Skip to content

chore(web): Validate OAuth scopes for MCP access#1396

Merged
brendan-kellam merged 11 commits into
mainfrom
brendan/sou-948-access-token-scope-validation-in-resource-server
Jul 1, 2026
Merged

chore(web): Validate OAuth scopes for MCP access#1396
brendan-kellam merged 11 commits into
mainfrom
brendan/sou-948-access-token-scope-validation-in-resource-server

Conversation

@brendan-kellam

@brendan-kellam brendan-kellam commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Add the groundwork for validating OAuth scopes per endpoint.

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

Walkthrough

Adds mcp OAuth scope support across OAuth discovery, authorization, token issuance, auth middleware, and the MCP route. It also stores scope on authorization codes and updates tests, mocks, and changelog entries.

Changes

MCP OAuth Scope Enforcement

Layer / File(s) Summary
Scope constants and utilities
packages/web/src/ee/features/oauth/constants.ts, packages/web/src/ee/features/oauth/utils.ts, packages/web/src/lib/errorCodes.ts, packages/web/src/lib/serviceError.ts, packages/web/src/ee/features/oauth/utils.test.ts
Adds the Sourcebot OAuth scope constants and type, plus scope parsing, formatting, validation, redirect checks, the insufficient-scope error code, and the matching service error helper.
Authorization code scope storage
packages/db/prisma/schema.prisma, packages/db/prisma/migrations/20260630005335_add_oauth_scope_to_authorization_code/migration.sql
Adds a scope field to OAuthAuthorizationCode in Prisma and the matching migration.
Token issuance: scope persistence and return
packages/web/src/ee/features/oauth/server.ts, packages/web/src/app/api/(server)/ee/oauth/token/route.ts, packages/web/src/ee/features/oauth/server.test.ts
generateAndStoreAuthCode now stores scope, token exchange/rotation return and persist scope, and the token endpoint returns helper-provided scope and expiry values.
Auth middleware: scope parsing and enforcement
packages/web/src/middleware/withAuth.ts, packages/web/src/middleware/withAuth.test.ts
withAuth, withOptionalAuth, and getAuthContext accept requiredOAuthScopes; bearer tokens expose parsed oauthScopes, and missing scopes return insufficientOAuthScope.
Consent and authorization flow: scope propagation
packages/web/src/app/oauth/authorize/page.tsx, packages/web/src/app/oauth/authorize/components/consentScreen.tsx, packages/web/src/ee/features/oauth/actions.ts
The authorize page reads and validates the scope query parameter, passes it into consent, and approveAuthorization validates it before continuing.
MCP route: scope enforcement and WWW-Authenticate challenges
packages/web/src/app/api/(server)/ee/mcp/route.ts
The MCP POST and DELETE routes require the mcp scope, and error responses add scope-aware Bearer and DPoP WWW-Authenticate challenges.
Discovery metadata, mocks, and changelog
packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts, packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts, packages/web/src/__mocks__/prisma.ts, packages/web/src/lib/apiHandler.test.ts, CHANGELOG.md
OAuth discovery routes advertise scopes_supported, Prisma mocks use mcp scope values, an API handler test callback signature is adjusted, and the changelog records the validation change.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

  • sourcebot-dev/sourcebot#977: Extends the OAuth token exchange and MCP authorization-server flow that this PR updates for scope persistence and enforcement.
  • sourcebot-dev/sourcebot#985: Also changes the OAuth discovery and protected-resource metadata routes that now publish supported scopes here.
  • sourcebot-dev/sourcebot#1395: Modifies the MCP WWW-Authenticate response path that this PR extends for insufficient-scope handling.

