Fix token audience validation in separate auth mode

The auth server's /introspect endpoint now correctly sets the 'aud' field
to the resource server URL (BASE_URI) instead of the client ID. This ensures
proper audience validation when the MCP server verifies tokens in separate mode.

- Import BASE_URI in auth server
- Set aud to BASE_URI in introspection response
- Fixes "Token was not issued for this resource server" error

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: bhosmer-ant

auth-server/index.ts

@@ -6,7 +6,7 @@ import { EverythingAuthProvider } from '../src/auth/provider.js';
 import { handleFakeAuthorize, handleFakeAuthorizeRedirect } from '../src/handlers/fakeauth.js';
 import { redisClient } from '../src/redis.js';
 import { logger } from '../src/utils/logger.js';
-import { AUTH_SERVER_PORT, AUTH_SERVER_URL } from '../src/config.js';
+import { AUTH_SERVER_PORT, AUTH_SERVER_URL, BASE_URI } from '../src/config.js';
 
 const app = express();
 
@@ -101,7 +101,7 @@ app.post('/introspect', introspectRateLimit, express.urlencoded({ extended: fals
       userId: authInfo.extra?.userId, // Custom field for our implementation
       username: authInfo.extra?.username,
       iss: AUTH_SERVER_URL,
-      aud: authInfo.clientId,
+      aud: BASE_URI, // The resource server URL this token is intended for
       token_type: 'Bearer'
     });
 

package.json

@@ -15,7 +15,7 @@
     "dev:with-separate-auth": "concurrently -n \"AUTH,MCP\" -c \"yellow,cyan\" \"npm run dev:auth-server\" \"npm run dev:separate\"",
     "build": "tsc && npm run copy-static",
     "copy-static": "mkdir -p dist/src/static && cp -r src/static/* dist/src/static/",
-    "lint": "eslint src/ auth-server/",
+    "lint": "eslint src/ auth-server/ shared/",
     "test": "NODE_OPTIONS=--experimental-vm-modules jest",
     "test:integrated": "AUTH_MODE=integrated npm test",
     "test:separate": "AUTH_MODE=separate npm test",