oauthex: add MatchesResource helper (RFC 9728/8707 audience comparison)#970
Open
BorisTyshkevich wants to merge 2 commits into
Open
oauthex: add MatchesResource helper (RFC 9728/8707 audience comparison)#970BorisTyshkevich wants to merge 2 commits into
BorisTyshkevich wants to merge 2 commits into
Conversation
Real-world OAuth identity providers emit the protected-resource identifier in both canonical (trailing slash, per RFC 9728 §3.3) and trimmed (no slash, per common RFC 8707 setups) forms across `aud` claims. Strict byte equality fails routinely on legitimate setups — claude.ai/ChatGPT round-trip the form the upstream IdP sent them, which may differ from the operator's configured form. Adds an exported MatchesResource helper that accepts either form while preserving exact-equality semantics for the rest of the URL (scheme, host, path). Tests cover the four common shape combinations plus negative cases where scheme/path mismatches must still fail. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
5 tasks
Review feedback from a re-read of RFC 9728 / RFC 3986: - RFC 9728 §3.3 normatively cites RFC 3986 §6.2.1 "simple string comparison" (byte-equal), not the trailing-slash form. The spec basis for slash tolerance is RFC 3986 §6.2.3 (scheme-based normalization), which lists empty-path → "/" among the normalizations permitted *but not required*. Reframe the doc accordingly so reviewers don't have to re-derive the citation. - Drop strings.TrimSpace. No RFC permits whitespace around a JWT aud URI; tolerating it silently accepts a malformed claim instead of surfacing it. If a real IdP ever emits whitespace, that's a bug in the IdP, not something a generic helper should paper over. - Document the §6.2.3 features deliberately NOT applied (host case fold, default-port elision) so callers know two distinct registered resources cannot collide via these normalizations. Added negative tests pinning each boundary. - Point byte-equal-strict callers at the direct == comparison so they know they don't need a separate helper. Behavior change: claims with surrounding whitespace now return false (previously returned true). The only realistic caller — token validation — already gets malformed-aud rejection elsewhere via jose/oidc parsers, so this surfaces upstream bugs rather than hiding them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Motivation
RFC 9728 §3.3 canonicalises the protected-resource identifier with a trailing slash, but RFC 8707 resource indicators frequently omit it. Upstream IdPs vary in which form they emit in the `aud` claim (Google trims, Auth0 retains, some clients round-trip whatever the IdP sent). Strict byte equality therefore fails routinely on legitimate setups.
Resource servers writing this comparison by hand all converge on the same trim-trailing-slash + whitespace logic; exporting a canonical helper saves every consumer from re-deriving it.
Test plan