merge: resolve conflicts with origin/main

Integrate GrantAudience, trailing-slash normalization, healthz endpoint,
and state-generation changes from main while preserving header-mapping
feature additions.

Author: hrntknr

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "2.5.4"
+  ".": "2.7.0"
 }

CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## [2.7.0](https://github.com/sigbit/mcp-auth-proxy/compare/v2.6.1...v2.7.0) (2026-04-03)
+
+
+### Features
+
+* add unauthenticated /healthz endpoint for health checks ([#131](https://github.com/sigbit/mcp-auth-proxy/issues/131)) ([9803d0f](https://github.com/sigbit/mcp-auth-proxy/commit/9803d0fb3bc3e7c1bb915a01ce99495e02a27c53))
+
+
+### Bug Fixes
+
+* prevent panic on SSE reverse proxy when backend closes connection ([#128](https://github.com/sigbit/mcp-auth-proxy/issues/128)) ([76d1ac5](https://github.com/sigbit/mcp-auth-proxy/commit/76d1ac516899a763f75c8e015c3bfc08cb5a36b2))
+* set JWT audience claim to external URL for RFC 8707 compliance ([#133](https://github.com/sigbit/mcp-auth-proxy/issues/133)) ([351305a](https://github.com/sigbit/mcp-auth-proxy/commit/351305a8bb6a34f3ce8f4b5444c7834c469e364c)), closes [#129](https://github.com/sigbit/mcp-auth-proxy/issues/129)
+
+## [2.6.1](https://github.com/sigbit/mcp-auth-proxy/compare/v2.6.0...v2.6.1) (2026-03-18)
+
+
+### Bug Fixes
+
+* generate server-side OAuth state when client omits it ([#126](https://github.com/sigbit/mcp-auth-proxy/issues/126)) ([940e91e](https://github.com/sigbit/mcp-auth-proxy/commit/940e91e5979e3441cb590f2d706661bd7fdccf99))
+
+## [2.6.0](https://github.com/sigbit/mcp-auth-proxy/compare/v2.5.4...v2.6.0) (2026-03-16)
+
+
+### Features
+
+* Add OIDC Attribute-Based Authorization ([#120](https://github.com/sigbit/mcp-auth-proxy/issues/120)) ([51b6e85](https://github.com/sigbit/mcp-auth-proxy/commit/51b6e85ff100a621e28720822908781b2561452d))
+* support injecting cryptographic keys via env vars ([#119](https://github.com/sigbit/mcp-auth-proxy/issues/119)) ([ec9e857](https://github.com/sigbit/mcp-auth-proxy/commit/ec9e857c821e5b7cd1538f473427a366eefbc01f))
+
+
+### Bug Fixes
+
+* fix prettier formatting in oauth-setup.md ([#124](https://github.com/sigbit/mcp-auth-proxy/issues/124)) ([ef5731d](https://github.com/sigbit/mcp-auth-proxy/commit/ef5731dc8be1c2294b39f3eaabeb9f92df094689))
+* normalize external URL with trailing slash per RFC 3986 ([#125](https://github.com/sigbit/mcp-auth-proxy/issues/125)) ([e377aa9](https://github.com/sigbit/mcp-auth-proxy/commit/e377aa9ed27b14a8f5d557512b1b9ad521e3fe35))
+
 ## [2.5.4](https://github.com/sigbit/mcp-auth-proxy/compare/v2.5.3...v2.5.4) (2026-03-03)
 
 

docs/docs/oauth-setup.md

@@ -172,7 +172,6 @@ For group-based authorization with Okta:
    ```
 
 2. Configure a groups claim in Okta Admin:
-
    - Go to Security → API → Authorization Servers
    - Select your authorization server → Claims tab
    - Add a claim named "groups" with value type "Groups" and filter as needed

pkg/backend/transparent.go

@@ -125,6 +125,7 @@ func (p *TransparentBackend) Run(ctx context.Context) (http.Handler, error) {
 			base:       http.DefaultTransport,
 			targetHost: p.url.Host,
 		},
+		FlushInterval: -1,
 		Rewrite: func(pr *httputil.ProxyRequest) {
 			pr.SetURL(p.url)
 			if p.isTrusted(pr.In.RemoteAddr) {

pkg/idp/idp.go

@@ -116,6 +116,22 @@ func (a *IDPRouter) SetupRoutes(router gin.IRouter) {
 func (a *IDPRouter) handleAuth(c *gin.Context) {
 	ctx := c.Request.Context()
 
