Support resource indicator in remote auth

eleftherias · eleftherias · commit 27bd9b9b57a7 · 2025-11-07T11:36:39.000+01:00
Fix #1192
diff --git a/cmd/thv/app/auth_flags.go b/cmd/thv/app/auth_flags.go
@@ -75,6 +75,7 @@ type RemoteAuthFlags struct {
 	RemoteAuthIssuer           string
 	RemoteAuthAuthorizeURL     string
 	RemoteAuthTokenURL         string
+	RemoteAuthResource         string
 
 	// Token Exchange Configuration
 	TokenExchangeURL              string
@@ -162,6 +163,8 @@ func AddRemoteAuthFlags(cmd *cobra.Command, config *RemoteAuthFlags) {
 		"OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)")
 	cmd.Flags().StringVar(&config.RemoteAuthTokenURL, "remote-auth-token-url", "",
 		"OAuth token endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)")
+	cmd.Flags().StringVar(&config.RemoteAuthResource, "remote-auth-resource", "",
+		"OAuth 2.0 resource indicator (RFC 8707)")
 
 	// Token Exchange flags
 	cmd.Flags().StringVar(&config.TokenExchangeURL, "token-exchange-url", "",
diff --git a/cmd/thv/app/run_flags.go b/cmd/thv/app/run_flags.go
@@ -677,10 +677,11 @@ func getRemoteAuthFromRemoteServerMetadata(
 		authCfg.CallbackPort = runner.DefaultCallbackPort
 	}
 
-	// Issuer / URLs: CLI non-empty wins
+	// Issuer / URLs / Resource: CLI non-empty wins
 	authCfg.Issuer = firstNonEmpty(f.RemoteAuthIssuer, oc.Issuer)
 	authCfg.AuthorizeURL = firstNonEmpty(f.RemoteAuthAuthorizeURL, oc.AuthorizeURL)
 	authCfg.TokenURL = firstNonEmpty(f.RemoteAuthTokenURL, oc.TokenURL)
+	authCfg.Resource = firstNonEmpty(f.RemoteAuthResource, oc.Resource)
 
 	// OAuthParams: REPLACE metadata when CLI provides any key/value.
 	if len(runFlags.OAuthParams) > 0 {
@@ -725,6 +726,7 @@ func getRemoteAuthFromRunFlags(runFlags *RunFlags) (*remote.Config, error) {
 		Issuer:       runFlags.RemoteAuthFlags.RemoteAuthIssuer,
 		AuthorizeURL: runFlags.RemoteAuthFlags.RemoteAuthAuthorizeURL,
 		TokenURL:     runFlags.RemoteAuthFlags.RemoteAuthTokenURL,
+		Resource:     runFlags.RemoteAuthFlags.RemoteAuthResource,
 		OAuthParams:  runFlags.OAuthParams,
 	}, nil
 }
diff --git a/docs/cli/thv_proxy.md b/docs/cli/thv_proxy.md
diff --git a/docs/cli/thv_run.md b/docs/cli/thv_run.md
diff --git a/docs/server/docs.go b/docs/server/docs.go
diff --git a/docs/server/swagger.json b/docs/server/swagger.json
diff --git a/docs/server/swagger.yaml b/docs/server/swagger.yaml
diff --git a/pkg/api/v1/workload_service.go b/pkg/api/v1/workload_service.go
@@ -160,6 +160,7 @@ func (s *WorkloadService) BuildFullRunConfig(ctx context.Context, req *createReq
 					AuthorizeURL: remoteServerMetadata.OAuthConfig.AuthorizeURL,
 					TokenURL:     remoteServerMetadata.OAuthConfig.TokenURL,
 					UsePKCE:      remoteServerMetadata.OAuthConfig.UsePKCE,
+					Resource:     remoteServerMetadata.OAuthConfig.Resource,
 					OAuthParams:  remoteServerMetadata.OAuthConfig.OAuthParams,
 					Headers:      remoteServerMetadata.Headers,
 					EnvVars:      remoteServerMetadata.EnvVars,
diff --git a/pkg/api/v1/workload_types.go b/pkg/api/v1/workload_types.go
@@ -110,6 +110,8 @@ type remoteOAuthConfig struct {
 	CallbackPort int `json:"callback_port,omitempty"`
 	// Whether to skip opening browser for OAuth flow (defaults to false)
 	SkipBrowser bool `json:"skip_browser,omitempty"`
+	// OAuth 2.0 resource indicator (RFC 8707)
+	Resource string `json:"resource,omitempty"`
 }
 
