Implement per-service protected resource metadata (RFC 9728)

401 responses now include service-specific metadata URIs that advertise
the correct per-service resource, so clients request tokens with the
right audience claim.

Author: dgellow

integration/oauth_test.go

@@ -1403,22 +1403,50 @@ func TestRFC8707ResourceIndicators(t *testing.T) {
 
 	waitForMCPFront(t)
 
-	t.Run("ProtectedResourceMetadataEndpoint", func(t *testing.T) {
+	t.Run("BaseProtectedResourceMetadataReturns404", func(t *testing.T) {
+		// Base metadata endpoint should return 404, directing clients to per-service endpoints
 		resp, err := http.Get("http://localhost:8080/.well-known/oauth-protected-resource")
 		require.NoError(t, err)
 		defer resp.Body.Close()
 
-		assert.Equal(t, 200, resp.StatusCode, "Protected resource metadata endpoint should exist")
+		assert.Equal(t, 404, resp.StatusCode, "Base protected resource metadata endpoint should return 404")
+
+		var errResp map[string]any
+		err = json.NewDecoder(resp.Body).Decode(&errResp)
+		require.NoError(t, err)
+
+		assert.Contains(t, errResp["message"], "per-service", "Error message should direct to per-service endpoints")
+	})
+
+	t.Run("PerServiceProtectedResourceMetadataEndpoint", func(t *testing.T) {
+		// Per-service metadata endpoint should return service-specific resource URI
+		resp, err := http.Get("http://localhost:8080/.well-known/oauth-protected-resource/test-sse")
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 200, resp.StatusCode, "Per-service protected resource metadata endpoint should exist")
 
 		var metadata map[string]any
 		err = json.NewDecoder(resp.Body).Decode(&metadata)
 		require.NoError(t, err)
 
-		assert.Equal(t, "http://localhost:8080", metadata["resource"])
+		// Resource should be service-specific, not base URL
+		assert.Equal(t, "http://localhost:8080/test-sse", metadata["resource"],
+			"Resource should be service-specific URL")
 
 		authzServers, ok := metadata["authorization_servers"].([]any)
 		require.True(t, ok, "Should have authorization_servers array")
 		require.NotEmpty(t, authzServers)
+		assert.Equal(t, "http://localhost:8080", authzServers[0],
+			"Authorization server should be base issuer")
+	})
+
+	t.Run("UnknownServiceReturns404", func(t *testing.T) {
+		resp, err := http.Get("http://localhost:8080/.well-known/oauth-protected-resource/nonexistent-service")
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 404, resp.StatusCode, "Unknown service should return 404")
 	})
 
 	t.Run("TokenWithResourceParameter", func(t *testing.T) {
@@ -1517,5 +1545,33 @@ func TestRFC8707ResourceIndicators(t *testing.T) {
 		wwwAuth := streamableResp.Header.Get("WWW-Authenticate")
 		assert.Contains(t, wwwAuth, "Bearer resource_metadata=",
 			"401 response should include RFC 9728 WWW-Authenticate header")
+		// Per RFC 9728 Section 5.2, the metadata URI should be service-specific
+		assert.Contains(t, wwwAuth, "/.well-known/oauth-protected-resource/test-streamable",
+			"401 response should point to per-service metadata endpoint")
+	})
+
+	t.Run("401ResponseIncludesServiceSpecificMetadataURI", func(t *testing.T) {
+		// Request to a protected endpoint without token should get 401
+		// with service-specific metadata URI in WWW-Authenticate header
+		client := &http.Client{
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}
+
+		req, _ := http.NewRequest("GET", "http://localhost:8080/test-sse/sse", nil)
+		req.Header.Set("Accept", "text/event-stream")
+
+		resp, err := client.Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, 401, resp.StatusCode, "Request without token should return 401")
+
+		wwwAuth := resp.Header.Get("WWW-Authenticate")
+		assert.Contains(t, wwwAuth, "Bearer resource_metadata=",
+			"401 response should include RFC 9728 WWW-Authenticate header")
+		assert.Contains(t, wwwAuth, "/.well-known/oauth-protected-resource/test-sse",
+			"401 response should point to test-sse specific metadata endpoint")
 	})
 }

