Validate audience matches resourceUrl for embedded auth server (#4904)

* Validate audience matches resourceUrl when embedded auth server is active (#4860)

The embedded auth server mints tokens with aud set to the ResourceURL
(the RFC 8707 resource parameter), but the token validator checks aud
against the user-specified OIDCConfigRef.Audience. When these diverge,
every authenticated request fails silently.

Add reconciler-time validation requiring audience == resourceUrl when an
embedded auth server is configured, with a clear error message guiding
operators to fix the mismatch. This mirrors the existing validation in
the vMCP inline config path (ValidateAuthServerIntegration).

Fixes #4860

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Extract audience validation into shared helper and improve error messages

Consolidate the duplicated audience/resourceUrl validation from
AddEmbeddedAuthServerConfigOptions and AddAuthServerRefOptions into
validateOIDCConfigForEmbeddedAuthServer. Add a distinct error for
empty audience (missing field) vs mismatched audience (wrong value)
to help operators identify the root cause faster.

Document the rationale for validation-based enforcement (Option D)
over silent override (Option A): operators see exactly what values
are in play and control both sides explicitly, consistent with the
existing vMCP inline config validation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix integration tests to set matching audience and resourceUrl

Integration test fixtures set OIDCConfigRef.Audience but not
ResourceURL, so the resolver auto-computed a different ResourceURL
from the proxy/server name. The new audience validation correctly
rejects this mismatch.

Set ResourceURL to match Audience in all embedded auth server
integration test fixtures so the audience consistency check passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tgrunnagle

cmd/thv-operator/controllers/mcpserver_externalauth_runconfig_test.go

@@ -250,6 +250,7 @@ func TestAddExternalAuthConfigOptions(t *testing.T) {
 				},
 			},
 			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "http://test-server.default.svc.cluster.local:8080",
 				ResourceURL: "http://test-server.default.svc.cluster.local:8080",
 				Scopes:      []string{"openid", "offline_access"},
 			},
@@ -754,7 +755,7 @@ func TestCreateRunConfigFromMCPServer_WithExternalAuth(t *testing.T) {
 					},
 					OIDCConfigRef: &mcpv1alpha1.MCPOIDCConfigReference{
 						Name:     "embedded-oidc",
-						Audience: "toolhive",
+						Audience: "http://embedded-auth-server.default.svc.cluster.local:8080",
 						Scopes:   []string{"openid", "offline_access", "mcp:tools"},
 					},
 				},

cmd/thv-operator/pkg/controllerutil/authserver.go

@@ -395,12 +395,8 @@ func AddEmbeddedAuthServerConfigOptions(
 		return fmt.Errorf("embedded auth server configuration is nil for type embeddedAuthServer")
 	}
 
-	// Validate OIDC config is provided with ResourceURL (required for embedded auth server)
-	if oidcConfig == nil {
-		return fmt.Errorf("OIDC config is required for embedded auth server: OIDCConfigRef must be set on the MCPServer")
-	}
-	if oidcConfig.ResourceURL == "" {
-		return fmt.Errorf("OIDC config resourceUrl is required for embedded auth server: set resourceUrl in OIDCConfigRef")
+	if err := validateOIDCConfigForEmbeddedAuthServer(oidcConfig); err != nil {
+		return err
 	}
 
 	// Build the embedded auth server config for runner
@@ -418,6 +414,42 @@ func AddEmbeddedAuthServerConfigOptions(
 	return nil
 }
 
+// validateOIDCConfigForEmbeddedAuthServer validates OIDC configuration
+// requirements when an embedded auth server is active.
+//
+// The embedded auth server mints tokens with aud = ResourceURL (the value
+// clients send as the RFC 8707 resource parameter via discovery). The token
+// validator checks aud against Audience. If these differ, every authenticated
+// request fails with an audience mismatch.
+//
+// We validate consistency at reconciliation time (rather than silently
+// overriding Audience with ResourceURL) so that operators see exactly what
+// values are in play and control both sides explicitly. This mirrors the
+// existing vMCP inline config validation (ValidateAuthServerIntegration).
+func validateOIDCConfigForEmbeddedAuthServer(oidcConfig *oidc.OIDCConfig) error {
+	if oidcConfig == nil {
+		return fmt.Errorf("OIDC config is required for embedded auth server: OIDCConfigRef must be set on the MCPServer")
+	}
+	if oidcConfig.ResourceURL == "" {
+		return fmt.Errorf("OIDC config resourceUrl is required for embedded auth server: set resourceUrl in OIDCConfigRef")
+	}
+	if oidcConfig.Audience == "" {
+		return fmt.Errorf(
+			"oidcConfigRef.audience is required when an embedded auth server is active; "+
+				"set audience to %q to match resourceUrl",
+			oidcConfig.ResourceURL,
+		)
+	}
+	if oidcConfig.Audience != oidcConfig.ResourceURL {
+		return fmt.Errorf(
+			"oidcConfigRef.audience %q must match resourceUrl %q when an embedded auth server is active; "+
+				"set audience to %q or set resourceUrl to match audience",
+			oidcConfig.Audience, oidcConfig.ResourceURL, oidcConfig.ResourceURL,
+		)
+	}
+	return nil
+}
+
 // BuildAuthServerRunConfig converts CRD EmbeddedAuthServerConfig to authserver.RunConfig.
 // The RunConfig is serializable and contains file paths for secrets (not the secrets themselves).
 //
@@ -759,12 +791,8 @@ func AddAuthServerRefOptions(
 		return fmt.Errorf("embedded auth server configuration is nil for type embeddedAuthServer")
 	}
 
-	// Validate OIDC config is provided with ResourceURL (required for embedded auth server)
-	if oidcConfig == nil {
-		return fmt.Errorf("OIDC config is required for embedded auth server: OIDCConfigRef must be set on the MCPServer")
-	}
-	if oidcConfig.ResourceURL == "" {
-		return fmt.Errorf("OIDC config resourceUrl is required for embedded auth server: set resourceUrl in OIDCConfigRef")
+	if err := validateOIDCConfigForEmbeddedAuthServer(oidcConfig); err != nil {
+		return err
 	}
 
 	// Build the embedded auth server config for runner

cmd/thv-operator/pkg/controllerutil/authserver_test.go

@@ -1110,6 +1110,7 @@ func TestAddEmbeddedAuthServerConfigOptions_Validation(t *testing.T) {
 		{
 			name: "valid OIDC config succeeds",
 			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "http://test-server.default.svc.cluster.local:8080",
 				ResourceURL: "http://test-server.default.svc.cluster.local:8080",
 				Scopes:      []string{"openid", "offline_access"},
 			},
@@ -1118,11 +1119,32 @@ func TestAddEmbeddedAuthServerConfigOptions_Validation(t *testing.T) {
 		{
 			name: "valid OIDC config with nil scopes succeeds",
 			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "http://test-server.default.svc.cluster.local:8080",
 				ResourceURL: "http://test-server.default.svc.cluster.local:8080",
 				Scopes:      nil,
 			},
 			expectError: false,
 		},
+		{
+			name: "audience mismatch with resourceUrl returns error",
+			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "https://different-audience.example.com",
+				ResourceURL: "http://test-server.default.svc.cluster.local:8080",
+				Scopes:      []string{"openid"},
+			},
+			expectError: true,
+			errContains: "must match resourceUrl",
+		},
+		{
+			name: "empty audience returns specific error",
+			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "",
+				ResourceURL: "http://test-server.default.svc.cluster.local:8080",
+				Scopes:      []string{"openid"},
+			},
+			expectError: true,
+			errContains: "audience is required when an embedded auth server is active",
+		},
 	}
 
 	for _, tt := range tests {
@@ -1665,6 +1687,7 @@ func TestAddAuthServerRefOptions(t *testing.T) {
 	}
 
