check resource parameter

pcarleton · pcarleton · commit e0a11f8d0db7 · 2025-08-11T19:47:22.000+01:00
diff --git a/auth-compat/src/__tests__/basic-compliance.test.ts b/auth-compat/src/__tests__/basic-compliance.test.ts
@@ -63,8 +63,8 @@ describe('Basic Compliance', () => {
       // Verify resource parameter matches PRM exactly
       // The PRM always returns http://localhost:{port} as the resource
       const expectedResource = `http://localhost:${serverPort}/`;
-      expect(behavior.resourceParameterUsed).toBe(true);
-      expect(behavior.resourceParameterValue).toBe(expectedResource);
+      expect(behavior.authResourceParameter).toBe(expectedResource);
+      expect(behavior.tokenResourceParameter).toBe(expectedResource);
     });
   });
 });
diff --git a/auth-compat/src/server/auth/index.ts b/auth-compat/src/server/auth/index.ts
@@ -31,8 +31,9 @@ export class MockAuthServer implements HttpTraceCollector {
   public httpTrace: HttpTrace[] = [];
   private verbose: boolean;
   public issuerPath: string;
-  public resourceParameterReceived: boolean = false;
-  public resourceParameterValue: string | null = null;
+  public authResourceParameter: string | null = null;
+  public tokenResourceParameter: string | null = null;
+
 
   // Store authorization requests for PKCE validation
   private authorizationRequests: Map<string, AuthorizationRequest> = new Map();
@@ -43,16 +44,16 @@ export class MockAuthServer implements HttpTraceCollector {
     this.app = express();
     this.app.use(express.json());
     this.app.use(express.urlencoded({ extended: true }));
-    
+
     // Extract issuer path from metadata location
     // For /.well-known/oauth-authorization-server/tenant1 -> /tenant1
     // For /.well-known/openid-configuration -> ''
     // For /tenant1/.well-known/openid-configuration -> /tenant1
     this.issuerPath = this.extractIssuerPath(metadataLocation);
-    
+
     this.setupRoutes();
   }
-  
+
   private extractIssuerPath(metadataLocation: string): string {
     // Handle different metadata location patterns
     if (metadataLocation.includes('/.well-known/oauth-authorization-server/')) {
@@ -87,7 +88,7 @@ export class MockAuthServer implements HttpTraceCollector {
     this.app.get(this.metadataLocation, (req: Request, res: Response) => {
       const baseUrl = this.getUrl();
       const issuer = baseUrl + this.issuerPath;
-      
+
       // Base metadata for both OAuth 2.0 and OIDC
       const metadata: any = {
         issuer: issuer,
@@ -99,7 +100,7 @@ export class MockAuthServer implements HttpTraceCollector {
         code_challenge_methods_supported: ['S256'],
         token_endpoint_auth_methods_supported: ['none', 'client_secret_post']
       };
-      
+
       // Add OIDC-specific fields if this is an OpenID Connect metadata endpoint
       if (this.metadataLocation.includes('openid-configuration')) {
         metadata.jwks_uri = `${baseUrl}/jwks`;
@@ -109,7 +110,7 @@ export class MockAuthServer implements HttpTraceCollector {
         metadata.scopes_supported = ['openid', 'profile', 'email'];
         metadata.claims_supported = ['sub', 'name', 'email', 'email_verified'];
       }
-      
+
       res.json(metadata);
     });
 
@@ -127,9 +128,7 @@ export class MockAuthServer implements HttpTraceCollector {
 
       // Track resource parameter
       if (resource) {
-        this.resourceParameterReceived = true;
-        this.resourceParameterValue = resource;
-        this.log('Received resource parameter:', resource);
+        this.authResourceParameter = resource;
       }
 
       // Basic validation
@@ -178,15 +177,10 @@ export class MockAuthServer implements HttpTraceCollector {
         refresh_token,
         resource
       } = req.body;
-      
+
       // Track resource parameter in token request
       if (resource) {
-        this.resourceParameterReceived = true;
-        // Update value if not already set or if different
-        if (!this.resourceParameterValue) {
-          this.resourceParameterValue = resource;
-        }
-        this.log('Received resource parameter in token request:', resource);
+        this.tokenResourceParameter = resource;
       }
 
       if (grant_type === 'authorization_code') {
diff --git a/auth-compat/src/server/validation/index.ts b/auth-compat/src/server/validation/index.ts
@@ -105,7 +105,7 @@ export class ValidationServer {
         // Get the actual port at request time
         const serverPort = this.getPort();
         const authServerUrl = this.authServer ? this.authServer.getUrl() : '';
-        
+
         // Add issuer path if needed
         const issuerPath = this.authServer ? this.authServer.issuerPath : '';
         const fullAuthServerUrl = authServerUrl + issuerPath;
@@ -302,27 +302,6 @@ export class ValidationServer {
         },
         errors: this.clientBehavior.authMetadataRequested ? undefined : ['Client did not request auth metadata']
       });
-      
-      // Test: Resource parameter (RFC 8707)
-      const serverPort = this.getPort();
-      const expectedResource = `http://localhost:${serverPort}`;
-      const resourceCorrect = this.authServer?.resourceParameterValue === expectedResource;
-      
-      results.push({
-        name: 'resource_parameter_rfc8707',
-        result: (this.authServer?.resourceParameterReceived && resourceCorrect) ? 'PASS' : 'FAIL',
-        details: {
-          resource_parameter_sent: this.authServer?.resourceParameterReceived || false,
-          resource_parameter_value: this.authServer?.resourceParameterValue || null,
-          expected_resource: expectedResource,
-          matches_prm: resourceCorrect
-        },
-        errors: !this.authServer?.resourceParameterReceived 
-          ? ['Client did not send resource parameter (required by RFC 8707)']
-          : !resourceCorrect 
-          ? [`Resource parameter '${this.authServer?.resourceParameterValue}' does not match PRM value '${expectedResource}'`]
-          : undefined
-      });
     }
 
     // Test: Basic functionality
@@ -342,20 +321,10 @@ export class ValidationServer {
   getClientBehavior(): ClientBehavior {
     // Add auth server tracking if available
     if (this.authServer) {
-      this.clientBehavior.resourceParameterUsed = this.authServer.resourceParameterReceived;
-      this.clientBehavior.resourceParameterValue = this.authServer.resourceParameterValue || undefined;
-      
-      // Check if the resource parameter EXACTLY matches what's in the PRM
-      const serverPort = this.getPort();
-      const expectedResource = `http://localhost:${serverPort}`; // This is what we return in PRM
-      if (this.authServer.resourceParameterValue) {
-        const receivedResource = this.authServer.resourceParameterValue;
-        if (receivedResource !== expectedResource) {
-          this.clientBehavior.errors.push(`Incorrect resource parameter: expected exactly '${expectedResource}' (from PRM), got '${receivedResource}'`);
-        }
-      }
+      this.clientBehavior.authResourceParameter = this.authServer.authResourceParameter || undefined;
+      this.clientBehavior.tokenResourceParameter = this.authServer.tokenResourceParameter || undefined;
     }
-    
+
     return this.clientBehavior;
   }
 }
diff --git a/auth-compat/src/types.ts b/auth-compat/src/types.ts
@@ -36,8 +36,8 @@ export interface ClientBehavior {
   requestsMade: string[];
   authMetadataRequested: boolean;
   authFlowCompleted?: boolean;
-  resourceParameterUsed?: boolean;
-  resourceParameterValue?: string;
+  authResourceParameter?: string;
+  tokenResourceParameter?: string;
   errors: string[];
   httpTrace: HttpTrace[];
 }
