### Problem statement

XMCP's `ProxyOAuthServerProvider` currently uses the OIDC `userinfo` endpoint as a fallback to validate access tokens when:

- A custom `verifyAccessToken` handler is not provided
- No stored token is found in memory or other storage
- JWT validation is not configured

This fallback incorrectly treats a successful `200 OK` from `/userinfo` as proof that the token is valid. This approach is problematic because:

- `/userinfo` is intended for OIDC clients to retrieve user profile claims — not for resource servers to validate tokens
- The fallback does not verify critical claims such as `aud`, `exp`, or `scope`
- The constructed `AccessToken` object omits important metadata (e.g., client ID and scopes)
### Proposed solution

Deprecate and remove `/userinfo` as a fallback mechanism in `verifyTokenWithProvider`.

Instead, prioritize:

- JWT validation using `jose` + JWKS (`createRemoteJWKSet`) for self-contained tokens
- RFC 7662 introspection for opaque tokens, using the already-defined `introspectionUrl`

If neither is configured, return an appropriate OAuth error.
### Benefits

- Correctness: Aligns with OAuth 2.0 and OIDC specs by separating identity endpoints from access token validation
- Security: Prevents accidental acceptance of tokens intended for different audiences or scopes
- Clarity: Makes it easier to reason about token validation behavior and avoids ambiguous fallback behavior
- Improved Authorization: Allows `scopes`, `client_id`, and `exp` to be properly enforced in all cases
### Implementation Notes

- This change would affect `verifyTokenWithProvider()` in `proxy-provider.ts`
- If backward compatibility is desired, support for `/userinfo` could be gated behind a deprecation warning or an explicit opt-in flag (e.g., `allowUserInfoFallback: true`)
- Developers relying on the fallback should be guided to implement `verifyAccessToken` themselves or migrate to JWT/introspection
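As an added illustration (not XMCP's code and not the proposed patch), the following sketches the JWT-first, introspection-second routing described above, with `aud`, `exp`, `scope` and `client_id` enforced and an `AccessToken` that carries that metadata. The signature checks are injected: `verifyJwt` stands in for jose's `jwtVerify` with `createRemoteJWKSet`, and `introspect` for an RFC 7662 POST to `introspectionUrl`; both, the option names and the `OAuthError` type are assumptions of this example.

```typescript
// Constructed example, not XMCP's code: the JWT-first / introspection-second routing the issue
// proposes, with aud, exp, scope and client_id enforced and an AccessToken that carries them.
// `verifyJwt` stands for jose's jwtVerify + createRemoteJWKSet, `introspect` for an RFC 7662
// POST to introspectionUrl; both are injected (assumed) rather than implemented here.
type Claims = { aud?: string | string[]; exp?: number; scope?: string; client_id?: string };
type IntrospectionResponse = Claims & { active: boolean };   // RFC 7662 section 2.2 fields
type AccessToken = { token: string; clientId: string; scopes: string[]; expiresAt: number };

class OAuthError extends Error {
  code: string;                     // OAuth error code to surface (e.g. invalid_token)
  constructor(code: string, message: string) { super(message); this.code = code; }
}

interface VerifyOptions {
  audience: string;                 // identifier of this resource server
  requiredScopes?: string[];        // scopes the protected operation needs
  now?: number;                     // seconds since epoch, injectable for tests
  verifyJwt?: (token: string) => Promise<Claims>;
  introspect?: (token: string) => Promise<IntrospectionResponse>;
}

// The checks a /userinfo 200 OK never gave us: audience, expiry, client binding and scope.
function enforceClaims(token: string, c: Claims, opts: VerifyOptions): AccessToken {
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const aud = Array.isArray(c.aud) ? c.aud : c.aud ? [c.aud] : [];
  if (!aud.includes(opts.audience)) throw new OAuthError("invalid_token", "audience mismatch");
  if (c.exp === undefined || c.exp <= now) throw new OAuthError("invalid_token", "token expired");
  if (!c.client_id) throw new OAuthError("invalid_token", "client_id missing");
  const scopes = (c.scope ?? "").split(" ").filter(Boolean);
  const missing = (opts.requiredScopes ?? []).filter((s) => !scopes.includes(s));
  if (missing.length) throw new OAuthError("insufficient_scope", `missing scope: ${missing.join(" ")}`);
  return { token, clientId: c.client_id, scopes, expiresAt: c.exp };
}

// A compact JWS has exactly three dot-separated segments; anything else is treated as opaque.
function looksLikeJwt(token: string): boolean { return token.split(".").length === 3; }

async function verifyAccessToken(token: string, opts: VerifyOptions): Promise<AccessToken> {
  if (opts.verifyJwt && looksLikeJwt(token)) {
    return enforceClaims(token, await opts.verifyJwt(token), opts);
  }
  if (opts.introspect) {
    const r = await opts.introspect(token);
    if (!r.active) throw new OAuthError("invalid_token", "token is not active");
    return enforceClaims(token, r, opts);
  }
  // Neither validator configured: fail closed instead of consulting /userinfo.
  throw new OAuthError("server_error", "no access token validator configured");
}
```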
### Package

xmcp (core framework)