@@ -19,7 +19,7 @@ const (
1919)
2020
2121// AuthorizationMiddleware validates the OAuth flow using Kubernetes TokenReview API
22- func AuthorizationMiddleware (requireOAuth bool , mcpServer * mcp.Server ) func (http.Handler ) http.Handler {
22+ func AuthorizationMiddleware (requireOAuth bool , serverURL string , mcpServer * mcp.Server ) func (http.Handler ) http.Handler {
2323 return func (next http.Handler ) http.Handler {
2424 return http .HandlerFunc (func (w http.ResponseWriter , r * http.Request ) {
2525 if r .URL .Path == "/healthz" || r .URL .Path == "/.well-known/oauth-protected-resource" {
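Review bot: The doc comment on line 21 still describes only the TokenReview flow and says nothing about the new serverURL parameter, so a caller cannot tell what value is expected; in the following hunk it becomes the expected `aud` value, with the Audience constant used when it is empty. Suggest extending the comment with `// serverURL, when non-empty, is the audience expected in the token's aud claim; an empty value falls back to the Audience constant.` Because the value is compared verbatim against the claim, it should be passed exactly as the issuer writes it into aud (scheme, host, trailing slash). AuthorizationMiddleware's body continues past this hunk.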
@@ -42,7 +42,12 @@ func AuthorizationMiddleware(requireOAuth bool, mcpServer *mcp.Server) func(http
4242
4343 token := strings .TrimPrefix (authHeader , "Bearer " )
4444
45- err := validateJWTToken (token )
45+ audience := Audience
46+ if serverURL != "" {
47+ audience = serverURL
48+ }
49+
50+ err := validateJWTToken (token , audience )
4651 if err != nil {
4752 klog .V (1 ).Infof ("Authentication failed - JWT validation error: %s %s from %s, error: %v" , r .Method , r .URL .Path , r .RemoteAddr , err )
4853
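Review bot: The audience selection on lines 45–48 runs inside the HandlerFunc on every request although it depends only on serverURL, which is fixed when the middleware is constructed; moving the four `audience := Audience … }` lines above `return func(next http.Handler) http.Handler {` in the previous hunk computes it once and makes the effective audience visible at construction time. The comparison in validateJWTToken is an exact string match, so a serverURL that differs from the issuer's aud only by a trailing slash or letter case will reject every token; a one-line comment here would save operators a debugging round, e.g. `// audience must match the aud claim byte-for-byte; no URL normalisation is applied`. The enclosing function starts in the previous hunk and ends after this one.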
@@ -73,7 +78,7 @@ type JWTClaims struct {
7378}
7479
7580// validateJWTToken validates basic JWT claims without signature verification
76- func validateJWTToken (token string ) error {
81+ func validateJWTToken (token , audience string ) error {
7782 parts := strings .Split (token , "." )
7883 if len (parts ) != 3 {
7984 return fmt .Errorf ("invalid JWT token format" )
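Review bot: validateJWTToken gains an audience parameter on line 81 but the doc comment on line 80 is unchanged and neither names the argument nor states what the function actually checks. Suggest `// validateJWTToken checks the three-part format, expiry and that audience appears in the aud claim; the signature is NOT verified, so these checks only constrain a token that has been authenticated elsewhere.` The function body continues in the next hunk.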
@@ -88,7 +93,7 @@ func validateJWTToken(token string) error {
8893 return fmt .Errorf ("token expired" )
8994 }
9095
91- if ! slices .Contains (claims .Audience , Audience ) {
96+ if ! slices .Contains (claims .Audience , audience ) {
9297 return fmt .Errorf ("token audience mismatch: %v" , claims .Audience )
9398 }
9499
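Review bot: The check on line 96 is an exact, case-sensitive match of audience against the elements of claims.Audience, and a token whose aud claim is a single string rather than an array (both forms are permitted by RFC 7519) only reaches this line if JWTClaims.Audience decodes both shapes — the struct is declared outside this hunk, so worth confirming. An empty audience argument would match only an empty aud entry; the caller falls back to the Audience constant so this is presumably unreachable, but a guard `if audience == "" { return fmt.Errorf("no expected audience configured") }` before the Contains call makes the precondition explicit rather than relying on the caller. validateJWTToken continues past the end of this hunk.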