Add dangerouslyAcceptIssuerAudience config option

Workaround for MCP clients (like Claude Code) that don't properly
implement RFC 8707 resource indicators. When enabled, tokens with
just the base issuer as audience are accepted for any service.

Author: dgellow

internal/config/types.go

@@ -216,6 +216,11 @@ type OAuthAuthConfig struct {
 	GoogleRedirectURI   string        `json:"googleRedirectUri"`
 	JWTSecret           Secret        `json:"jwtSecret"`
 	EncryptionKey       Secret        `json:"encryptionKey"`
+	// DangerouslyAcceptIssuerAudience allows tokens with just the base issuer as audience
+	// to be accepted for any service. This is a workaround for MCP clients that don't
+	// properly implement RFC 8707 resource indicators, but it defeats per-service token
+	// isolation. Only enable this if you understand the security implications.
+	DangerouslyAcceptIssuerAudience bool `json:"dangerouslyAcceptIssuerAudience,omitempty"`
 }
 
 // ProxyConfig represents the proxy configuration with resolved values

internal/mcpfront.go

@@ -15,7 +15,6 @@ import (
 	"github.com/dgellow/mcp-front/internal/config"
 	"github.com/dgellow/mcp-front/internal/crypto"
 	"github.com/dgellow/mcp-front/internal/inline"
-	jsonwriter "github.com/dgellow/mcp-front/internal/json"
 	"github.com/dgellow/mcp-front/internal/log"
 	"github.com/dgellow/mcp-front/internal/oauth"
 	"github.com/dgellow/mcp-front/internal/server"
@@ -349,10 +348,9 @@ func buildHTTPHandler(
 		// Per-service protected resource metadata (RFC 9728 Section 5.2)
 		// Clients discover service-specific resource URIs for per-service audience validation (RFC 8707)
 		mux.Handle(route("/.well-known/oauth-protected-resource/{service}"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ServiceProtectedResourceMetadataHandler), oauthMiddleware...))
-		// Base protected resource metadata endpoint - returns 404 directing clients to per-service endpoints
-		mux.Handle(route("/.well-known/oauth-protected-resource"), server.ChainMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			jsonwriter.WriteNotFound(w, "Use /.well-known/oauth-protected-resource/{service} for per-service metadata")
-		}), oauthMiddleware...))
+		// Base protected resource metadata endpoint
+		// Returns 404 by default, or base issuer metadata if dangerouslyAcceptIssuerAudience is enabled
+		mux.Handle(route("/.well-known/oauth-protected-resource"), server.ChainMiddleware(http.HandlerFunc(authHandlers.ProtectedResourceMetadataHandler), oauthMiddleware...))
 		mux.Handle(route("/authorize"), server.ChainMiddleware(http.HandlerFunc(authHandlers.AuthorizeHandler), oauthMiddleware...))
 		mux.Handle(route("/oauth/callback"), server.ChainMiddleware(http.HandlerFunc(authHandlers.GoogleCallbackHandler), oauthMiddleware...))
 		mux.Handle(route("/token"), server.ChainMiddleware(http.HandlerFunc(authHandlers.TokenHandler), oauthMiddleware...))
@@ -439,7 +437,7 @@ func buildHTTPHandler(
 
 		// Add OAuth validation if OAuth is enabled
 		if oauthProvider != nil {
-			mcpMiddlewares = append(mcpMiddlewares, oauth.NewValidateTokenMiddleware(oauthProvider, authConfig.Issuer))
+			mcpMiddlewares = append(mcpMiddlewares, oauth.NewValidateTokenMiddleware(oauthProvider, authConfig.Issuer, authConfig.DangerouslyAcceptIssuerAudience))
 		}
 
 		// Add service auth middleware if configured

internal/oauth/provider.go

@@ -118,7 +118,11 @@ func GenerateJWTSecret(providedSecret string) ([]byte, error) {
 // The middleware dynamically builds the service-specific metadata URI based on the
 // request path, ensuring 401 responses point clients to the correct per-service
 // protected resource metadata endpoint.
-func NewValidateTokenMiddleware(provider fosite.OAuth2Provider, issuer string) func(http.Handler) http.Handler {
+//
+// If acceptIssuerAudience is true, tokens with just the base issuer as audience are
+// accepted for any service. This is a workaround for MCP clients that don't properly
+// implement RFC 8707 resource indicators.
+func NewValidateTokenMiddleware(provider fosite.OAuth2Provider, issuer string, acceptIssuerAudience bool) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
@@ -162,7 +166,7 @@ func NewValidateTokenMiddleware(provider fosite.OAuth2Provider, issuer string) f
 			}
 
