fix: align token verifier audience with OAuth server response

shulkx · web-flow · commit 2bc3292c5ca1 · 2025-09-29T23:09:47.000+08:00
The OAuth server returns `aud` including the `/mcp` path, while the token verifier previously expected only the base URL. This mismatch caused introspection failures under `--oauth-strict`. Updated the verifier configuration to use the correct audience to ensure successful token introspection.
diff --git a/examples/servers/simple-auth/mcp_simple_auth/server.py b/examples/servers/simple-auth/mcp_simple_auth/server.py
@@ -63,7 +63,7 @@ def create_resource_server(settings: ResourceServerSettings) -> FastMCP:
     # Create token verifier for introspection with RFC 8707 resource validation
     token_verifier = IntrospectionTokenVerifier(
         introspection_endpoint=settings.auth_server_introspection_endpoint,
-        server_url=str(settings.server_url),
+        server_url=f"{str(settings.server_url).rstrip('/')}/mcp",
         validate_resource=settings.oauth_strict,  # Only validate when --oauth-strict is set
     )
 

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ def create_resource_server(settings: ResourceServerSettings) -> FastMCP:`
`63`	`63`	`# Create token verifier for introspection with RFC 8707 resource validation`
`64`	`64`	`token_verifier = IntrospectionTokenVerifier(`
`65`	`65`	`introspection_endpoint=settings.auth_server_introspection_endpoint,`
`66`		`- server_url=str(settings.server_url),`
	`66`	`+ server_url=f"{str(settings.server_url).rstrip('/')}/mcp",`
`67`	`67`	`validate_resource=settings.oauth_strict, # Only validate when --oauth-strict is set`
`68`	`68`	`)`
`69`	`69`