
fix(auth): validate token audience by default #149

Merged
hashemix merged 3 commits into
rust-mcp-stack:mainfrom
SVilgelm:fix/audience-validation-default
Jun 15, 2026

Conversation

@SVilgelm

Contributor

📌 Summary

Every shipped auth provider passed validate_audience: None, disabling aud validation. A token issued for another resource could therefore be replayed against this server. Audience validation is now on by default, defaulting to the MCP server's resource identifier (mcp_server_url), with an explicit opt-out.

🔍 Related Issues

✨ Changes Made

  • Add validate_audience and disable_audience_validation options to the ScaleKit, WorkOS, and Keycloak providers.
  • Default the audience to the resource identifier via a shared resolve_audience helper.
  • Update examples to the secure-by-default configuration.

Built-in providers now default the audience to the MCP server's resource identifier, with an explicit opt-out, instead of disabling audience validation.

Assisted-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
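The behaviour the description above talks about, as an added illustration that is not the project's code: `resolve_audience`, `validate_audience` and `disable_audience_validation` are the names the PR uses, but the signatures, the `AudiencePolicy`/`AudError` types and the sample URLs below are assumptions. It shows why `validate_audience: None` must fall back to the server's resource identifier rather than to "skip", and what the explicit opt-out looks like.

```rust
// Added example modelled on the PR description; not rust-mcp-stack code.
// Names resolve_audience / validate_audience / disable_audience_validation come
// from the PR text; the types and signatures here are assumptions.

#[derive(Debug, PartialEq)]
pub enum AudiencePolicy {
    /// The token's `aud` claim must contain this value.
    Require(String),
    /// Audience validation explicitly switched off by the operator.
    Disabled,
}

#[derive(Debug, PartialEq)]
pub enum AudError {
    /// Token carries no `aud` claim at all.
    Missing,
    /// Token was issued for some other resource.
    Mismatch { expected: String, found: Vec<String> },
}

/// Resolve the effective audience policy for a provider.
/// `validate_audience`: explicit audience override, if the operator set one.
/// `disable_audience_validation`: explicit opt-out.
/// `mcp_server_url`: the MCP server's resource identifier, used as the default.
/// The security-relevant point: `None` no longer means "skip"; only the
/// dedicated opt-out flag does.
pub fn resolve_audience(
    validate_audience: Option<&str>,
    disable_audience_validation: bool,
    mcp_server_url: &str,
) -> AudiencePolicy {
    if disable_audience_validation {
        return AudiencePolicy::Disabled;
    }
    match validate_audience {
        Some(aud) if !aud.is_empty() => AudiencePolicy::Require(aud.to_string()),
        _ => AudiencePolicy::Require(mcp_server_url.to_string()),
    }
}

/// Check a token's `aud` claim against the resolved policy. RFC 7519 allows
/// `aud` to be a string or an array, so it is passed in here as a slice.
pub fn check_audience(token_aud: &[&str], policy: &AudiencePolicy) -> Result<(), AudError> {
    match policy {
        AudiencePolicy::Disabled => Ok(()),
        AudiencePolicy::Require(expected) => {
            if token_aud.is_empty() {
                return Err(AudError::Missing);
            }
            if token_aud.iter().any(|a| *a == expected.as_str()) {
                Ok(())
            } else {
                Err(AudError::Mismatch {
                    expected: expected.clone(),
                    found: token_aud.iter().map(|s| s.to_string()).collect(),
                })
            }
        }
    }
}

fn main() {
    // Constructed sample values.
    let server = "https://mcp.example.com/mcp";
    let token_for_other_resource = ["https://api.example.com"];

    // Before the fix, validate_audience = None disabled the check entirely, so this
    // token would have been accepted. With the default now resolving to the server's
    // resource identifier, it is rejected as a Mismatch.
    let policy = resolve_audience(None, false, server);
    println!("{:?}", check_audience(&token_for_other_resource, &policy));

    // Explicit opt-out is the only way to get the old behaviour.
    let disabled = resolve_audience(None, true, server);
    println!("{:?}", check_audience(&token_for_other_resource, &disabled));
}
```

A provider wiring this up would pass its configured `validate_audience` option straight through and compare against the claim only after signature and expiry checks have already passed; the resolver is deliberately the only place where "no value" turns into a concrete audience, so there is a single spot to audit.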
Copilot AI review requested due to automatic review settings June 5, 2026 19:58

Copilot AI left a comment


Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.

@hashemix hashemix changed the title fix(auth): validate token audience by default fix(auth): validate token audience by default Jun 6, 2026
@hashemix hashemix merged commit 1f714bf into rust-mcp-stack:main Jun 15, 2026
3 checks passed
@hashemix hashemix mentioned this pull request Jun 15, 2026
3 participants