Suggested reviewers

  • jsourcebot
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 35.29% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: validating OAuth scopes for MCP access.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch brendan/sou-948-access-token-scope-validation-in-resource-server

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

…s-token-scope-validation-in-resource-server

# Conflicts:
#	packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts
#	packages/web/src/app/api/(server)/ee/mcp/route.ts
#	packages/web/src/app/api/(server)/ee/oauth/token/route.ts
#	packages/web/src/app/oauth/authorize/components/consentScreen.tsx
#	packages/web/src/app/oauth/authorize/page.tsx
#	packages/web/src/ee/features/oauth/actions.ts
#	packages/web/src/ee/features/oauth/server.ts
#	packages/web/src/middleware/withAuth.test.ts
#	packages/web/src/middleware/withAuth.ts
@brendan-kellam brendan-kellam marked this pull request as ready for review June 30, 2026 00:04

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/web/src/app/oauth/authorize/page.tsx`:
- Line 20: Normalize the OAuth `scope` query param in `authorize/page.tsx`
before passing it to `resolveGrantedOAuthScopes()`, since Next.js 16 may provide
repeated values as `string[]` and that helper will fail on arrays. Update the
page’s query-param handling to treat `scope` the same way as `resource` and
`dpop_jkt`, and replace the unsafe `new URLSearchParams(params as Record<string,
string>)` usage for the callback URL with explicit string-safe construction so
array values are handled correctly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6369ba85-ed38-430b-9192-af298b6e071d

📥 Commits

Reviewing files that changed from the base of the PR and between 5d5a063 and 91d5959.

📒 Files selected for processing (20)
  • CHANGELOG.md
  • packages/db/prisma/migrations/20260629190000_backfill_sourcebot_mcp_oauth_scope/migration.sql
  • packages/db/prisma/schema.prisma
  • packages/web/src/__mocks__/prisma.ts
  • packages/web/src/app/api/(server)/ee/.well-known/oauth-authorization-server/route.ts
  • packages/web/src/app/api/(server)/ee/.well-known/oauth-protected-resource/[...path]/route.ts
  • packages/web/src/app/api/(server)/ee/mcp/route.ts
  • packages/web/src/app/api/(server)/ee/oauth/token/route.ts
  • packages/web/src/app/oauth/authorize/components/consentScreen.tsx
  • packages/web/src/app/oauth/authorize/page.tsx
  • packages/web/src/ee/features/oauth/actions.ts
  • packages/web/src/ee/features/oauth/constants.test.ts
  • packages/web/src/ee/features/oauth/constants.ts
  • packages/web/src/ee/features/oauth/server.test.ts
  • packages/web/src/ee/features/oauth/server.ts
  • packages/web/src/lib/apiHandler.test.ts
  • packages/web/src/lib/errorCodes.ts
  • packages/web/src/lib/serviceError.ts
  • packages/web/src/middleware/withAuth.test.ts
  • packages/web/src/middleware/withAuth.ts

Comment thread packages/web/src/app/oauth/authorize/page.tsx

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@packages/db/prisma/migrations/20260630005335_add_oauth_scope_to_authorization_code/migration.sql`:
- Line 2: The new scope field for OAuth authorization codes is defaulting to an
empty string, which will propagate the wrong scope into tokens; update the
authorization-code migration to backfill with the canonical MCP scope instead,
and make the same default change in the Prisma schema so
`OAuthAuthorizationCode` consistently uses `mcp` for existing and future rows.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c8407ea-82ef-47b6-a4be-2bea5dd475d4

📥 Commits

Reviewing files that changed from the base of the PR and between 6e14b50 and 17f79b3.

📒 Files selected for processing (11)
  • packages/db/prisma/migrations/20260630005335_add_oauth_scope_to_authorization_code/migration.sql
  • packages/db/prisma/schema.prisma
  • packages/web/src/app/oauth/authorize/components/consentScreen.tsx
  • packages/web/src/app/oauth/authorize/page.tsx
  • packages/web/src/ee/features/oauth/actions.ts
  • packages/web/src/ee/features/oauth/constants.ts
  • packages/web/src/ee/features/oauth/server.test.ts
  • packages/web/src/ee/features/oauth/server.ts
  • packages/web/src/ee/features/oauth/utils.test.ts
  • packages/web/src/ee/features/oauth/utils.ts
  • packages/web/src/middleware/withAuth.ts
✅ Files skipped from review due to trivial changes (1)
  • packages/web/src/ee/features/oauth/constants.ts
🚧 Files skipped from review as they are similar to previous changes (4)
  • packages/web/src/ee/features/oauth/actions.ts
  • packages/web/src/app/oauth/authorize/page.tsx
  • packages/web/src/app/oauth/authorize/components/consentScreen.tsx
  • packages/web/src/middleware/withAuth.ts

