fix(fastmcp): consolidate ApiClient instances in auth0.ts (#38)

btiernay · claude · web-flow · commit cca09ffebc4c · 2025-10-30T09:33:56.000-04:00
Previously created two separate ApiClient instances with different audiences: - apiClient with AUTH0_AUDIENCE (correct) - exchangeClient with API_AUTH0_AUDIENCE (incorrect) The audience parameter in ApiClient constructor is for validating incoming tokens, not for specifying target audience of exchanged tokens. Both token verification and exchange should use the same client configured with the MCP's own audience (AUTH0_AUDIENCE). Changes: - Removed exchangeClient instance - Added client credentials to single apiClient - Updated exchangeCustomToken to use apiClient - Added comments clarifying audience usage in token exchange - Target audience (API_AUTH0_AUDIENCE) correctly specified in getTokenByExchangeProfile() call Fixes: AIDX-314 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/auth-for-mcp/fastmcp-mcp-customtokenexchange-js/src/auth0.ts b/auth-for-mcp/fastmcp-mcp-customtokenexchange-js/src/auth0.ts
@@ -18,23 +18,21 @@ const MCP_AUTH0_SUBJECT_TOKEN_TYPE = process.env.MCP_AUTH0_SUBJECT_TOKEN_TYPE as
 const MCP_AUTH0_EXCHANGE_SCOPE = process.env.MCP_AUTH0_EXCHANGE_SCOPE as string;
 const API_AUTH0_AUDIENCE = process.env.API_AUTH0_AUDIENCE as string;
 
-
+// Resource server's OAuth 2.0 client for token verification and exchange
+// Configured with the MCP resource server's audience
 const apiClient = new ApiClient({
   domain: AUTH0_DOMAIN,
   audience: AUTH0_AUDIENCE,
-});
-
-const exchangeClient = new ApiClient({
-  domain: AUTH0_DOMAIN,
-  audience: API_AUTH0_AUDIENCE,
   clientId: MCP_AUTH0_CLIENT_ID,
   clientSecret: MCP_AUTH0_CLIENT_SECRET,
 });
 
 export async function exchangeCustomToken(subjectToken: string) {
-    return await exchangeClient.getTokenByExchangeProfile(subjectToken, {
+    // Use the resource server's OAuth 2.0 client to exchange tokens
+    // The 'audience' parameter specifies the target audience for the exchanged token
+    return await apiClient.getTokenByExchangeProfile(subjectToken, {
       subjectTokenType: MCP_AUTH0_SUBJECT_TOKEN_TYPE,
-      audience: API_AUTH0_AUDIENCE,
+      audience: API_AUTH0_AUDIENCE, // Target audience for the exchanged token
       ...(MCP_AUTH0_EXCHANGE_SCOPE && { scope: MCP_AUTH0_EXCHANGE_SCOPE }),
     });
 }
