tuannvm · WhammyLeaf · Nov 24, 2025
diff --git a/config.go b/config.go
@@ -2,6 +2,7 @@ package oauth
 
 import (
 	"fmt"
+	"strconv"
 
 	"github.com/tuannvm/oauth-mcp-proxy/provider"
 )
@@ -31,6 +32,11 @@ type Config struct {
 	// Implement the Logger interface (Debug, Info, Warn, Error methods) to
 	// integrate with your application's logging system (e.g., zap, logrus).
 	Logger Logger
+
+	// Validation skip configuration
+	SkipIssuerCheck   bool
+	SkipAudienceCheck bool
+	SkipExpiryCheck   bool
 }
 
 // Validate validates the configuration
@@ -119,11 +125,14 @@ func SetupOAuth(cfg *Config) (provider.TokenValidator, error) {
 func createValidator(cfg *Config, logger Logger) (provider.TokenValidator, error) {
 	// Convert root Config to provider.Config
 	providerCfg := &provider.Config{
-		Provider:  cfg.Provider,
-		Issuer:    cfg.Issuer,
-		Audience:  cfg.Audience,
-		JWTSecret: cfg.JWTSecret,
-		Logger:    logger,
+		Provider:          cfg.Provider,
+		Issuer:            cfg.Issuer,
+		Audience:          cfg.Audience,
+		JWTSecret:         cfg.JWTSecret,
+		Logger:            logger,
+		SkipIssuerCheck:   cfg.SkipIssuerCheck,
+		SkipAudienceCheck: cfg.SkipAudienceCheck,
+		SkipExpiryCheck:   cfg.SkipExpiryCheck,
 	}
 
 	var validator provider.TokenValidator
@@ -223,6 +232,24 @@ func (b *ConfigBuilder) WithLogger(logger Logger) *ConfigBuilder {
 	return b
 }
 
+// WithSkipIssuerCheck sets issuer check toggle
+func (b *ConfigBuilder) WithSkipIssuerCheck(skipIssuerCheck bool) *ConfigBuilder {
+	b.config.SkipIssuerCheck = skipIssuerCheck
+	return b
+}
+
+// WithSkipAudienceCheck sets audience check toggle
+func (b *ConfigBuilder) WithSkipAudienceCheck(skipAudienceCheck bool) *ConfigBuilder {
+	b.config.SkipAudienceCheck = skipAudienceCheck
+	return b
+}
+
+// WithSkipExpiryCheck sets expiry check toggle
+func (b *ConfigBuilder) WithSkipExpiryCheck(skipExpiryCheck bool) *ConfigBuilder {
+	b.config.SkipExpiryCheck = skipExpiryCheck
+	return b
+}
+
 // WithServerURL sets the full server URL directly
 func (b *ConfigBuilder) WithServerURL(url string) *ConfigBuilder {
 	b.config.ServerURL = url
@@ -289,7 +316,23 @@ func FromEnv() (*Config, error) {
 		WithAudience(getEnv("OIDC_AUDIENCE", "")).
 		WithClientID(getEnv("OIDC_CLIENT_ID", "")).
 		WithClientSecret(getEnv("OIDC_CLIENT_SECRET", "")).
+		WithSkipAudienceCheck(parseBoolEnv("OIDC_SKIP_AUDIENCE_CHECK", false)).
+		WithSkipIssuerCheck(parseBoolEnv("OIDC_SKIP_ISSUER_CHECK", false)).
+		WithSkipExpiryCheck(parseBoolEnv("OIDC_SKIP_EXPIRY_CHECK", false)).
 		WithServerURL(serverURL).
 		WithJWTSecret([]byte(jwtSecret)).
 		Build()
 }
+
+// parseBoolEnv parses a boolean environment variable
+func parseBoolEnv(key string, defaultVal bool) bool {
+	val := getEnv(key, "")
+	if val == "" {
+		return defaultVal
+	}
+	parsed, err := strconv.ParseBool(val)
+	if err != nil {
+		return defaultVal
+	}
+	return parsed
+}
diff --git a/provider/provider.go b/provider/provider.go
@@ -30,11 +30,14 @@ type Logger interface {
 
 // Config holds OAuth configuration (subset needed by provider)
 type Config struct {
-	Provider  string
-	Issuer    string
-	Audience  string
-	JWTSecret []byte
-	Logger    Logger
+	Provider          string
+	Issuer            string
+	Audience          string
+	JWTSecret         []byte
+	Logger            Logger
+	SkipIssuerCheck   bool
+	SkipAudienceCheck bool
+	SkipExpiryCheck   bool
 }
 
 // TokenValidator interface for OAuth token validation
@@ -90,7 +93,6 @@ func (v *HMACValidator) ValidateToken(ctx context.Context, tokenString string) (
 		}
 		return []byte(v.secret), nil
 	})
-
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse and validate token: %w", err)
 	}
@@ -204,9 +206,9 @@ func (v *OIDCValidator) Initialize(cfg *Config) error {
 	verifier := provider.Verifier(&oidc.Config{
 		ClientID:             cfg.Audience, // Note: go-oidc uses ClientID field for audience validation - see https://github.com/coreos/go-oidc/blob/v3/oidc/verify.go#L85
 		SupportedSigningAlgs: []string{oidc.RS256, oidc.ES256},
-		SkipClientIDCheck:    false, // Always validate if ClientID is provided
-		SkipExpiryCheck:      false, // Verify expiration
-		SkipIssuerCheck:      false, // Verify issuer
+		SkipClientIDCheck:    cfg.SkipAudienceCheck,
+		SkipExpiryCheck:      cfg.SkipExpiryCheck,
+		SkipIssuerCheck:      cfg.SkipIssuerCheck,
 	})
 
 	v.logger.Info("OAuth: OIDC validator initialized with audience validation: %s", cfg.Audience)