fix(idp): replace hardcoded issuer with external URL in IDP router (#96)

hrntknr · web-flow · commit a7dbccb687e4 · 2025-12-04T23:51:08.000+09:00
diff --git a/pkg/idp/idp.go b/pkg/idp/idp.go
@@ -31,8 +31,6 @@ type IDPRouter struct {
 	authRouter  *auth.AuthRouter
 }
 
-const Issuer = "mcp-oauth-proxy"
-
 func NewIDPRouter(
 	repo repository.Repository,
 	privKey *rsa.PrivateKey,
@@ -51,7 +49,7 @@ func NewIDPRouter(
 		AccessTokenLifespan:            24 * time.Hour,
 		RefreshTokenLifespan:           30 * 24 * time.Hour,
 		RefreshTokenScopes:             []string{},
-		AccessTokenIssuer:              Issuer,
+		AccessTokenIssuer:              externalURL,
 		EnforcePKCE:                    false,
 		EnforcePKCEForPublicClients:    false,
 		EnablePKCEPlainChallengeMethod: true,
@@ -144,7 +142,7 @@ func (a *IDPRouter) handleAuthorizationReturn(c *gin.Context) {
 	for _, scope := range ar.GetRequestedScopes() {
 		ar.GrantScope(scope)
 	}
-	jwtSession, err := NewJWTSessionWithKey(Issuer, "user", a.privKey)
+	jwtSession, err := NewJWTSessionWithKey(a.externalURL, "user", a.privKey)
 	if err != nil {
 		a.logger.With(utils.Err(err)...).Error("Failed to create JWT session", zap.Error(err))
 		a.provider.WriteAuthorizeError(ctx, c.Writer, ar, err)
@@ -337,7 +335,7 @@ func (a *IDPRouter) handleOauthAuthorizationServer(c *gin.Context) {
 	}
 
 	res := &authorizationServerResponse{
-		Issuer:                            Issuer,
+		Issuer:                            a.externalURL,
 		AuthorizationEndpoint:             authorizationEndpoint,
 		TokenEndpoint:                     tokenEndpoint,
 		RegistrationEndpoint:              registrationEndpoint,
diff --git a/pkg/idp/idp_test.go b/pkg/idp/idp_test.go
@@ -68,7 +68,7 @@ func setupTestServer(t *testing.T) (*httptest.Server, repository.Repository, str
 	require.NoError(t, err)
 
 	logger, _ := zap.NewDevelopment()
-	idpRouter, err := NewIDPRouter(repo, privKey, logger, "", secret[:], authRouter)
+	idpRouter, err := NewIDPRouter(repo, privKey, logger, "http://localhost:8080", secret[:], authRouter)
 	require.NoError(t, err)
 
 	idpRouter.SetupRoutes(router)
@@ -94,7 +94,7 @@ func TestOAuthServerMetadata(t *testing.T) {
 	require.NoError(t, err)
 
 	// Verify OAuth server metadata
-	require.Equal(t, Issuer, metadata["issuer"])
+	require.Equal(t, "http://localhost:8080", metadata["issuer"])
 	authEndpoint, ok := metadata["authorization_endpoint"].(string)
 	require.True(t, ok)
 	require.Contains(t, authEndpoint, ".idp/auth")