 	validOIDCConfig := &oidc.OIDCConfig{
+		Audience:    "https://mcp.example.com",
 		ResourceURL: "https://mcp.example.com",
 		Scopes:      []string{"openid"},
 	}
@@ -1738,6 +1761,36 @@ func TestAddAuthServerRefOptions(t *testing.T) {
 			wantErr:     true,
 			errContains: "OIDC config is required",
 		},
+		{
+			name: "audience mismatch with resourceUrl returns error",
+			authServerRef: &mcpv1alpha1.AuthServerRef{
+				Kind: "MCPExternalAuthConfig",
+				Name: "auth-server-config",
+			},
+			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "https://wrong-audience.example.com",
+				ResourceURL: "https://mcp.example.com",
+				Scopes:      []string{"openid"},
+			},
+			objects:     func() []runtime.Object { return []runtime.Object{newValidEmbeddedAuthConfig()} },
+			wantErr:     true,
+			errContains: "must match resourceUrl",
+		},
+		{
+			name: "audience matching resourceUrl succeeds",
+			authServerRef: &mcpv1alpha1.AuthServerRef{
+				Kind: "MCPExternalAuthConfig",
+				Name: "auth-server-config",
+			},
+			oidcConfig: &oidc.OIDCConfig{
+				Audience:    "https://mcp.example.com",
+				ResourceURL: "https://mcp.example.com",
+				Scopes:      []string{"openid"},
+			},
+			objects:     func() []runtime.Object { return []runtime.Object{newValidEmbeddedAuthConfig()} },
+			wantErr:     false,
+			wantOptions: 1,
+		},
 	}
 
 	for _, tt := range tests {
@@ -1813,6 +1866,7 @@ func TestValidateAndAddAuthServerRefOptions(t *testing.T) {
 	}
 
 	validOIDC := &oidc.OIDCConfig{
+		Audience:    "https://mcp.example.com",
 		ResourceURL: "https://mcp.example.com",
 		Scopes:      []string{"openid"},
 	}

cmd/thv-operator/test-integration/mcp-remote-proxy/remoteproxy_helpers.go

@@ -116,10 +116,13 @@ func (rb *RemoteProxyBuilder) WithAuthServerRef(name string) *RemoteProxyBuilder
 }
 
 // WithOIDCConfigRef sets the OIDCConfigRef for the proxy.
-func (rb *RemoteProxyBuilder) WithOIDCConfigRef(name, audience string) *RemoteProxyBuilder {
+// resourceURL sets both Audience and ResourceURL to the same value, which is
+// required when an embedded auth server is active (#4860).
+func (rb *RemoteProxyBuilder) WithOIDCConfigRef(name, resourceURL string) *RemoteProxyBuilder {
 	rb.proxy.Spec.OIDCConfigRef = &mcpv1alpha1.MCPOIDCConfigReference{
-		Name:     name,
-		Audience: audience,
+		Name:        name,
+		Audience:    resourceURL,
+		ResourceURL: resourceURL,
 	}
 	return rb
 }

cmd/thv-operator/test-integration/mcp-server/mcpserver_authserverref_integration_test.go

@@ -81,8 +81,9 @@ var _ = Describe("MCPServer AuthServerRef Integration Tests", func() {
 						Name: authConfigName,
 					},
 					OIDCConfigRef: &mcpv1alpha1.MCPOIDCConfigReference{
-						Name:     oidcConfigName,
-						Audience: "https://test-resource.example.com",
+						Name:        oidcConfigName,
+						Audience:    "https://test-resource.example.com",
+						ResourceURL: "https://test-resource.example.com",
 					},
 				},
 			}
@@ -197,8 +198,9 @@ var _ = Describe("MCPServer AuthServerRef Integration Tests", func() {
 						Name: authConfigConflict,
 					},
 					OIDCConfigRef: &mcpv1alpha1.MCPOIDCConfigReference{
-						Name:     oidcConfigName,
-						Audience: "https://test-resource.example.com",
+						Name:        oidcConfigName,
+						Audience:    "https://test-resource.example.com",
+						ResourceURL: "https://test-resource.example.com",
 					},
 				},
 			}
@@ -376,8 +378,9 @@ var _ = Describe("MCPServer AuthServerRef Integration Tests", func() {
 						Name: authConfigName,
 					},
 					OIDCConfigRef: &mcpv1alpha1.MCPOIDCConfigReference{
-						Name:     oidcConfigName,
-						Audience: "https://test-resource.example.com",
+						Name:        oidcConfigName,
+						Audience:    "https://test-resource.example.com",
+						ResourceURL: "https://test-resource.example.com",
 					},
 				},
 			}