Add RFC-9728 discovery endpoint (#1287)

Author: jhrozek

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -213,7 +213,7 @@ func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 
 	// Update the MCPServer status with the service URL
 	if mcpServer.Status.URL == "" {
-		mcpServer.Status.URL = fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", service.Name, service.Namespace, mcpServer.Spec.Port)
+		mcpServer.Status.URL = createServiceURL(mcpServer.Name, mcpServer.Namespace, mcpServer.Spec.Port)
 		err = r.Status().Update(ctx, mcpServer)
 		if err != nil {
 			ctxLogger.Error(err, "Failed to update MCPServer status")
@@ -428,6 +428,10 @@ func (r *MCPServerReconciler) deploymentForMCPServer(m *mcpv1alpha1.MCPServer) *
 
 		oidcArgs := r.generateOIDCArgs(ctx, m)
 		args = append(args, oidcArgs...)
+
+		// Add OAuth discovery resource URL for RFC 9728 compliance
+		resourceURL := createServiceURL(m.Name, m.Namespace, m.Spec.Port)
+		args = append(args, fmt.Sprintf("--resource-url=%s", resourceURL))
 	}
 
 	// Add authorization configuration args
@@ -625,6 +629,12 @@ func createServiceName(mcpServerName string) string {
 	return fmt.Sprintf("mcp-%s-proxy", mcpServerName)
 }
 
+// createServiceURL generates the full cluster-local service URL for an MCP server
+func createServiceURL(mcpServerName, namespace string, port int32) string {
+	serviceName := createServiceName(mcpServerName)
+	return fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", serviceName, namespace, port)
+}
+
 // serviceForMCPServer returns a MCPServer Service object
 func (r *MCPServerReconciler) serviceForMCPServer(m *mcpv1alpha1.MCPServer) *corev1.Service {
 	ls := labelsForMCPServer(m.Name)

cmd/thv-proxyrunner/app/run.go

@@ -78,6 +78,9 @@ var (
 
 	// Tools filter
 	runToolsFilter []string
+
+	// OAuth discovery resource URL
+	runResourceURL string
 )
 
 func init() {
@@ -185,6 +188,12 @@ func init() {
 		nil,
 		"Filter MCP server tools (comma-separated list of tool names)",
 	)
+	runCmd.Flags().StringVar(
+		&runResourceURL,
+		"resource-url",
+		"",
+		"Explicit resource URL for OAuth discovery endpoint (RFC 9728)",
+	)
 }
 
 func runCmdFunc(cmd *cobra.Command, args []string) error {
@@ -248,7 +257,7 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 		WithTransportAndPorts(runTransport, runProxyPort, runTargetPort).
 		WithAuditEnabled(runEnableAudit, runAuditConfig).
 		WithOIDCConfig(oidcIssuer, oidcAudience, oidcJwksURL, oidcIntrospectionURL, oidcClientID, oidcClientSecret,
-			runThvCABundle, runJWKSAuthTokenFile, runJWKSAllowPrivateIP).
+			runThvCABundle, runJWKSAuthTokenFile, runResourceURL, runJWKSAllowPrivateIP).
 		WithTelemetryConfig(finalOtelEndpoint, runOtelEnablePrometheusMetricsPath, runOtelServiceName,
 			finalOtelSamplingRate, runOtelHeaders, runOtelInsecure, finalOtelEnvironmentVariables).
 		WithToolsFilter(runToolsFilter).

cmd/thv/app/proxy.go

@@ -86,6 +86,8 @@ var (
 	proxyPort      int
 	proxyTargetURI string
 
+	resourceURL string // Explicit resource URL for OAuth discovery endpoint (RFC 9728)
+
 	// Remote server authentication flags
 	remoteAuthIssuer           string
 	remoteAuthClientID         string
@@ -126,6 +128,9 @@ func init() {
 	// Add OIDC validation flags
 	AddOIDCFlags(proxyCmd)
 
