What
modelcontextprotocol/go-sdk#970 (merged 2026-06-16) adds an exported helper:
oauthex.MatchesResource(claims []string, resource string) bool
It does the canonical RFC 9728 / RFC 8707 audience comparison — trailing-slash + whitespace tolerance across an aud slice — which is exactly the logic we currently hand-roll in go-mcp-oauth-sdk (the OAuth verifier/validator's audience check, added for the v1.6.0 "canonical trailing-slash resource URL; tolerant inbound aud" work).
Why this is a note, not a task yet
- #970 is only on go-sdk main — the latest released go-sdk is still v1.6.1, which we already pin. There's nothing to bump to right now.
- It's an additive convenience helper, not a bug/security fix. Our hand-rolled comparison works (verified live on otel: claude.ai connects with aud = https://otel-mcp.demo.altinity.cloud/, trailing-slash tolerated). We are not blocked.
When / what to do
Trigger: when dependabot opens the PR bumping github.com/modelcontextprotocol/go-sdk to a tagged release that includes #970.
Then: in go-mcp-oauth-sdk, replace the hand-rolled trailing-slash/whitespace audience comparison with oauthex.MatchesResource(...), drop the duplicated helper + its now-redundant tests, and re-pin altinity-mcp's go.mod to the new go-sdk + go-mcp-oauth-sdk versions. Same behavior, less code. Verify with the existing audience-tolerance tests + an otel e2e.
Filed from a maintainer note so the cleanup rides along with the dependabot bump instead of being forgotten.
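
For reference, a minimal sketch of the kind of tolerant audience comparison discussed above. It is an added example, not the go-sdk implementation of oauthex.MatchesResource and not the helper in go-mcp-oauth-sdk. The names normalize and audMatchesResource are hypothetical, and the rule shown (trim whitespace and one trailing slash, then require exact equality, failing closed on an empty resource) is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize trims surrounding whitespace and one trailing slash, so
// "https://host" and "https://host/ " compare equal. (Assumed rule.)
func normalize(s string) string {
	return strings.TrimSuffix(strings.TrimSpace(s), "/")
}

// audMatchesResource (hypothetical name) reports whether any aud claim equals
// the resource after normalization. Equality only, never prefix matching, so
// a sub-path or look-alike host in aud is rejected.
func audMatchesResource(claims []string, resource string) bool {
	want := normalize(resource)
	if want == "" {
		return false // fail closed: an empty resource matches nothing
	}
	for _, c := range claims {
		if normalize(c) == want {
			return true
		}
	}
	return false
}

func main() {
	const resource = "https://otel-mcp.demo.altinity.cloud/"
	// Constructed aud values for illustration.
	samples := [][]string{
		{"https://otel-mcp.demo.altinity.cloud"},
		{" https://otel-mcp.demo.altinity.cloud/ "},
		{"https://other.example", "https://otel-mcp.demo.altinity.cloud/"},
		{"https://otel-mcp.demo.altinity.cloud/admin"},
		{"https://otel-mcp.demo.altinity.cloud.attacker.example/"},
		{},
	}
	for _, aud := range samples {
		fmt.Printf("%-5v aud=%q\n", audMatchesResource(aud, resource), aud)
	}
}
```

When swapping in the upstream helper, running the same accept and reject cases against it confirms the tolerance did not widen into prefix or substring matching.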