internal/mcpfront.go

@@ -15,6 +15,7 @@ import (
 	"github.com/dgellow/mcp-front/internal/config"
 	"github.com/dgellow/mcp-front/internal/crypto"
 	"github.com/dgellow/mcp-front/internal/inline"
+	jsonwriter "github.com/dgellow/mcp-front/internal/json"
 	"github.com/dgellow/mcp-front/internal/log"
 	"github.com/dgellow/mcp-front/internal/oauth"
 	"github.com/dgellow/mcp-front/internal/server"
@@ -345,7 +346,13 @@ func buildHTTPHandler(
 
 		// Register OAuth endpoints
 		mux.Handle(route("/.well-known/oauth-authorization-server"), server.ChainMiddleware(http.HandlerFunc(authHandlers.WellKnownHandler), oauthMiddleware...))
-		mux.Handle(route("/.well-known/oauth-protected-resource"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ProtectedResourceMetadataHandler), oauthMiddleware...))
+		// Per-service protected resource metadata (RFC 9728 Section 5.2)
+		// Clients discover service-specific resource URIs for per-service audience validation (RFC 8707)
+		mux.Handle(route("/.well-known/oauth-protected-resource/{service}"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ServiceProtectedResourceMetadataHandler), oauthMiddleware...))
+		// Base protected resource metadata endpoint - returns 404 directing clients to per-service endpoints
+		mux.Handle(route("/.well-known/oauth-protected-resource"), server.ChainMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			jsonwriter.WriteNotFound(w, "Use /.well-known/oauth-protected-resource/{service} for per-service metadata")
+		}), oauthMiddleware...))
 		mux.Handle(route("/authorize"), server.ChainMiddleware(http.HandlerFunc(authHandlers.AuthorizeHandler), oauthMiddleware...))
 		mux.Handle(route("/oauth/callback"), server.ChainMiddleware(http.HandlerFunc(authHandlers.GoogleCallbackHandler), oauthMiddleware...))
 		mux.Handle(route("/token"), server.ChainMiddleware(http.HandlerFunc(authHandlers.TokenHandler), oauthMiddleware...))

internal/oauth/metadata.go

@@ -55,6 +55,10 @@ func AuthorizationServerMetadata(issuer string) (map[string]any, error) {
 
 // ProtectedResourceMetadata builds OAuth 2.0 Protected Resource Metadata per RFC 9728
 // https://datatracker.ietf.org/doc/html/rfc9728
+//
+// Deprecated: Use ServiceProtectedResourceMetadata for per-service metadata endpoints.
+// This function returns the base issuer as the resource, which doesn't support
+// per-service audience validation required by RFC 8707.
 func ProtectedResourceMetadata(issuer string) (map[string]any, error) {
 	authzServerURL, err := urlutil.JoinPath(issuer, ".well-known", "oauth-authorization-server")
 	if err != nil {
@@ -74,6 +78,50 @@ func ProtectedResourceMetadata(issuer string) (map[string]any, error) {
 	}, nil
 }
 