 			// Validate audience claim matches requested service (RFC 8707)
-			if err := ValidateAudienceForService(r.URL.Path, accessRequest.GetGrantedAudience(), issuer); err != nil {
+			if err := ValidateAudienceForService(r.URL.Path, accessRequest.GetGrantedAudience(), issuer, acceptIssuerAudience); err != nil {
 				log.LogErrorWithFields("oauth", "Audience validation failed", map[string]any{
 					"path":     r.URL.Path,
 					"audience": accessRequest.GetGrantedAudience(),

internal/oauth/resource_indicators.go

@@ -157,14 +157,21 @@ func BuildResourceURI(issuer string, serviceName string) (string, error) {
 // in the token's audience claim. This prevents confused deputy attacks where a token
 // intended for one service is misused to access another.
 //
+// If acceptIssuerAudience is true, the base issuer URI is also accepted as a valid audience
+// for any service. This is a workaround for MCP clients that don't properly implement
+// RFC 8707 resource indicators, but it defeats per-service token isolation.
+//
 // Example:
 //
-//	ValidateAudienceForService("/postgres/sse", []string{"https://mcp.company.com/postgres"}, "https://mcp.company.com")
+//	ValidateAudienceForService("/postgres/sse", []string{"https://mcp.company.com/postgres"}, "https://mcp.company.com", false)
 //	Returns: nil (valid - postgres is in audience)
 //
-//	ValidateAudienceForService("/linear/sse", []string{"https://mcp.company.com/postgres"}, "https://mcp.company.com")
+//	ValidateAudienceForService("/linear/sse", []string{"https://mcp.company.com/postgres"}, "https://mcp.company.com", false)
 //	Returns: error (invalid - linear not in audience)
-func ValidateAudienceForService(requestPath string, tokenAudience []string, issuer string) error {
+//
+//	ValidateAudienceForService("/linear/sse", []string{"https://mcp.company.com"}, "https://mcp.company.com", true)
+//	Returns: nil (valid - issuer is in audience and acceptIssuerAudience is true)
+func ValidateAudienceForService(requestPath string, tokenAudience []string, issuer string, acceptIssuerAudience bool) error {
 	u, err := url.Parse(issuer)
 	if err != nil {
 		return fmt.Errorf("invalid issuer URL: %w", err)
@@ -193,10 +200,16 @@ func ValidateAudienceForService(requestPath string, tokenAudience []string, issu
 		return fmt.Errorf("failed to build resource URI for service %s: %w", serviceName, err)
 	}
 
+	// Check for per-service audience (preferred)
 	if slices.Contains(tokenAudience, expectedResource) {
 		return nil
 	}
 
+	// Workaround: accept base issuer as audience if enabled
+	if acceptIssuerAudience && slices.Contains(tokenAudience, issuer) {
+		return nil
+	}
+
 	return fmt.Errorf("token audience %v does not include required resource %s for service %s",
 		tokenAudience, expectedResource, serviceName)
 }

internal/oauth/resource_indicators_test.go

@@ -253,70 +253,117 @@ func TestValidateAudienceForService(t *testing.T) {
 	issuer := "https://mcp.company.com"
 