 // createRequest represents the request to create a new workload
@@ -222,6 +224,7 @@ func runConfigToCreateRequest(runConfig *runner.RunConfig) *createRequest {
 			OAuthParams:  runConfig.RemoteAuthConfig.OAuthParams,
 			CallbackPort: runConfig.RemoteAuthConfig.CallbackPort,
 			SkipBrowser:  runConfig.RemoteAuthConfig.SkipBrowser,
+			Resource:     runConfig.RemoteAuthConfig.Resource,
 		}
 		headers = runConfig.RemoteAuthConfig.Headers
 	}
diff --git a/pkg/auth/discovery/discovery.go b/pkg/auth/discovery/discovery.go
@@ -374,6 +374,7 @@ type OAuthFlowConfig struct {
 	CallbackPort         int
 	Timeout              time.Duration
 	SkipBrowser          bool
+	Resource             string // RFC 8707 resource indicator (optional)
 	OAuthParams          map[string]string
 }
 
@@ -494,6 +495,7 @@ func createOAuthConfig(ctx context.Context, issuer string, config *OAuthFlowConf
 			config.Scopes,
 			true, // Enable PKCE by default for security
 			config.CallbackPort,
+			config.Resource,
 			config.OAuthParams,
 		)
 	}
@@ -508,6 +510,7 @@ func createOAuthConfig(ctx context.Context, issuer string, config *OAuthFlowConf
 		config.Scopes,
 		true, // Enable PKCE by default for security
 		config.CallbackPort,
+		config.Resource,
 	)
 }
 
diff --git a/pkg/auth/oauth/flow.go b/pkg/auth/oauth/flow.go
@@ -52,6 +52,9 @@ type Config struct {
 	// IntrospectionEndpoint is the optional introspection endpoint for validating tokens
 	IntrospectionEndpoint string
 
+	// Resource is the OAuth 2.0 resource indicator (RFC 8707).
+	Resource string
+
 	// OAuthParams are additional parameters to pass to the authorization URL
 	OAuthParams map[string]string
 }
@@ -244,6 +247,10 @@ func (f *Flow) buildAuthURL() string {
 		oauth2.SetAuthURLParam("state", f.state),
 	}
 
+	if f.config.Resource != "" {
+		opts = append(opts, oauth2.SetAuthURLParam("resource", f.config.Resource))
+	}
+
 	if f.config.OAuthParams != nil {
 		for key, value := range f.config.OAuthParams {
 			opts = append(opts, oauth2.SetAuthURLParam(key, value))
@@ -303,6 +310,10 @@ func (f *Flow) handleCallback(tokenChan chan<- *oauth2.Token, errorChan chan<- e
 			opts = append(opts, oauth2.SetAuthURLParam("code_verifier", f.codeVerifier))
 		}
 
+		if f.config.Resource != "" {
+			opts = append(opts, oauth2.SetAuthURLParam("resource", f.config.Resource))
+		}
+
 		token, err := f.oauth2Config.Exchange(ctx, code, opts...)
 		if err != nil {
 			err = fmt.Errorf("failed to exchange code for token: %w", err)
diff --git a/pkg/auth/oauth/manual.go b/pkg/auth/oauth/manual.go
@@ -14,6 +14,7 @@ func CreateOAuthConfigManual(
 	scopes []string,
 	usePKCE bool,
 	callbackPort int,
+	resource string,
 	oauthParams map[string]string,
 ) (*Config, error) {
 	if clientID == "" {
@@ -47,6 +48,7 @@ func CreateOAuthConfigManual(
 		Scopes:       scopes,
 		UsePKCE:      usePKCE,
 		CallbackPort: callbackPort,
+		Resource:     resource,
 		OAuthParams:  oauthParams,
 	}, nil
 }
diff --git a/pkg/auth/oauth/manual_test.go b/pkg/auth/oauth/manual_test.go
@@ -19,6 +19,7 @@ func TestCreateOAuthConfigManual(t *testing.T) {
 		scopes       []string
 		usePKCE      bool
 		callbackPort int
+		resource     string
 		expectError  bool
 		errorMsg     string
 		validate     func(t *testing.T, config *Config)
@@ -32,6 +33,7 @@ func TestCreateOAuthConfigManual(t *testing.T) {
 			scopes:       []string{"read", "write"},
 			usePKCE:      true,
 			callbackPort: 8080,
+			resource:     "https://example.com/foo/bar",
 			expectError:  false,
 			validate: func(t *testing.T, config *Config) {
 				t.Helper()
@@ -42,6 +44,7 @@ func TestCreateOAuthConfigManual(t *testing.T) {
 				assert.Equal(t, []string{"read", "write"}, config.Scopes)
 				assert.True(t, config.UsePKCE)
 				assert.Equal(t, 8080, config.CallbackPort)
+				assert.Equal(t, "https://example.com/foo/bar", config.Resource)
 			},
 		},
 		{
@@ -261,6 +264,7 @@ func TestCreateOAuthConfigManual(t *testing.T) {
 				tt.scopes,
 				tt.usePKCE,
 				tt.callbackPort,
+				tt.resource,
 				oauthParams,
 			)
 