+	// RFC 6749 makes state RECOMMENDED, not REQUIRED, but fosite enforces
+	// minimum entropy (8 chars). Generate a server-side state for clients
+	// that omit it (e.g., MCP Inspector, Cursor CLI) so they can complete
+	// the OAuth flow. The generated state is echoed back in the redirect;
+	// clients that didn't send state will simply ignore it.
+	if c.Request.URL.Query().Get("state") == "" {
+		state, err := utils.GenerateState()
+		if err != nil {
+			a.provider.WriteAuthorizeError(ctx, c.Writer, nil, fosite.ErrServerError.WithWrap(err))
+			return
+		}
+		q := c.Request.URL.Query()
+		q.Set("state", state)
+		c.Request.URL.RawQuery = q.Encode()
+	}
+
 	ar, err := a.provider.NewAuthorizeRequest(ctx, c.Request)
 	if err != nil {
 		a.provider.WriteAuthorizeError(ctx, c.Writer, ar, err)
@@ -144,6 +160,7 @@ func (a *IDPRouter) handleAuthorizationReturn(c *gin.Context) {
 	for _, scope := range ar.GetRequestedScopes() {
 		ar.GrantScope(scope)
 	}
+	ar.GrantAudience(a.externalURL)
 
 	session := sessions.Default(c)
 	subject := "user"
@@ -281,6 +298,7 @@ func (a *IDPRouter) handleRegister(c *gin.Context) {
 		GrantTypes:    req.GrantTypes,
 		ResponseTypes: req.ResponseTypes,
 		Scopes:        strings.Fields(req.Scope),
+		Audience:      []string{a.externalURL},
 		Public:        isPublic,
 	}
 	if err := a.repo.RegisterClient(ctx, client); err != nil {

pkg/idp/idp_test.go

@@ -5,7 +5,9 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
@@ -271,3 +273,196 @@ func TestPrivateClient(t *testing.T) {
 	require.NotEmpty(t, newAccessToken)
 	require.NotEqual(t, originalAccessToken, newAccessToken, "Access token should be different after refresh")
 }
+
+// registerTestClient is a helper that registers a private OAuth client and returns the registration response.
+func registerTestClient(t *testing.T, serverURL string) registrationResponse {
+	t.Helper()
+
+	regReq := registrationRequest{
+		ClientName:              "Test OAuth Client",
+		GrantTypes:              []string{"authorization_code", "refresh_token"},
+		ResponseTypes:           []string{"code"},
+		TokenEndpointAuthMethod: "client_secret_basic",
+		Scope:                   "test",
+		RedirectURIs:            []string{"http://localhost:8080/callback"},
+	}
+
+	reqBody, err := json.Marshal(regReq)
+	require.NoError(t, err)
+
+	resp, err := http.Post(serverURL+RegistrationEndpoint, "application/json", bytes.NewReader(reqBody))
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Equal(t, http.StatusCreated, resp.StatusCode)
+
+	var regResp registrationResponse
+	err = json.NewDecoder(resp.Body).Decode(&regResp)
+	require.NoError(t, err)
+
+	return regResp
+}
+
+// testAuthFlowWithURL performs the OAuth authorization flow given a raw authorization URL
+// and returns the callback URL after authorization completes.
+func testAuthFlowWithURL(t *testing.T, serverURL, authURL string) *url.URL {
+	t.Helper()
+
+	jar, err := cookiejar.New(nil)
+	require.NoError(t, err)
+	client := &http.Client{
+		Jar: jar,
+		CheckRedirect: func(req *http.Request, via []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	// Step 1: Make initial authorization request
+	authResp, err := client.Get(authURL)
+	require.NoError(t, err)
+	defer authResp.Body.Close()
+
+	require.Contains(t, []int{http.StatusFound, http.StatusSeeOther}, authResp.StatusCode,
+		"expected redirect, got %d", authResp.StatusCode)
+	location := authResp.Header.Get("Location")
+	require.NotEmpty(t, location)
+	require.Contains(t, location, strings.ReplaceAll(AuthorizationReturnEndpoint, ":ar_id", ""))
+
+	// Step 2: Follow the redirect to complete authorization
+	authReturnResp, err := client.Get(serverURL + location)
+	require.NoError(t, err)
+	defer authReturnResp.Body.Close()
+
+	require.Contains(t, []int{http.StatusFound, http.StatusSeeOther}, authReturnResp.StatusCode,
+		"expected redirect with authorization code, got %d", authReturnResp.StatusCode)
+	callbackLocation := authReturnResp.Header.Get("Location")
+	require.NotEmpty(t, callbackLocation)
+
+	callbackURL, err := url.Parse(callbackLocation)
+	require.NoError(t, err)
+	require.NotEmpty(t, callbackURL.Query().Get("code"), "callback URL should contain an authorization code")
+
+	return callbackURL
+}
+
+func TestAuthWithoutState(t *testing.T) {
+	server, _, _ := setupTestServer(t)
+	regResp := registerTestClient(t, server.URL)
+
+	// Build authorization URL manually WITHOUT a state parameter
+	authURL := fmt.Sprintf("%s%s?response_type=code&client_id=%s&redirect_uri=%s",
+		server.URL, AuthorizationEndpoint, regResp.ClientID,
+		url.QueryEscape("http://localhost:8080/callback"))
+
+	callbackURL := testAuthFlowWithURL(t, server.URL, authURL)
+
+	// Server should have generated a state and echoed it back
+	require.NotEmpty(t, callbackURL.Query().Get("state"), "server should generate a state when client omits it")
+
+	// Exchange authorization code for tokens
+	code := callbackURL.Query().Get("code")
+	tokenReq := url.Values{}
+	tokenReq.Set("grant_type", "authorization_code")
+	tokenReq.Set("code", code)
+	tokenReq.Set("redirect_uri", "http://localhost:8080/callback")
+	tokenReq.Set("client_id", regResp.ClientID)
+	tokenReq.Set("client_secret", regResp.ClientSecret)
+
+	tokenResp, err := http.PostForm(server.URL+TokenEndpoint, tokenReq)
+	require.NoError(t, err)
+	defer tokenResp.Body.Close()
+
+	require.Equal(t, http.StatusOK, tokenResp.StatusCode)
+
+	var tokenResult map[string]any
+	err = json.NewDecoder(tokenResp.Body).Decode(&tokenResult)
+	require.NoError(t, err)
+	require.NotEmpty(t, tokenResult["access_token"])
+}
+
+func TestAuthWithEmptyState(t *testing.T) {
+	server, _, _ := setupTestServer(t)
+	regResp := registerTestClient(t, server.URL)
+
+	// Build authorization URL with an empty state parameter
+	authURL := fmt.Sprintf("%s%s?response_type=code&client_id=%s&redirect_uri=%s&state=",
+		server.URL, AuthorizationEndpoint, regResp.ClientID,
+		url.QueryEscape("http://localhost:8080/callback"))
+
+	callbackURL := testAuthFlowWithURL(t, server.URL, authURL)
+
+	// Server should have generated a state and echoed it back
+	require.NotEmpty(t, callbackURL.Query().Get("state"), "server should generate a state when client sends empty state")
+
+	// Exchange authorization code for tokens
+	code := callbackURL.Query().Get("code")
+	tokenReq := url.Values{}
+	tokenReq.Set("grant_type", "authorization_code")
+	tokenReq.Set("code", code)
+	tokenReq.Set("redirect_uri", "http://localhost:8080/callback")
+	tokenReq.Set("client_id", regResp.ClientID)
+	tokenReq.Set("client_secret", regResp.ClientSecret)
+
+	tokenResp, err := http.PostForm(server.URL+TokenEndpoint, tokenReq)
+	require.NoError(t, err)
+	defer tokenResp.Body.Close()
+
+	require.Equal(t, http.StatusOK, tokenResp.StatusCode)
+
+	var tokenResult map[string]any
+	err = json.NewDecoder(tokenResp.Body).Decode(&tokenResult)
+	require.NoError(t, err)
+	require.NotEmpty(t, tokenResult["access_token"])
+}
+
+func TestAccessTokenAudienceClaim(t *testing.T) {
+	server, _, _ := setupTestServer(t)
+	regResp := registerTestClient(t, server.URL)
+
+	config := &oauth2.Config{
+		ClientID:     regResp.ClientID,
+		ClientSecret: regResp.ClientSecret,
+		RedirectURL:  "http://localhost:8080/callback",
+		Scopes:       []string{},
+		Endpoint: oauth2.Endpoint{
+			AuthURL:  server.URL + AuthorizationEndpoint,
+			TokenURL: server.URL + TokenEndpoint,
+		},
+	}
+
+	callbackURL := testAuthFlowWithURL(t, server.URL, config.AuthCodeURL("test-state"))
+	code := callbackURL.Query().Get("code")
+
+	tokenReq := url.Values{}
+	tokenReq.Set("grant_type", "authorization_code")
+	tokenReq.Set("code", code)
+	tokenReq.Set("redirect_uri", "http://localhost:8080/callback")
+	tokenReq.Set("client_id", regResp.ClientID)
+	tokenReq.Set("client_secret", regResp.ClientSecret)
+
+	tokenResp, err := http.PostForm(server.URL+TokenEndpoint, tokenReq)
+	require.NoError(t, err)
+	defer tokenResp.Body.Close()
+	require.Equal(t, http.StatusOK, tokenResp.StatusCode)
+
+	var tokenResult map[string]any
+	err = json.NewDecoder(tokenResp.Body).Decode(&tokenResult)
+	require.NoError(t, err)
+
+	accessToken := tokenResult["access_token"].(string)
+
+	// Decode JWT payload and verify aud claim contains the external URL
+	parts := strings.Split(accessToken, ".")
+	require.Len(t, parts, 3, "access token should be a JWT with 3 parts")
+
+	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
+	require.NoError(t, err)
+
+	var claims map[string]any
+	err = json.Unmarshal(payload, &claims)
+	require.NoError(t, err)
+
+	aud, ok := claims["aud"].([]any)
+	require.True(t, ok, "aud claim should be present as an array")
+	require.Contains(t, aud, "http://localhost:8080", "aud should contain the external URL")
+}

