fix: thread resource indicator through OAuth consent flow

The consent page extracted client_id, redirect_uri, scope, state, code_challenge from URL params but silently dropped `resource`. Without it the auth code had no resource binding, tokens were issued with audience=null, and the MCP handler's RFC 8707 audience check rejected every token — "There was a problem connecting TREK." Fix: extract `resource` from URLSearchParams and forward it through oauthApi.validate() and oauthApi.authorize(). Add the field to both API type signatures.
2026-06-21 14:21:46 +00:00 · 2026-05-05 13:48:43 +02:00
parent fb6eaaf06d
commit 8e14434a1b
2 changed files with 5 additions and 0 deletions
@@ -143,6 +143,7 @@ export const oauthApi = {
    state?: string
    code_challenge: string
    code_challenge_method: string
+    resource?: string
  }) => apiClient.get('/oauth/authorize/validate', { params }).then(r => r.data),

  /** Submit user consent (approve or deny) */
@@ -154,6 +155,7 @@ export const oauthApi = {
    code_challenge: string
    code_challenge_method: string
    approved: boolean
+    resource?: string
  }) => apiClient.post('/oauth/authorize', body).then(r => r.data),

  clients: {