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/web/src/app/api/(server)/ee/mcp/route.ts (1)

34-45: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Escape quoted WWW-Authenticate parameter values.

Line 44 injects error.message inside a quoted auth-param without escaping quotes or backslashes, which can produce a malformed OAuth challenge.

Proposed fix
+function quoteAuthParam(value: string): string {
+    return `"${value.replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;
+}
+
 function mcpOAuthChallenge(scheme: 'Bearer' | 'DPoP', error: ServiceError): string {
     const issuer = env.AUTH_URL.replace(/\/$/, '');
     const params = [
-        'realm="Sourcebot"',
-        `resource_metadata_uri="${issuer}/.well-known/oauth-protected-resource/api/mcp"`,
-        `scope="${SOURCEBOT_MCP_OAUTH_SCOPE}"`,
+        `realm=${quoteAuthParam('Sourcebot')}`,
+        `resource_metadata_uri=${quoteAuthParam(`${issuer}/.well-known/oauth-protected-resource/api/mcp`)}`,
+        `scope=${quoteAuthParam(SOURCEBOT_MCP_OAUTH_SCOPE)}`,
     ];
 
     if (error.errorCode === ErrorCode.OAUTH_INSUFFICIENT_SCOPE) {
         params.push('error="insufficient_scope"');
-        params.push(`error_description="${error.message}"`);
+        params.push(`error_description=${quoteAuthParam(error.message)}`);
     }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/app/api/`(server)/ee/mcp/route.ts around lines 34 - 45, The
mcpOAuthChallenge helper is building a quoted WWW-Authenticate challenge value
with raw error.message, which can break the header when the message contains
quotes or backslashes. Update mcpOAuthChallenge to escape auth-param values
before pushing error_description (and any other quoted params) into the params
array, using a small helper or inline escaping in the same function. Keep the
fix localized to mcpOAuthChallenge and ensure the resulting header string
remains valid for OAuth errors.
🧹 Nitpick comments (1)
packages/web/src/app/api/(server)/ee/mcp/route.ts (1)

115-115: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Use the canonical MCP OAuth scope constant for enforcement.

The challenge advertises SOURCEBOT_MCP_OAUTH_SCOPE, but the route enforces a separate 'mcp' literal. Use the same constant to avoid contract drift.

Proposed fix
-        }, { requiredOAuthScopes: ['mcp'] })
+        }, { requiredOAuthScopes: [SOURCEBOT_MCP_OAUTH_SCOPE] })
...
-        }, { requiredOAuthScopes: ['mcp'] })
+        }, { requiredOAuthScopes: [SOURCEBOT_MCP_OAUTH_SCOPE] })

Also applies to: 159-159

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/app/api/`(server)/ee/mcp/route.ts at line 115, The MCP route
is enforcing a hardcoded 'mcp' OAuth scope instead of the canonical
SOURCEBOT_MCP_OAUTH_SCOPE constant, which can drift from the advertised
challenge scope. Update the requiredOAuthScopes configuration in the MCP route
handler to use SOURCEBOT_MCP_OAUTH_SCOPE everywhere the scope is enforced,
including the other matching location in this file, so the challenge and route
stay aligned.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@packages/web/src/app/api/`(server)/ee/mcp/route.ts:
- Around line 34-45: The mcpOAuthChallenge helper is building a quoted
WWW-Authenticate challenge value with raw error.message, which can break the
header when the message contains quotes or backslashes. Update mcpOAuthChallenge
to escape auth-param values before pushing error_description (and any other
quoted params) into the params array, using a small helper or inline escaping in
the same function. Keep the fix localized to mcpOAuthChallenge and ensure the
resulting header string remains valid for OAuth errors.