@@ -326,6 +330,7 @@ func TestCreateOAuthConfigManual_ScopeDefaultBehavior(t *testing.T) {
 				tt.scopes,
 				true,
 				8080,
+				"",
 				nil, // No OAuth params for basic tests
 			)
 
@@ -368,6 +373,7 @@ func TestCreateOAuthConfigManual_PKCEBehavior(t *testing.T) {
 				[]string{"read"},
 				tt.usePKCE,
 				8080,
+				"",
 				nil, // No OAuth params for basic tests
 			)
 
@@ -415,6 +421,7 @@ func TestCreateOAuthConfigManual_CallbackPortBehavior(t *testing.T) {
 				[]string{"read"},
 				true,
 				tt.port,
+				"",
 				nil, // No OAuth params for basic tests
 			)
 
@@ -479,6 +486,7 @@ func TestCreateOAuthConfigManual_OAuthParamsBehavior(t *testing.T) {
 				[]string{"read"},
 				true,
 				8080,
+				"",
 				tt.oauthParams,
 			)
 
diff --git a/pkg/auth/oauth/oidc.go b/pkg/auth/oauth/oidc.go
@@ -200,8 +200,9 @@ func CreateOAuthConfigFromOIDC(
 	scopes []string,
 	usePKCE bool,
 	callbackPort int,
+	resource string,
 ) (*Config, error) {
-	return createOAuthConfigFromOIDCWithClient(ctx, issuer, clientID, clientSecret, scopes, usePKCE, callbackPort, nil)
+	return createOAuthConfigFromOIDCWithClient(ctx, issuer, clientID, clientSecret, scopes, usePKCE, callbackPort, resource, nil)
 }
 
 // createOAuthConfigFromOIDCWithClient creates an OAuth config from OIDC discovery with a custom HTTP client (private for testing)
@@ -211,6 +212,7 @@ func createOAuthConfigFromOIDCWithClient(
 	scopes []string,
 	usePKCE bool,
 	callbackPort int,
+	resource string,
 	client httpClient,
 ) (*Config, error) {
 	// Discover OIDC endpoints (insecureAllowHTTP is false for OAuth config creation)
@@ -243,5 +245,6 @@ func createOAuthConfigFromOIDCWithClient(
 		Scopes:                scopes,
 		UsePKCE:               usePKCE,
 		CallbackPort:          callbackPort,
+		Resource:              resource,
 	}, nil
 }
diff --git a/pkg/auth/oauth/oidc_test.go b/pkg/auth/oauth/oidc_test.go
@@ -1184,7 +1184,8 @@ func TestCreateOAuthConfigFromOIDC_Production(t *testing.T) {
 				tt.clientSecret,
 				tt.scopes,
 				tt.usePKCE,
-				0, // Use auto-select port for tests
+				0,  // Use auto-select port for tests
+				"", // No resource
 				client,
 			)
 
diff --git a/pkg/auth/remote/config.go b/pkg/auth/remote/config.go
@@ -20,6 +20,9 @@ type Config struct {
 	CallbackPort     int           `json:"callback_port,omitempty" yaml:"callback_port,omitempty"`
 	UsePKCE          bool          `json:"use_pkce" yaml:"use_pkce"`
 
