fml (#37)

Author: dgellow

internal/oauth/resource_indicators.go

@@ -206,8 +206,12 @@ func ValidateAudienceForService(requestPath string, tokenAudience []string, issu
 	}
 
 	// Workaround: accept base issuer as audience if enabled
-	if acceptIssuerAudience && slices.Contains(tokenAudience, issuer) {
-		return nil
+	// Check both with and without trailing slash since clients may normalize differently
+	if acceptIssuerAudience {
+		normalized := strings.TrimSuffix(issuer, "/")
+		if slices.Contains(tokenAudience, normalized) || slices.Contains(tokenAudience, normalized+"/") {
+			return nil
+		}
 	}
 
 	return fmt.Errorf("token audience %v does not include required resource %s for service %s",

internal/oauth/resource_indicators_test.go

@@ -359,6 +359,13 @@ func TestValidateAudienceForService(t *testing.T) {
 			wantErr:              true,
 			errContains:          "does not include required resource",
 		},
+		{
+			name:                 "issuer audience with trailing slash accepted",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com/"},
+			acceptIssuerAudience: true,
+			wantErr:              false,
+		},
 	}
 
 	for _, tt := range tests {