Skip to content

OAuth 2.1 server: support RFC 8707 Resource Indicators (resource parameter → aud claim) #2610

Description

@emiel-os

Feature request

Support RFC 8707 Resource Indicators in the OAuth 2.1 authorization server: accept the resource parameter at the authorization and token endpoints, validate it, and bind the issued access token's aud claim to that resource URI.

Why

The MCP authorization spec requires resource-bound tokens: MCP clients send resource per RFC 8707, and strict native connectors (Claude Desktop and web, ChatGPT) reject or mis-scope tokens whose audience is not the MCP resource URL. Today the Supabase OAuth server ignores the resource parameter and stamps aud: "authenticated", so a Supabase-backed MCP resource server cannot satisfy the spec's audience-binding requirement with Supabase-issued tokens — the resource server has no way to influence the audience since only the token issuer can set it.

Current behavior

  • /oauth/authorize + token endpoint: resource parameter accepted-but-ignored.
  • Issued access tokens: aud: "authenticated" regardless of the requested resource.
  • RFC 9728 protected-resource metadata on the resource-server side points clients at Supabase as the authorization server, but the tokens that come back are not audience-bound to the resource.

Desired behavior

  • Accept resource at both the authorization and token endpoints (RFC 8707 semantics, including the multiple-resources / downscoping rules).
  • Validate the requested resource (e.g., against a per-client allowlist of registered resource URIs, or a project-level configuration).
  • Issue the access token with aud set to the granted resource URI (keeping "authenticated" as an additional audience would preserve backward compatibility with PostgREST/RLS consumers: aud: [resource, "authenticated"]).
  • Advertise support in the authorization-server metadata.

Impact

This unblocks the growing class of MCP servers that use Supabase Auth as their identity provider from having to stand up their own authorization server in front of Supabase purely to control the aud claim. With resource indicators supported, a Supabase-backed MCP server works with zero-config native connectors out of the box.

Happy to provide more detail on the MCP flow or test against a preview build — we run a production MCP resource server on Supabase Auth today and currently have to plan a wrapper AS solely for this gap.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions