Allow opting out of audience validation#535

Merged
DaleSeo merged 5 commits into main from AMS-151
Jan 6, 2026
Member

@DaleSeo DaleSeo commented Jan 5, 2026

Fixes #438

Problem

Previously, passing an empty audiences array in the auth config would cause JWT validation to fail. Users expected that an empty array would skip audience validation entirely, but the jsonwebtoken library's default behavior (validate_aud = true) caused tokens to be rejected.

Solution

Added an explicit allow_any_audience configuration option that follows the same pattern as CORS's allow_any_origin. When set to true, audience validation is skipped entirely.

auth:
  servers:
    - https://auth.example.com
    
  # Validate specific audiences (default)
  audiences: ["my-api"]
  allow_any_audience: false

  # Or skip audience validation entirely
  audiences: []
  allow_any_audience: true

Changes
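Added example, not part of this pull request or the project's code: a std-only Rust sketch of the decision the description above draws, where the opt-out comes only from the explicit flag and an empty `audiences` list keeps failing closed. The type and function names are hypothetical, and rejecting a token that carries no `aud` when audiences are configured is this sketch's own choice.

```rust
// Added example: hypothetical names, not the types used in apollo-mcp-server.
#[derive(Debug, PartialEq)]
enum AudiencePolicy {
    AllowAny,           // allow_any_audience: true
    OneOf(Vec<String>), // audiences: [...]
}

#[derive(Debug, PartialEq)]
enum AudError {
    MissingClaim, // sketch's own choice: no `aud` is rejected when audiences are enforced
    NoMatch,
}

struct AuthConfig {
    audiences: Vec<String>,
    allow_any_audience: bool,
}

impl AuthConfig {
    // Skipping the check requires the explicit flag; an empty list alone never disables it.
    fn policy(&self) -> AudiencePolicy {
        if self.allow_any_audience {
            AudiencePolicy::AllowAny
        } else {
            AudiencePolicy::OneOf(self.audiences.clone())
        }
    }
}

// `token_aud` holds the token's `aud` values (a JWT may carry one string or an
// array of strings); an empty slice stands for an absent claim.
fn check_audience(policy: &AudiencePolicy, token_aud: &[&str]) -> Result<(), AudError> {
    match policy {
        AudiencePolicy::AllowAny => Ok(()),
        AudiencePolicy::OneOf(_) if token_aud.is_empty() => Err(AudError::MissingClaim),
        AudiencePolicy::OneOf(expected) => {
            if token_aud.iter().any(|a| expected.iter().any(|e| e.as_str() == *a)) {
                Ok(())
            } else {
                Err(AudError::NoMatch) // also the outcome for every token when `expected` is empty
            }
        }
    }
}

fn main() {
    // Constructed sample configs mirroring the YAML above.
    let strict = AuthConfig { audiences: vec!["my-api".into()], allow_any_audience: false };
    let open = AuthConfig { audiences: vec![], allow_any_audience: true };
    println!("{:?}", check_audience(&strict.policy(), &["other-api"]));
    println!("{:?}", check_audience(&open.policy(), &["other-api"]));
}
```

With `allow_any_audience: true`, a token minted for a different service is accepted as far as the audience claim goes, so the remaining checks (issuer, signature, expiry) carry the whole decision.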

Contributor

apollo-librarian Bot commented Jan 5, 2026

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 2 changed, 0 removed
* (developer-tools)/apollo-mcp-server/(latest)/auth.mdx
* (developer-tools)/apollo-mcp-server/(latest)/config-file.mdx

Build ID: 85abac688091158dfcd28234
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/85abac688091158dfcd28234

@DaleSeo DaleSeo marked this pull request as ready for review January 5, 2026 17:21
@DaleSeo DaleSeo requested a review from a team as a code owner January 5, 2026 17:21
@DaleSeo DaleSeo self-assigned this Jan 5, 2026
Comment thread crates/apollo-mcp-server/src/auth/networked_token_validator.rs
Comment thread crates/apollo-mcp-server/src/auth/valid_token.rs
Comment thread crates/apollo-mcp-server/src/auth/valid_token.rs
Comment thread crates/apollo-mcp-server/src/auth.rs
Member Author

@DaleSeo DaleSeo left a comment

Thanks so much @gocamille for taking the time to dig into the code and think through the edge cases. 🙏 Looking forward to more reviews from you!

@DaleSeo DaleSeo requested a review from gocamille January 6, 2026 15:03
Contributor

@gocamille gocamille left a comment

Thank you very much for this PR @DaleSeo!

@DaleSeo DaleSeo merged commit 3f59ebb into main Jan 6, 2026
10 of 11 checks passed
@DaleSeo DaleSeo deleted the AMS-151 branch January 6, 2026 17:13
Development

Successfully merging this pull request may close these issues.

Allow empty audiences