+	proxyCmd.Flags().StringVar(&resourceURL, "resource-url", "",
+		"Explicit resource URL for OAuth discovery endpoint (RFC 9728)")
+
 	// Add remote server authentication flags
 	proxyCmd.Flags().BoolVar(&enableRemoteAuth, "remote-auth", false, "Enable OAuth authentication to remote MCP server")
 	proxyCmd.Flags().StringVar(&remoteAuthIssuer, "remote-auth-issuer", "",
@@ -215,11 +220,12 @@ func proxyCmdFunc(cmd *cobra.Command, args []string) error {
 			IntrospectionURL: introspectionURL,
 			ClientID:         clientID,
 			ClientSecret:     clientSecret,
+			ResourceURL:      resourceURL,
 		}
 	}
 
 	// Get authentication middleware for incoming requests
-	authMiddleware, err := auth.GetAuthenticationMiddleware(ctx, oidcConfig)
+	authMiddleware, authInfoHandler, err := auth.GetAuthenticationMiddleware(ctx, oidcConfig)
 	if err != nil {
 		return fmt.Errorf("failed to create authentication middleware: %v", err)
 	}
@@ -236,7 +242,11 @@ func proxyCmdFunc(cmd *cobra.Command, args []string) error {
 		port, proxyTargetURI)
 
 	// Create the transparent proxy with middlewares
-	proxy := transparent.NewTransparentProxy(proxyHost, port, serverName, proxyTargetURI, nil, false, middlewares...)
+	proxy := transparent.NewTransparentProxy(
+		proxyHost, port, serverName, proxyTargetURI,
+		nil, authInfoHandler,
+		false,
+		middlewares...)
 	if err := proxy.Start(ctx); err != nil {
 		return fmt.Errorf("failed to start proxy: %v", err)
 	}

cmd/thv/app/run_flags.go

@@ -52,6 +52,9 @@ type RunFlags struct {
 	JWKSAuthTokenFile  string
 	JWKSAllowPrivateIP bool
 
+	// OAuth discovery configuration
+	ResourceURL string
+
 	// Telemetry configuration
 	OtelEndpoint                    string
 	OtelServiceName                 string
@@ -140,6 +143,10 @@ func AddRunFlags(cmd *cobra.Command, config *RunFlags) {
 	cmd.Flags().BoolVar(&config.JWKSAllowPrivateIP, "jwks-allow-private-ip", false,
 		"Allow JWKS/OIDC endpoints on private IP addresses (use with caution)")
 
+	// OAuth discovery configuration
+	cmd.Flags().StringVar(&config.ResourceURL, "resource-url", "",
+		"Explicit resource URL for OAuth discovery endpoint (RFC 9728)")
+
 	// OpenTelemetry flags updated per origin/main
 	cmd.Flags().StringVar(&config.OtelEndpoint, "otel-endpoint", "",
 		"OpenTelemetry OTLP endpoint URL (e.g., https://api.honeycomb.io)")
@@ -271,7 +278,7 @@ func BuildRunnerConfig(
 		WithLabels(runConfig.Labels).
 		WithGroup(runConfig.Group).
 		WithOIDCConfig(oidcIssuer, oidcAudience, oidcJwksURL, oidcIntrospectionURL, oidcClientID, oidcClientSecret,
-			runConfig.ThvCABundle, runConfig.JWKSAuthTokenFile, runConfig.JWKSAllowPrivateIP).
+			runConfig.ThvCABundle, runConfig.JWKSAuthTokenFile, runConfig.ResourceURL, runConfig.JWKSAllowPrivateIP).
 		WithTelemetryConfig(finalOtelEndpoint, runConfig.OtelEnablePrometheusMetricsPath, runConfig.OtelServiceName,
 			finalOtelSamplingRate, runConfig.OtelHeaders, runConfig.OtelInsecure, finalOtelEnvironmentVariables).
 		WithToolsFilter(runConfig.ToolsFilter).

docs/cli/thv_proxy.md

@@ -155,7 +155,7 @@ func Serve(
 	r.Use(updateCheckMiddleware())
 
 	// Add authentication middleware
-	authMiddleware, err := auth.GetAuthenticationMiddleware(ctx, oidcConfig)
+	authMiddleware, _, err := auth.GetAuthenticationMiddleware(ctx, oidcConfig)
 	if err != nil {
 		return fmt.Errorf("failed to create authentication middleware: %v", err)
 	}