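--- a/src/scenarios/client/auth/helpers/createAuthServer.ts
+++ b/src/scenarios/client/auth/helpers/createAuthServer.ts
@@ -59,8 +59,10 @@ export interface AuthServerOptions {
 * Override the `issuer` value served in the AS metadata document. Used to
 * test that clients validate the metadata issuer against the issuer
 * identifier used to construct the well-known URL (RFC 8414 §3.3).
+* Accepts a lazy getter for callers that don't know the server URL until
+* after `start()`.
 */
-metadataIssuer?: string;
+metadataIssuer?: string | (() => string);
 tokenVerifier?: MockTokenVerifier;
 onTokenRequest?: (requestData: {
 scope?: string;
@@ -156,7 +158,10 @@ export function createAuthServer(
 });
 
 const metadata: any = {
-issuer: metadataIssuer ?? `${getAuthBaseUrl()}${routePrefix}`,
+issuer:
+typeof metadataIssuer === 'function'
+? metadataIssuer()
+: (metadataIssuer ?? `${getAuthBaseUrl()}${routePrefix}`),
 authorization_endpoint: `${getAuthBaseUrl()}${authRoutes.authorization_endpoint}`,
 token_endpoint: `${getAuthBaseUrl()}${authRoutes.token_endpoint}`,
 ...(!disableDynamicRegistration && {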
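Review bot: The getter branch in the `issuer:` expression returns `metadataIssuer()` directly, so it skips the `??` fallback that the string form still gets. Because `metadata` is typed `any`, a getter that yields `undefined` or an empty string (for example if it runs before the server has a URL) would silently serve a document with a missing or blank `issuer`. A client rejecting that document would then look like correct RFC 8414 §3.3 validation for the wrong reason. The doc comment on `metadataIssuer` should also state when the getter runs; the hunk does not show whether `metadata` is built per request or once, as `createAuthServer` starts and ends outside it. I would add a sentence like `The getter is invoked each time the metadata document is built and its result is served verbatim.`, and consider `(metadataIssuer() || undefined) ?? fallback` or an explicit throw on an empty result.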
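--- a/src/scenarios/client/auth/march-spec-backcompat.ts
+++ b/src/scenarios/client/auth/march-spec-backcompat.ts
@@ -25,8 +25,12 @@ export class Auth20250326OAuthMetadataBackcompatScenario implements Scenario {
 const authApp = createAuthServer(ctx, this.checks, this.server.getUrl, {
 // Disable logging since the main server will already have logging enabled
 loggingEnabled: false,
-// Add a prefix to auth endpoints to avoid being caught by auth fallbacks
-routePrefix: '/oauth'
+// Keep auth endpoints off the 2025-03-26 fallback paths so a client that
+// fetches metadata but ignores the advertised endpoints still 404s.
+routePrefix: '/oauth',
+// Metadata is served at the root well-known path, so per RFC 8414 §3.3
+// the `issuer` must be the bare origin — not `<origin>/oauth`.
+metadataIssuer: () => this.server.getUrl()
 });
 const app = createServer(
 ctx,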
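Review bot: `metadataIssuer: () => this.server.getUrl()` serves whatever `getUrl()` returns verbatim, while the comment directly above it promises the bare origin. RFC 8414 §3.3 requires the served `issuer` to be identical to the identifier used to build the well-known URL, so a trailing slash or path component in `getUrl()` would make a correctly validating client reject the metadata, and the scenario would record a harness-induced failure against the client. The hunk does not show `getUrl()`, so this is an inference rather than a confirmed defect. Stating the intent in code with `metadataIssuer: () => new URL(this.server.getUrl()).origin` would remove the dependency on its exact format. The enclosing method starts and ends outside the hunk.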