
fix(auth): validate token audience by default#149

Open · SVilgelm wants to merge 1 commit into rust-mcp-stack:main from SVilgelm:fix/audience-validation-default

Conversation

@SVilgelm (Contributor)

📌 Summary

Every shipped auth provider passed validate_audience: None, disabling aud validation. A token issued for another resource could therefore be replayed against this server. Audience validation is now on by default, defaulting to the MCP server's resource identifier (mcp_server_url), with an explicit opt-out.

🔍 Related Issues

✨ Changes Made

  • Add validate_audience and disable_audience_validation options to the ScaleKit, WorkOS, and Keycloak providers.
  • Default the audience to the resource identifier via a shared resolve_audience helper.
  • Update examples to the secure-by-default configuration.

Built-in providers now default the audience to the MCP server's resource identifier, with an explicit opt-out, instead of disabling audience validation.

Assisted-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
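An added illustration of the secure-by-default audience resolution the PR describes (default to the resource identifier, explicit opt-out, reject foreign-audience tokens); the struct, field names and URLs are assumptions for this example, not rust-mcp-stack code or the PR's diff:

```rust
/// Constructed stand-in for a provider's audience settings (not the project's API).
#[derive(Debug, Clone)]
pub struct AudienceConfig {
    /// The MCP server's resource identifier, e.g. "https://mcp.example.com".
    pub mcp_server_url: String,
    /// Explicit audience override; None means "use the resource identifier".
    pub validate_audience: Option<String>,
    /// Explicit opt-out, which has to be set deliberately.
    pub disable_audience_validation: bool,
}

/// The `aud` claim as RFC 7519 allows it: a single string or an array of strings.
#[derive(Debug, Clone, PartialEq)]
pub enum Aud {
    Single(String),
    Many(Vec<String>),
}

/// Resolve the expected audience. Returns None only when the opt-out is set.
pub fn resolve_audience(cfg: &AudienceConfig) -> Option<String> {
    if cfg.disable_audience_validation {
        return None;
    }
    Some(cfg.validate_audience.clone().unwrap_or_else(|| cfg.mcp_server_url.clone()))
}

/// Check a token's `aud` claim against the resolved audience. A missing `aud`
/// is rejected when validation is on; with the opt-out set the claim is ignored.
pub fn audience_ok(cfg: &AudienceConfig, aud: Option<&Aud>) -> bool {
    match resolve_audience(cfg) {
        None => true,
        Some(expected) => match aud {
            None => false,
            Some(Aud::Single(s)) => s == &expected,
            Some(Aud::Many(list)) => list.iter().any(|s| s == &expected),
        },
    }
}

fn main() {
    let cfg = AudienceConfig {
        mcp_server_url: "https://mcp.example.com".to_string(),
        validate_audience: None,
        disable_audience_validation: false,
    };
    // A token minted for a different resource is refused by the new default.
    let foreign = Aud::Single("https://other.example.com".to_string());
    println!("foreign token accepted: {}", audience_ok(&cfg, Some(&foreign)));
}
```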