pkg/mcp-proxy/main.go

@@ -85,9 +85,11 @@ func Run(
 	if err != nil {
 		return fmt.Errorf("failed to parse external URL: %w", err)
 	}
-	if parsedExternalURL.Path != "" {
+	if parsedExternalURL.Path != "" && parsedExternalURL.Path != "/" {
 		return fmt.Errorf("external URL must not have a path, got: %s", parsedExternalURL.Path)
 	}
+	parsedExternalURL.Path = "/"
+	externalURL = parsedExternalURL.String()
 
 	if (tlsCertFile == "") != (tlsKeyFile == "") {
 		return fmt.Errorf("both TLS certificate and key files must be provided together")
@@ -299,8 +301,18 @@ func Run(
 	router := gin.New()
 	router.SetTrustedProxies(trustedProxy)
 
+	router.GET("/healthz", func(c *gin.Context) {
+		c.JSON(http.StatusOK, gin.H{"status": "ok"})
+	})
+
 	router.Use(ginzap.Ginzap(logger, time.RFC3339, true))
-	router.Use(ginzap.RecoveryWithZap(logger, true))
+	router.Use(ginzap.CustomRecoveryWithZap(logger, true, func(c *gin.Context, err any) {
+		if err == http.ErrAbortHandler {
+			c.Abort()
+			return
+		}
+		c.AbortWithStatus(http.StatusInternalServerError)
+	}))
 	store := cookie.NewStore(secret)
 	store.Options(sessions.Options{
 		Path:     "/",