
Conversation

@jhrozek (Contributor) commented Jan 22, 2026

Implement POST /oauth/token handler that exchanges authorization codes for access tokens using fosite's access request/response flow. The handler validates the incoming token request, retrieves the stored authorization session, generates JWT access tokens, and supports RFC 8707 resource parameter for audience-restricted tokens targeting specific MCP servers.

This handler completes the OAuth 2.0 authorization code flow started by the authorize and callback handlers. When a client presents an authorization code, fosite retrieves the session that was stored during the callback phase - this session contains the user's subject, the upstream token session ID (tsid), and the client ID binding. The token endpoint uses these stored claims to generate the access token, maintaining the link between issued tokens and upstream IDP tokens for later token injection by the proxy middleware. The test infrastructure is extended to properly track authorization code and PKCE sessions across the full authorize→callback→token flow.

@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Jan 22, 2026
@codecov codecov bot commented Jan 22, 2026

Codecov Report

❌ Patch coverage is 59.25926% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.88%. Comparing base (a5b8c80) to head (f78d47e).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/authserver/server/handlers/token.go | 41.30% | 23 Missing and 4 partials ⚠️ |
| pkg/authserver/server/provider.go | 63.63% | 2 Missing and 2 partials ⚠️ |
| pkg/authserver/server/audience.go | 91.30% | 1 Missing and 1 partial ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3408      +/-   ##
==========================================
+ Coverage   64.83%   64.88%   +0.05%     
==========================================
  Files         380      382       +2     
  Lines       37004    37082      +78     
==========================================
+ Hits        23992    24062      +70     
- Misses      11127    11128       +1     
- Partials     1885     1892       +7     


tgrunnagle previously approved these changes Jan 22, 2026
jhrozek and others added 2 commits January 22, 2026 18:58
Implement POST /oauth/token handler that exchanges authorization codes for
access tokens using fosite's access request/response flow. The handler
validates the incoming token request, retrieves the stored authorization
session, generates JWT access tokens, and supports RFC 8707 resource
parameter for audience-restricted tokens targeting specific MCP servers.

This handler completes the OAuth 2.0 authorization code flow started by the
authorize and callback handlers. When a client presents an authorization code,
fosite retrieves the session that was stored during the callback phase - this
session contains the user's subject, the upstream token session ID (tsid), and
the client ID binding. The token endpoint uses these stored claims to generate
the access token, maintaining the link between issued tokens and upstream IDP
tokens for later token injection by the proxy middleware. The test
infrastructure is extended to properly track authorization code and PKCE
sessions across the full authorize→callback→token flow.
Implement proper validation of the resource parameter in the token
endpoint per RFC 8707. Previously, any client-provided resource was
blindly granted as the token audience, which was a security risk.

Changes:
- Add ErrInvalidTarget error for RFC 8707 invalid_target responses
- Add ValidateAudienceURI to validate URI format (absolute, no fragment,
  http/https only)
- Add ValidateAudienceAllowed to check resources against an allowlist
- Add AllowedAudiences config field to AuthorizationServerParams and
  AuthorizationServerConfig
- Update TokenHandler to validate before granting audience
- Secure default: empty AllowedAudiences rejects all resource requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
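The resource-parameter validation the second commit message describes, written out as an added illustration that is not the project's own code: the function and error names follow the commit message, while the exact-match allowlist semantics and the handler-side ResolveAudience helper are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrInvalidTarget is the RFC 8707 invalid_target error (name from the PR; code is illustrative).
var ErrInvalidTarget = errors.New("invalid_target")
// ValidateAudienceURI applies the PR's syntactic rules: absolute, http/https only, no fragment.
func ValidateAudienceURI(raw string) error {
	if strings.Contains(raw, "#") { // a bare "#" parses to an empty Fragment, so test the delimiter
		return fmt.Errorf("%w: resource must not contain a fragment", ErrInvalidTarget)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%w: resource is not a valid URI: %v", ErrInvalidTarget, err)
	}
	// A non-empty scheme is what makes the URI absolute; also require a host.
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return fmt.Errorf("%w: resource must be an absolute http or https URI with a host", ErrInvalidTarget)
	}
	return nil
}

// ValidateAudienceAllowed is an exact-match allowlist check (assumed semantics); with the
// PR's secure default an empty allowlist rejects every resource request.
func ValidateAudienceAllowed(resource string, allowed []string) error {
	for _, a := range allowed {
		if a == resource {
			return nil
		}
	}
	return fmt.Errorf("%w: resource %q is not an allowed audience", ErrInvalidTarget, resource)
}

// ResolveAudience is the check a token handler would run before granting an audience (hypothetical helper).
func ResolveAudience(resource string, allowed []string) (string, error) {
	if resource == "" {
		return "", nil // no resource parameter: token is not audience-restricted
	}
	if err := ValidateAudienceURI(resource); err != nil {
		return "", err
	}
	if err := ValidateAudienceAllowed(resource, allowed); err != nil {
		return "", err
	}
	return resource, nil
}
```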
@jhrozek jhrozek force-pushed the auth-proxy-pr-10-2-handlers-token branch from b09fb39 to f78d47e Compare January 22, 2026 20:53
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/M Medium PR: 300-599 lines changed labels Jan 22, 2026

Labels

size/L Large PR: 600-999 lines changed


3 participants