAuth enabled
-		middleware := AuthorizationMiddleware(true, nil)
+		middleware := AuthorizationMiddleware(true, "", nil)
 		wrappedHandler := middleware(handler)
 
 		// Create request to healthz endpoint
@@ -225,7 +225,7 @@ func TestAuthorizationMiddleware(t *testing.T) {
 		handlerCalled = false
 
 		// Create middleware with OAuth enabled
-		middleware := AuthorizationMiddleware(true, nil)
+		middleware := AuthorizationMiddleware(true, "", nil)
 		wrappedHandler := middleware(handler)
 
 		// Create request without authorization header
@@ -249,7 +249,7 @@ func TestAuthorizationMiddleware(t *testing.T) {
 		handlerCalled = false
 
 		// Create middleware with OAuth enabled
-		middleware := AuthorizationMiddleware(true, nil)
+		middleware := AuthorizationMiddleware(true, "", nil)
 		wrappedHandler := middleware(handler)
 
 		// Create request with invalid bearer token

pkg/http/http.go

@@ -20,7 +20,7 @@ func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.Stat
 	mux := http.NewServeMux()
 
 	wrappedMux := RequestMiddleware(
-		AuthorizationMiddleware(staticConfig.RequireOAuth, mcpServer)(mux),
+		AuthorizationMiddleware(staticConfig.RequireOAuth, staticConfig.ServerURL, mcpServer)(mux),
 	)
 
 	httpServer := &http.Server{