+// ServiceProtectedResourceMetadata builds OAuth 2.0 Protected Resource Metadata per RFC 9728
+// for a specific service. Per RFC 9728 Section 5.2, multiple resources on a single host
+// use path-based differentiation, with each resource having its own metadata endpoint.
+//
+// Example:
+//
+//	ServiceProtectedResourceMetadata("https://mcp.company.com", "postgres")
+//	Returns: {"resource": "https://mcp.company.com/postgres", ...}
+func ServiceProtectedResourceMetadata(issuer string, serviceName string) (map[string]any, error) {
+	resourceURI, err := urlutil.JoinPath(issuer, serviceName)
+	if err != nil {
+		return nil, err
+	}
+
+	authzServerURL, err := urlutil.JoinPath(issuer, ".well-known", "oauth-authorization-server")
+	if err != nil {
+		return nil, err
+	}
+
+	return map[string]any{
+		"resource": resourceURI,
+		"authorization_servers": []string{
+			issuer,
+		},
+		"_links": map[string]any{
+			"oauth-authorization-server": map[string]string{
+				"href": authzServerURL,
+			},
+		},
+	}, nil
+}
+
+// ServiceProtectedResourceMetadataURI builds the URI for a service-specific protected
+// resource metadata endpoint per RFC 9728. Used in WWW-Authenticate headers to direct
+// clients to the correct per-service metadata endpoint.
+//
+// Example:
+//
+//	ServiceProtectedResourceMetadataURI("https://mcp.company.com", "postgres")
+//	Returns: "https://mcp.company.com/.well-known/oauth-protected-resource/postgres"
+func ServiceProtectedResourceMetadataURI(issuer string, serviceName string) (string, error) {
+	return urlutil.JoinPath(issuer, ".well-known", "oauth-protected-resource", serviceName)
+}
+
 // ClientMetadata represents OAuth 2.0 client metadata
 type ClientMetadata struct {
 	ClientID                string   `json:"client_id"`

internal/oauth/metadata_test.go

@@ -150,3 +150,143 @@ func TestProtectedResourceMetadata(t *testing.T) {
 		})
 	}
 }
+
+func TestServiceProtectedResourceMetadata(t *testing.T) {
+	tests := []struct {
+		name         string
+		issuer       string
+		serviceName  string
+		wantResource string
+		wantErr      bool
+	}{
+		{
+			name:         "standard case",
+			issuer:       "https://mcp.company.com",
+			serviceName:  "postgres",
+			wantResource: "https://mcp.company.com/postgres",
+		},
+		{
+			name:         "issuer with base path",
+			issuer:       "https://mcp.company.com/api",
+			serviceName:  "postgres",
+			wantResource: "https://mcp.company.com/api/postgres",
+		},
+		{
+			name:         "issuer with trailing slash",
+			issuer:       "https://mcp.company.com/",
+			serviceName:  "linear",
+			wantResource: "https://mcp.company.com/linear",
+		},
+		{
+			name:         "different service",
+			issuer:       "https://mcp.company.com",
+			serviceName:  "gong",
+			wantResource: "https://mcp.company.com/gong",
+		},
+		{
+			name:        "invalid issuer",
+			issuer:      "://invalid",
+			serviceName: "postgres",
+			wantErr:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			metadata, err := ServiceProtectedResourceMetadata(tt.issuer, tt.serviceName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ServiceProtectedResourceMetadata() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if tt.wantErr {
+				return
+			}
+
+			// Verify resource field is service-specific
+			resource := metadata["resource"].(string)
+			if resource != tt.wantResource {
+				t.Errorf("resource = %v, want %v", resource, tt.wantResource)
+			}
+
+			// Verify authorization_servers array contains issuer (not service-specific)
+			authzServers, ok := metadata["authorization_servers"].([]string)
+			if !ok || len(authzServers) == 0 {
+				t.Error("authorization_servers is missing or empty")
+			}
+
+			// Authorization server should not be empty
+			if authzServers[0] == "" {
+				t.Error("authorization_servers[0] is empty")
+			}
+
+			// Verify _links structure
+			links, ok := metadata["_links"].(map[string]any)
+			if !ok {
+				t.Error("_links is missing or wrong type")
+			}
+
+			authzServerLink, ok := links["oauth-authorization-server"].(map[string]string)
+			if !ok {
+				t.Error("oauth-authorization-server link is missing or wrong type")
+			}
+
+			if authzServerLink["href"] == "" {
+				t.Error("oauth-authorization-server href is empty")
+			}
+		})
+	}
+}
+
+func TestServiceProtectedResourceMetadataURI(t *testing.T) {
+	tests := []struct {
+		name        string
+		issuer      string
+		serviceName string
+		want        string
+		wantErr     bool
+	}{
+		{
+			name:        "standard case",
+			issuer:      "https://mcp.company.com",
+			serviceName: "postgres",
+			want:        "https://mcp.company.com/.well-known/oauth-protected-resource/postgres",
+		},
+		{
+			name:        "issuer with base path",
+			issuer:      "https://mcp.company.com/mcp",
+			serviceName: "linear",
+			want:        "https://mcp.company.com/mcp/.well-known/oauth-protected-resource/linear",
+		},
+		{
+			name:        "issuer with trailing slash",
+			issuer:      "https://mcp.company.com/",
+			serviceName: "gong",
+			want:        "https://mcp.company.com/.well-known/oauth-protected-resource/gong",
+		},
+		{
+			name:        "invalid issuer",
+			issuer:      "://invalid",
+			serviceName: "postgres",
+			wantErr:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := ServiceProtectedResourceMetadataURI(tt.issuer, tt.serviceName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ServiceProtectedResourceMetadataURI() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if tt.wantErr {
+				return
+			}
+
+			if got != tt.want {
+				t.Errorf("ServiceProtectedResourceMetadataURI() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}