 	tests := []struct {
-		name          string
-		requestPath   string
-		tokenAudience []string
-		wantErr       bool
-		errContains   string
+		name                 string
+		requestPath          string
+		tokenAudience        []string
+		acceptIssuerAudience bool
+		wantErr              bool
+		errContains          string
 	}{
 		{
-			name:          "matching audience",
-			requestPath:   "/postgres/sse",
-			tokenAudience: []string{"https://mcp.company.com/postgres"},
-			wantErr:       false,
+			name:                 "matching audience",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com/postgres"},
+			acceptIssuerAudience: false,
+			wantErr:              false,
 		},
 		{
-			name:          "matching audience with message endpoint",
-			requestPath:   "/postgres/message",
-			tokenAudience: []string{"https://mcp.company.com/postgres"},
-			wantErr:       false,
+			name:                 "matching audience with message endpoint",
+			requestPath:          "/postgres/message",
+			tokenAudience:        []string{"https://mcp.company.com/postgres"},
+			acceptIssuerAudience: false,
+			wantErr:              false,
 		},
 		{
-			name:          "matching audience in multi-audience token",
-			requestPath:   "/postgres/sse",
-			tokenAudience: []string{"https://mcp.company.com/linear", "https://mcp.company.com/postgres"},
-			wantErr:       false,
+			name:                 "matching audience in multi-audience token",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com/linear", "https://mcp.company.com/postgres"},
+			acceptIssuerAudience: false,
+			wantErr:              false,
 		},
 		{
-			name:          "wrong audience",
-			requestPath:   "/postgres/sse",
-			tokenAudience: []string{"https://mcp.company.com/linear"},
-			wantErr:       true,
-			errContains:   "does not include required resource",
+			name:                 "wrong audience",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com/linear"},
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not include required resource",
 		},
 		{
-			name:          "empty audience",
-			requestPath:   "/postgres/sse",
-			tokenAudience: []string{},
-			wantErr:       true,
-			errContains:   "does not include required resource",
+			name:                 "empty audience",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{},
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not include required resource",
 		},
 		{
-			name:          "nil audience",
-			requestPath:   "/postgres/sse",
-			tokenAudience: nil,
-			wantErr:       true,
-			errContains:   "does not include required resource",
+			name:                 "nil audience",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        nil,
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not include required resource",
 		},
 		{
-			name:          "malformed request path",
-			requestPath:   "/",
-			tokenAudience: []string{"https://mcp.company.com/postgres"},
-			wantErr:       true,
-			errContains:   "does not contain service name",
+			name:                 "malformed request path",
+			requestPath:          "/",
+			tokenAudience:        []string{"https://mcp.company.com/postgres"},
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not contain service name",
 		},
 		{
-			name:          "empty request path",
-			requestPath:   "",
-			tokenAudience: []string{"https://mcp.company.com/postgres"},
-			wantErr:       true,
-			errContains:   "does not contain service name",
+			name:                 "empty request path",
+			requestPath:          "",
+			tokenAudience:        []string{"https://mcp.company.com/postgres"},
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not contain service name",
+		},
+		// Tests for acceptIssuerAudience workaround
+		{
+			name:                 "issuer audience accepted when enabled",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com"},
+			acceptIssuerAudience: true,
+			wantErr:              false,
+		},
+		{
+			name:                 "issuer audience rejected when disabled",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com"},
+			acceptIssuerAudience: false,
+			wantErr:              true,
+			errContains:          "does not include required resource",
+		},
+		{
+			name:                 "per-service audience still works when issuer fallback enabled",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://mcp.company.com/postgres"},
+			acceptIssuerAudience: true,
+			wantErr:              false,
+		},
+		{
+			name:                 "issuer audience works for any service when enabled",
+			requestPath:          "/linear/sse",
+			tokenAudience:        []string{"https://mcp.company.com"},
+			acceptIssuerAudience: true,
+			wantErr:              false,
+		},
+		{
+			name:                 "wrong issuer still rejected even when fallback enabled",
+			requestPath:          "/postgres/sse",
+			tokenAudience:        []string{"https://other.company.com"},
+			acceptIssuerAudience: true,
+			wantErr:              true,
+			errContains:          "does not include required resource",
 		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateAudienceForService(tt.requestPath, tt.tokenAudience, issuer)
+			err := ValidateAudienceForService(tt.requestPath, tt.tokenAudience, issuer, tt.acceptIssuerAudience)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("ValidateAudienceForService() error = %v, wantErr %v", err, tt.wantErr)
 				return

internal/server/auth_handlers.go

@@ -86,12 +86,23 @@ func (h *AuthHandlers) WellKnownHandler(w http.ResponseWriter, r *http.Request)
 // ProtectedResourceMetadataHandler serves OAuth 2.0 Protected Resource Metadata (RFC 9728)
 // This endpoint helps clients discover which authorization servers this resource server trusts
 //
-// Deprecated: Use ServiceProtectedResourceMetadataHandler for per-service metadata.
-// This handler returns the base issuer as the resource, which doesn't support per-service
-// audience validation required by RFC 8707.
+// By default, this returns 404 directing clients to per-service metadata endpoints.
+// When DangerouslyAcceptIssuerAudience is enabled, it returns base issuer metadata as a
+// workaround for MCP clients that don't properly implement RFC 8707 resource indicators.
 func (h *AuthHandlers) ProtectedResourceMetadataHandler(w http.ResponseWriter, r *http.Request) {
 	log.Logf("Protected resource metadata handler called: %s %s", r.Method, r.URL.Path)
 
+	// By default, return 404 to direct clients to per-service metadata
+	if !h.authConfig.DangerouslyAcceptIssuerAudience {
+		jsonwriter.WriteNotFound(w, "Use /.well-known/oauth-protected-resource/{service} for per-service metadata")
+		return
+	}
+
+	// Workaround mode: return base issuer metadata for broken clients
+	log.LogWarnWithFields("oauth", "Serving base protected resource metadata (dangerouslyAcceptIssuerAudience enabled)", map[string]any{
+		"issuer": h.authConfig.Issuer,
+	})
+
 	metadata, err := oauth.ProtectedResourceMetadata(h.authConfig.Issuer)
 	if err != nil {
 		log.LogError("Failed to build protected resource metadata: %v", err)