Correctly construct aud for scope verification

futurGH · futurGH · commit b00ac046b0c1 · 2025-12-25T15:51:59.000-05:00
(different from aud for jwt)
diff --git a/pegasus/lib/xrpc.ml b/pegasus/lib/xrpc.ml
@@ -209,10 +209,10 @@ let service_proxy ?lxm ?aud (ctx : context) =
     | None ->
         Errors.invalid_request "invalid proxy header"
   in
-  let aud = Option.value aud ~default:(service_did ^ "#" ^ service_type) in
+  let aud = Option.value aud ~default:service_did in
   let lxm = Option.value lxm ~default:nsid in
-  Auth.assert_rpc_scope ctx.auth ~aud ~lxm ;
   let fragment = "#" ^ service_type in
+  Auth.assert_rpc_scope ctx.auth ~aud:(aud ^ fragment) ~lxm ;
   match%lwt Id_resolver.Did.resolve service_did with
   | Ok did_doc -> (
       let scheme, host =