+	// Resource is the OAuth 2.0 resource indicator (RFC 8707).
+	Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
+
 	// OAuth endpoint configuration (from registry)
 	Issuer       string `json:"issuer,omitempty" yaml:"issuer,omitempty"`
 	AuthorizeURL string `json:"authorize_url,omitempty" yaml:"authorize_url,omitempty"`
diff --git a/pkg/auth/remote/handler.go b/pkg/auth/remote/handler.go
@@ -57,6 +57,7 @@ func (h *Handler) Authenticate(ctx context.Context, remoteURL string) (oauth2.To
 				CallbackPort: h.config.CallbackPort,
 				Timeout:      h.config.Timeout,
 				SkipBrowser:  h.config.SkipBrowser,
+				Resource:     h.config.Resource,
 				OAuthParams:  h.config.OAuthParams,
 			}
 
diff --git a/pkg/registry/types.go b/pkg/registry/types.go
@@ -167,6 +167,8 @@ type OAuthConfig struct {
 	// CallbackPort is the specific port to use for the OAuth callback server
 	// If not specified, a random available port will be used
 	CallbackPort int `json:"callback_port,omitempty" yaml:"callback_port,omitempty"`
+	// Resource is the OAuth 2.0 resource indicator (RFC 8707)
+	Resource string `json:"resource,omitempty" yaml:"resource,omitempty"`
 }
 
 // RemoteServerMetadata represents the metadata for a remote MCP server accessed via HTTP/HTTPS.

Original file line number	Diff line number	Diff line change
`@@ -110,6 +110,8 @@ type remoteOAuthConfig struct {`
`110`	`110`	CallbackPort int `json:"callback_port,omitempty"`
`111`	`111`	`// Whether to skip opening browser for OAuth flow (defaults to false)`
`112`	`112`	SkipBrowser bool `json:"skip_browser,omitempty"`
	`113`	`+ // OAuth 2.0 resource indicator (RFC 8707)`
	`114`	+ Resource string `json:"resource,omitempty"`
`113`	`115`	`}`
`114`	`116`
`115`	`117`	`// createRequest represents the request to create a new workload`
`@@ -222,6 +224,7 @@ func runConfigToCreateRequest(runConfig runner.RunConfig) createRequest {`
`222`	`224`	`OAuthParams: runConfig.RemoteAuthConfig.OAuthParams,`
`223`	`225`	`CallbackPort: runConfig.RemoteAuthConfig.CallbackPort,`
`224`	`226`	`SkipBrowser: runConfig.RemoteAuthConfig.SkipBrowser,`
	`227`	`+ Resource: runConfig.RemoteAuthConfig.Resource,`
`225`	`228`	`}`
`226`	`229`	`headers = runConfig.RemoteAuthConfig.Headers`
`227`	`230`	`}`
Original file line number	Diff line number	Diff line change
`@@ -374,6 +374,7 @@ type OAuthFlowConfig struct {`
`374`	`374`	`CallbackPort int`
`375`	`375`	`Timeout time.Duration`
`376`	`376`	`SkipBrowser bool`
	`377`	`+ Resource string // RFC 8707 resource indicator (optional)`
`377`	`378`	`OAuthParams map[string]string`
`378`	`379`	`}`
`379`	`380`
`@@ -494,6 +495,7 @@ func createOAuthConfig(ctx context.Context, issuer string, config *OAuthFlowConf`
`494`	`495`	`config.Scopes,`
`495`	`496`	`true, // Enable PKCE by default for security`
`496`	`497`	`config.CallbackPort,`
	`498`	`+ config.Resource,`
`497`	`499`	`config.OAuthParams,`
`498`	`500`	`)`
`499`	`501`	`}`
`@@ -508,6 +510,7 @@ func createOAuthConfig(ctx context.Context, issuer string, config *OAuthFlowConf`
`508`	`510`	`config.Scopes,`
`509`	`511`	`true, // Enable PKCE by default for security`
`510`	`512`	`config.CallbackPort,`
	`513`	`+ config.Resource,`
`511`	`514`	`)`
`512`	`515`	`}`
`513`	`516`