internal/oauth/provider.go

@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"strings"
 	"time"
@@ -113,19 +114,25 @@ func GenerateJWTSecret(providedSecret string) ([]byte, error) {
 	return secret, nil
 }
 
-// NewValidateTokenMiddleware creates middleware that validates OAuth tokens per RFC 9728
+// NewValidateTokenMiddleware creates middleware that validates OAuth tokens per RFC 9728.
+// The middleware dynamically builds the service-specific metadata URI based on the
+// request path, ensuring 401 responses point clients to the correct per-service
+// protected resource metadata endpoint.
 func NewValidateTokenMiddleware(provider fosite.OAuth2Provider, issuer string) func(http.Handler) http.Handler {
-	// Build protected resource metadata URI once at middleware creation (per RFC 9728)
-	metadataURI, err := ProtectedResourceMetadataURI(issuer)
-	if err != nil {
-		log.LogError("Failed to build protected resource metadata URI: %v", err)
-		metadataURI = "" // Fallback to empty, will skip WWW-Authenticate header
-	}
-
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
 
+			// Extract service name from request path and build per-service metadata URI
+			// Per RFC 9728 Section 5.2, multiple resources per host use path-based differentiation
+			serviceName := ExtractServiceNameFromPath(r.URL.Path, issuer)
+			metadataURI := ""
+			if serviceName != "" {
+				if uri, err := ServiceProtectedResourceMetadataURI(issuer, serviceName); err == nil {
+					metadataURI = uri
+				}
+			}
+
 			// Extract token from Authorization header
 			auth := r.Header.Get("Authorization")
 			if auth == "" {
@@ -187,6 +194,36 @@ func NewValidateTokenMiddleware(provider fosite.OAuth2Provider, issuer string) f
 	}
 }
 
+// ExtractServiceNameFromPath extracts the service name from a request path.
+// Given path "/postgres/sse" with issuer "https://host", returns "postgres".
+// Handles base paths like "/mcp/postgres/sse" with issuer "https://host/mcp".
+//
+// Returns empty string if no service name can be extracted.
+func ExtractServiceNameFromPath(requestPath string, issuer string) string {
+	u, err := url.Parse(issuer)
+	if err != nil {
+		return ""
+	}
+
+	basePath := u.Path
+	if basePath == "" {
+		basePath = "/"
+	}
+
+	path := requestPath
+	if basePath != "/" {
+		path = strings.TrimPrefix(path, basePath)
+	}
+	path = strings.TrimPrefix(path, "/")
+	parts := strings.Split(path, "/")
+
+	if len(parts) == 0 || parts[0] == "" {
+		return ""
+	}
+
+	return parts[0]
+}
+
 // ProtectedResourceMetadataURI builds the URI for the protected resource metadata endpoint
 // Per RFC 9728, this URI is used in WWW-Authenticate headers as the resource_metadata parameter
 func ProtectedResourceMetadataURI(issuer string) (string, error) {