feat: add resource parameter validation tests (RFC 8707) #118
Merged
Adds conformance tests for OAuth Resource Indicators (RFC 8707) implementation:

1. Resource parameter checks added to token-endpoint-auth-basic scenario:
   - resource-parameter-in-authorization: Verify resource in auth request
   - resource-parameter-in-token: Verify resource in token request
   - resource-parameter-valid-uri: Verify valid canonical URI
   - resource-parameter-consistency: Verify consistency between requests

2. New auth/resource-mismatch scenario:
   - Tests that client rejects when PRM resource doesn't match server URL
   - Server returns mismatched resource in PRM
   - Test passes if client does NOT proceed with authorization

Also adds spec references for RFC 8707 and MCP resource parameter spec.

Closes #33
commit:
- Change resource parameter consistency from WARNING to FAILURE
- Remove unreachable protocol check in validateCanonicalUri (URL constructor already validates scheme presence)
felixweinberger approved these changes Jan 23, 2026
felixweinberger (Contributor) left a comment:
Could consider having a "negative" case as well - a bad client that has expected failures for these tests.
Author (Member) replied:
It's a little annoying to yank it out of the request flow, but I'll see if I can add one in a follow-up.
Overview
Adds conformance tests for OAuth Resource Indicators (RFC 8707) implementation per issue #33.
Changes

1. Resource parameter checks added to token-endpoint-auth-basic scenario
   The following checks are now run as part of the existing token endpoint auth scenarios:
   - resource-parameter-in-authorization: Verifies resource parameter is present in authorization request
   - resource-parameter-in-token: Verifies resource parameter is present in token request
   - resource-parameter-valid-uri: Verifies resource is a valid canonical URI (has scheme, no fragment per RFC 8707)
   - resource-parameter-consistency: Verifies same resource is used in both authorization and token requests

2. New auth/resource-mismatch scenario
   Tests that client correctly rejects when Protected Resource Metadata returns a resource field that doesn't match the server URL being accessed.
   - resource: "https://evil.example.com/mcp" (different origin)

3. Helper updates
   - resource parameter to onAuthorizationRequest callback in createAuthServer
   - prmResourceOverride option to createServer for testing resource mismatch scenarios

4. Spec references
   Added references for:
Testing
All existing tests pass. New scenarios tested against TypeScript SDK's everything-client.
Closes #33
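The four resource-parameter checks in item 1 and the client-side decision behind the auth/resource-mismatch scenario in item 2, written out as an added example. This is not the conformance suite's own code: the function names (validateCanonicalUri and the others), the CheckResult shape, and the rule used to match the PRM resource against the server URL (same origin, server path equal to or under the resource path) are assumptions of this example; the sample flow values are constructed.

```typescript
// Added example, not the conformance suite's own code. Names, the CheckResult
// shape and the PRM-matching rule are assumptions of this example.

type CheckResult = { status: "PASS" | "FAILURE"; detail: string };

// The URL constructor throws on input without a scheme, which is why a
// separate protocol check would be unreachable (the check the commit removes).
function parseAbsoluteUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// resource-parameter-valid-uri: RFC 8707 requires an absolute URI (scheme
// present) with no fragment component.
function validateCanonicalUri(resource: string | undefined): CheckResult {
  if (resource === undefined || resource === "") {
    return { status: "FAILURE", detail: "resource parameter missing" };
  }
  const parsed = parseAbsoluteUrl(resource);
  if (parsed === null) {
    return { status: "FAILURE", detail: `not an absolute URI: ${resource}` };
  }
  // "#" with an empty fragment yields hash === "", so inspect the raw string too.
  if (parsed.hash !== "" || resource.includes("#")) {
    return { status: "FAILURE", detail: `fragment not allowed: ${resource}` };
  }
  return { status: "PASS", detail: resource };
}

// resource-parameter-consistency: the same resource must be sent in the
// authorization request and the token request. A mismatch is a FAILURE
// (the PR's last commit raises it from WARNING).
function checkResourceConsistency(
  authorizationResource: string | undefined,
  tokenResource: string | undefined,
): CheckResult {
  if (authorizationResource === undefined || tokenResource === undefined) {
    return { status: "FAILURE", detail: "resource missing from one of the requests" };
  }
  if (authorizationResource !== tokenResource) {
    return {
      status: "FAILURE",
      detail: `authorization sent ${authorizationResource}, token sent ${tokenResource}`,
    };
  }
  return { status: "PASS", detail: authorizationResource };
}

// Values a scenario would capture from the two requests.
interface CapturedFlow {
  authorizationResource?: string;
  tokenResource?: string;
}

// Runs the four checks from item 1 and keys the results by the PR's check names.
function runResourceChecks(flow: CapturedFlow): Record<string, CheckResult> {
  const present = (where: string, value: string | undefined): CheckResult =>
    value
      ? { status: "PASS", detail: value }
      : { status: "FAILURE", detail: `resource parameter missing from ${where}` };
  return {
    "resource-parameter-in-authorization": present("authorization request", flow.authorizationResource),
    "resource-parameter-in-token": present("token request", flow.tokenResource),
    "resource-parameter-valid-uri": validateCanonicalUri(flow.authorizationResource),
    "resource-parameter-consistency": checkResourceConsistency(flow.authorizationResource, flow.tokenResource),
  };
}

// Minimal Protected Resource Metadata shape; only `resource` matters here.
interface ProtectedResourceMetadata {
  resource: string;
}

// auth/resource-mismatch from the client's side: the PRM `resource` must identify
// the server the client is actually talking to. Matching rule assumed here: same
// origin, and the server URL's path equals the resource path or lies under it.
// Returns false when the client must NOT proceed, which is what the scenario's
// PRM value https://evil.example.com/mcp should trigger.
function shouldProceedWithAuthorization(serverUrl: string, prm: ProtectedResourceMetadata): boolean {
  if (validateCanonicalUri(prm.resource).status !== "PASS") return false;
  const server = parseAbsoluteUrl(serverUrl);
  const resource = parseAbsoluteUrl(prm.resource);
  if (server === null || resource === null) return false;
  if (server.origin !== resource.origin) return false;
  const base = resource.pathname.endsWith("/") ? resource.pathname : `${resource.pathname}/`;
  return server.pathname === resource.pathname || server.pathname.startsWith(base);
}

// Constructed sample flow: a well-behaved client sending the same resource in both requests.
const sampleFlow: CapturedFlow = {
  authorizationResource: "https://mcp.example.com/mcp",
  tokenResource: "https://mcp.example.com/mcp",
};
```

Running runResourceChecks(sampleFlow) yields PASS for all four checks; swapping in a different tokenResource turns resource-parameter-consistency into a FAILURE, and shouldProceedWithAuthorization("https://mcp.example.com/mcp", { resource: "https://evil.example.com/mcp" }) returns false, which is the outcome the mismatch scenario expects from the client.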