---

Nitpick comments:
In `@packages/web/src/app/api/`(server)/ee/mcp/route.ts:
- Line 115: The MCP route is enforcing a hardcoded 'mcp' OAuth scope instead of
the canonical SOURCEBOT_MCP_OAUTH_SCOPE constant, which can drift from the
advertised challenge scope. Update the requiredOAuthScopes configuration in the
MCP route handler to use SOURCEBOT_MCP_OAUTH_SCOPE everywhere the scope is
enforced, including the other matching location in this file, so the challenge
and route stay aligned.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6cd0d0ab-85c8-4807-b647-11fec66e2cb5

📥 Commits

Reviewing files that changed from the base of the PR and between 17f79b3 and 090a2ae.

📒 Files selected for processing (4)
  • packages/web/src/app/api/(server)/ee/mcp/route.ts
  • packages/web/src/ee/features/oauth/constants.ts
  • packages/web/src/ee/features/oauth/server.ts
  • packages/web/src/middleware/withAuth.ts
🚧 Files skipped from review as they are similar to previous changes (2)
  • packages/web/src/ee/features/oauth/constants.ts
  • packages/web/src/middleware/withAuth.ts

@brendan-kellam brendan-kellam changed the title SOU-948: Validate OAuth scopes for MCP access chore(web): Validate OAuth scopes for MCP access Jun 30, 2026
@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

License Audit

Status: FAIL

Metric Count
Total packages 2224
Resolved (non-standard) 17
Unresolved 4
Strong copyleft 0
Weak copyleft 39

Fail Reasons

  • 4 packages have unresolvable licenses: @react-grab/cli@0.1.23, @react-grab/cli@0.1.29, @react-grab/mcp@0.1.29, element-source@0.0.3

Unresolved Packages

Package Version License Reason
@react-grab/cli 0.1.23 UNKNOWN No license field on npm registry, no repository or homepage URL, and no LICENSE file could be located.
@react-grab/cli 0.1.29 UNKNOWN No license field on npm registry, no repository or homepage URL, and no LICENSE file could be located.
@react-grab/mcp 0.1.29 UNKNOWN No license field on npm registry, no repository or homepage URL, and no LICENSE file could be located.
element-source 0.0.3 UNKNOWN No license field on npm registry, no repository or homepage URL, and no LICENSE file could be located.

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.11 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (17)
Package Version Original Resolved Source
khroma 2.1.0 UNKNOWN MIT GitHub repo (fabiospampinato/khroma LICENSE)
valid-url 1.0.9 UNKNOWN MIT GitHub repo (ogt/valid-url LICENSE file states MIT)
map-stream 0.1.0 UNKNOWN MIT GitHub repo (dominictarr/map-stream LICENSE)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 GitHub repo (livebook-dev/codemirror-lang-elixir LICENSE)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 GitHub repo (livebook-dev/lezer-elixir LICENSE)
memorystream 0.3.1 UNKNOWN MIT extracted from object (npm 'licenses' field: [{type:'MIT',...}])
pause-stream 0.0.11 ["MIT","Apache2"] MIT OR Apache-2.0 extracted from object (npm 'license' array ["MIT","Apache2"])
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo (PostHog/posthog-js LICENSE; primary Apache-2.0 with MIT for vendored code)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT, Functional Source License)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT npm registry (confirmed FSL-1.1-MIT)

@brendan-kellam brendan-kellam merged commit ff4b389 into main Jul 1, 2026
10 of 11 checks passed
@brendan-kellam brendan-kellam deleted the brendan/sou-948-access-token-scope-validation-in-resource-server branch July 1, 2026 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant