fix(api,cli): stop auto-deriving RFC 8707 resource indicator from URL (#5204)

peppescg · claude · web-flow · commit ec284b0ee016 · 2026-05-06T15:59:31.000+02:00
* fix(api): stop auto-deriving RFC 8707 resource indicator from URL The API path unconditionally derived the RFC 8707 resource parameter from the server URL, while the CLI only did so when --resource-url was explicitly passed. This broke OAuth for servers like Common Room that don't support RFC 8707. Remove the automatic URL-to-resource fallback in both buildRemoteAuthConfigFromMetadata and createRequestToRemoteAuthConfig, keeping only user-provided and metadata-provided resource values. Fixes: #5203 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * test(api): add resource indicator tests for createRequestToRemoteAuthConfig Verify that resource is NOT auto-derived from URL when not explicitly set, and that an explicitly provided resource is preserved verbatim. These tests guard against re-introducing the removed fallback derivation. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(api,cli): remove auto-derivation of RFC 8707 resource from all paths Also fix the CLI registry path (getRemoteAuthFromRemoteServerMetadata) which had the same unconditional fallback to DefaultResourceIndicator. Inline orphaned variable in createRequestToRemoteAuthConfig. The resource parameter is now only set when explicitly provided by the user or registry metadata, matching the behavior of the direct CLI path which gates on --resource-url. Refs: #5203 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: address review nits — clarify comments Add explanatory comment on registry path resource assignment explaining why --resource-url derivation is intentionally skipped. Reword test comment to be reader-facing rather than author-local. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/cmd/thv/app/run_flags.go b/cmd/thv/app/run_flags.go
@@ -948,12 +948,11 @@ func getRemoteAuthFromRemoteServerMetadata(
 	authCfg.AuthorizeURL = firstNonEmpty(f.RemoteAuthAuthorizeURL, oc.AuthorizeURL)
 	authCfg.TokenURL = firstNonEmpty(f.RemoteAuthTokenURL, oc.TokenURL)
 
-	resourceIndicator := firstNonEmpty(f.RemoteAuthResource, oc.Resource)
-	if resourceIndicator != "" {
-		authCfg.Resource = resourceIndicator
-	} else {
-		authCfg.Resource = remote.DefaultResourceIndicator(remoteServerMetadata.URL)
-	}
+	// Resource is only set from explicit user flag or registry metadata.
+	// Unlike the direct-URL path (getRemoteAuthFromRunFlags), --resource-url
+	// derivation is intentionally not applied here: registry metadata is the
+	// authoritative source for the resource indicator in this path.
+	authCfg.Resource = firstNonEmpty(f.RemoteAuthResource, oc.Resource)
 
 	// OAuthParams: REPLACE metadata when CLI provides any key/value.
 	if len(runFlags.OAuthParams) > 0 {
diff --git a/pkg/api/v1/workload_service.go b/pkg/api/v1/workload_service.go
@@ -429,14 +429,11 @@ func buildRemoteAuthConfigFromMetadata(req *createRequest, md *regtypes.RemoteSe
 		return nil
 	}
 
-	// Default resource: user-provided > registry metadata > derived from remote URL
+	// Default resource: user-provided > registry metadata
 	resource := req.OAuthConfig.Resource
 	if resource == "" {
 		resource = md.OAuthConfig.Resource
 	}
-	if resource == "" && md.URL != "" {
-		resource = remote.DefaultResourceIndicator(md.URL)
-	}
 
 	cfg := &remote.Config{
 		ClientID:     req.OAuthConfig.ClientID,
@@ -466,12 +463,6 @@ func createRequestToRemoteAuthConfig(
 	req *createRequest,
 ) *remote.Config {
 
-	// Default resource: user-provided > derived from remote URL
-	resource := req.OAuthConfig.Resource
-	if resource == "" && req.URL != "" {
-		resource = remote.DefaultResourceIndicator(req.URL)
-	}
-
 	// Create RemoteAuthConfig
 	remoteAuthConfig := &remote.Config{
 		ClientID:     req.OAuthConfig.ClientID,
@@ -480,7 +471,7 @@ func createRequestToRemoteAuthConfig(
 		AuthorizeURL: req.OAuthConfig.AuthorizeURL,
 		TokenURL:     req.OAuthConfig.TokenURL,
 		UsePKCE:      req.OAuthConfig.UsePKCE,
-		Resource:     resource,
+		Resource:     req.OAuthConfig.Resource,
 		OAuthParams:  req.OAuthConfig.OAuthParams,
 		CallbackPort: req.OAuthConfig.CallbackPort,
 		SkipBrowser:  req.OAuthConfig.SkipBrowser,
diff --git a/pkg/api/v1/workload_service_test.go b/pkg/api/v1/workload_service_test.go
@@ -753,7 +753,7 @@ func TestBuildRemoteAuthConfigFromMetadata(t *testing.T) {
 		assert.Equal(t, "https://resource.example.com", cfg.Resource)
 	})
 
-	t.Run("resource derived from URL when both user and metadata unset", func(t *testing.T) {
+	t.Run("resource empty when both user and metadata unset", func(t *testing.T) {
 		t.Parallel()
 
 		md := baseMetadata()
@@ -762,7 +762,7 @@ func TestBuildRemoteAuthConfigFromMetadata(t *testing.T) {
 		cfg := buildRemoteAuthConfigFromMetadata(&createRequest{}, md)
 
 		require.NotNil(t, cfg)
-		assert.NotEmpty(t, cfg.Resource, "resource should be derived from md.URL")
+		assert.Empty(t, cfg.Resource, "resource should not be auto-derived from URL")
 	})
 
 	t.Run("user ClientSecret is applied in CLI string format", func(t *testing.T) {
diff --git a/pkg/api/v1/workloads_types_test.go b/pkg/api/v1/workloads_types_test.go
@@ -515,6 +515,44 @@ func TestCreateRequestToRemoteAuthConfig(t *testing.T) {
 			assert.Equal(t, tt.expectedBearerToken, result.BearerToken)
 		})
 	}
+
+	// Guard against reintroduction of RFC 8707 auto-derivation from URL.
+	// Resource must only be set when explicitly provided (see #5203).
+	t.Run("resource empty when URL set but resource not explicitly provided", func(t *testing.T) {
+		t.Parallel()
+
+		req := &createRequest{
+			updateRequest: updateRequest{
+				URL:         "https://mcp.example.com/mcp",
+				OAuthConfig: remoteOAuthConfig{ClientID: "some-client"},
+			},
+		}
+
+		cfg := createRequestToRemoteAuthConfig(context.Background(), req)
+
+		require.NotNil(t, cfg)
+		assert.Empty(t, cfg.Resource, "resource must not be auto-derived from URL when not explicitly set")
+	})
+
+	t.Run("resource preserved when user provides it explicitly", func(t *testing.T) {
+		t.Parallel()
+
+		req := &createRequest{
+			updateRequest: updateRequest{
+				URL: "https://mcp.example.com/mcp",
+				OAuthConfig: remoteOAuthConfig{
+					ClientID: "some-client",
+					Resource: "https://explicit-resource.example.com",
+				},
+			},
+		}
+
+		cfg := createRequestToRemoteAuthConfig(context.Background(), req)
+
+		require.NotNil(t, cfg)
+		assert.Equal(t, "https://explicit-resource.example.com", cfg.Resource,
+			"user-provided resource must be preserved verbatim")
+	})
 }
 
 func TestValidateHeaderForwardConfig(t *testing.T) {
