@@ -348,8 +348,8 @@ func CreateOAuthConfigWithExtraParams(serverConfig *config.ServerConfig, storage
348348 }
349349 }
350350
351- // Create the base OAuth config using existing function
352- oauthConfig := CreateOAuthConfig (serverConfig , storage )
351+ // Create the base OAuth config, passing extraParams for transport wrapper injection
352+ oauthConfig := createOAuthConfigInternal (serverConfig , storage , extraParams )
353353
354354 return oauthConfig , extraParams
355355}
@@ -417,7 +417,22 @@ func autoDetectResource(serverConfig *config.ServerConfig, logger *zap.Logger) s
417417
418418// CreateOAuthConfig creates an OAuth configuration for dynamic client registration
419419// This implements proper callback server coordination required for Cloudflare OAuth
420+ //
421+ // Note: For zero-config OAuth with auto-detected resource parameter, use
422+ // CreateOAuthConfigWithExtraParams() instead, which returns both config and extraParams.
420423func CreateOAuthConfig (serverConfig * config.ServerConfig , storage * storage.BoltDB ) * client.OAuthConfig {
424+ // Extract manual extra_params from config for backward compatibility
425+ var extraParams map [string ]string
426+ if serverConfig .OAuth != nil && len (serverConfig .OAuth .ExtraParams ) > 0 {
427+ extraParams = serverConfig .OAuth .ExtraParams
428+ }
429+ return createOAuthConfigInternal (serverConfig , storage , extraParams )
430+ }
431+
432+ // createOAuthConfigInternal is the internal implementation that accepts extraParams
433+ // for transport wrapper injection. This enables both manual and auto-detected params
434+ // to be injected into token exchange and refresh requests.
435+ func createOAuthConfigInternal (serverConfig * config.ServerConfig , storage * storage.BoltDB , extraParams map [string ]string ) * client.OAuthConfig {
421436 startTime := time .Now ()
422437 logger := zap .L ().Named ("oauth" )
423438
@@ -605,27 +620,25 @@ func CreateOAuthConfig(serverConfig *config.ServerConfig, storage *storage.BoltD
605620 zap .String ("storage" , "memory" ))
606621 }
607622
608- // Extract extra OAuth parameters (e.g., RFC 8707 resource parameter)
609- var extraParams map [ string ] string
623+ // Create HTTP client with transport wrapper to inject extra params into token requests
624+ // extraParams may contain auto-detected resource (RFC 8707) or manual config params
610625 var httpClient * http.Client
611626
612- if serverConfig .OAuth != nil && len (serverConfig .OAuth .ExtraParams ) > 0 {
613- extraParams = serverConfig .OAuth .ExtraParams
614-
627+ if len (extraParams ) > 0 {
615628 // Log extra params with selective masking for security
616629 masked := maskExtraParams (extraParams )
617- logger .Debug ("OAuth extra parameters configured " ,
630+ logger .Debug ("OAuth extra parameters will be injected into token requests " ,
618631 zap .String ("server" , serverConfig .Name ),
619632 zap .Any ("extra_params" , masked ))
620633
621- // Create HTTP client with wrapper to inject extra params
634+ // Create HTTP client with wrapper to inject extra params into token exchange/refresh
622635 wrapper := NewOAuthTransportWrapper (http .DefaultTransport , extraParams , logger )
623636 httpClient = & http.Client {
624637 Transport : wrapper ,
625638 Timeout : 30 * time .Second ,
626639 }
627640
628- logger .Info ("✅ Created OAuth HTTP client with extra params wrapper" ,
641+ logger .Info ("✅ Created OAuth HTTP client with extra params wrapper for token requests " ,
629642 zap .String ("server" , serverConfig .Name ),
630643 zap .Int ("extra_params_count" , len (extraParams )))
631644 }
0 commit comments