token_authority 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0e6a0810b0a8015aea5ada0e1bbb87596875c7641042281dac811fb3fc8bf0c
-  data.tar.gz: 76eda2d8230aca93850b6e025c0be79cfac68da48159bbcb7f34e9f102229649
+  metadata.gz: 8989a407b702176b74b3e121e4463dfc28e858097716c4cf6752f2ab54c78871
+  data.tar.gz: 1ecdecd8785d3f214e64359b4ab7e43ecb8630eb2af9237bb5a4d8a604d5227d
 SHA512:
-  metadata.gz: '069ecd5dc4b50ca9929192ea6d22084db1e5019fa4df90ebcacbc900f4385d88452f3abc108deaa3ce29a88a7c212095dbfc4f056968409983189c0f97292130'
-  data.tar.gz: 45ae89f8b90abffacc828544b9c910c40801cf93b65ce5a362faa28b01a242a565233d771f1a56b64e82765a89452ec4a45aacab42ce7883d98b120dbc11c3aa
+  metadata.gz: b3b4bbc0e464d6781255efe9b523d753abbe78843c5bec77c5057861eef157b112e099c4afbd8a073ef0f1d1f69fff1946f27dddb6d0ce95a9a91bb3e0bc6c34
+  data.tar.gz: 0615a3d781b577ebb433bc5e01cae57827a8fe5bad6a6866092ea44438526e81090c28a39b708120150610c34a544fb4a405f8d9331f16e18f7943a27e55df3a

data/CHANGELOG.md

@@ -1,5 +1,56 @@
 ## [Unreleased]
 
+## [0.3.0] - 2025-01-24
+
+### Added
+
+- Added support for multiple protected resources; applications can now define multiple protected resources under different subdomain constraints.
+- Added `issuer_url` method that returns either `token_issuer_url` or derives from `authorization_servers`
+- Added validation requiring either `token_issuer_url` or `:authorization_servers` on at least one resource
+
+### Breaking
+
+- Replaced `rfc_9728_*` config options with `config.resources` hash (keyed by symbol)
+- Replaced `token_authority_routes` with `token_authority_auth_server_routes` and `token_authority_protected_resource_route`
+- Removed `rfc_8707_resources` config option; resource allowlist is now derived from `config.resources`
+- Renamed `rfc_8707_require_resource` to `require_resource`
+- Renamed `rfc_8707_enabled?` method to `resources_enabled?`
+- Changed default for `require_scope` from `false` to `true`
+- Changed default for `require_resource` from `false` to `true`
+- Changed default for `token_audience_url` from application URL to `nil`
+- Changed default for `dcr_enabled` from `false` to `true`
+- Changed default for `token_issuer_url` from required to `nil`
+- When `token_audience_url` is nil, the `:resource` URL is used as the audience claim
+- When `token_issuer_url` is nil, it's derived from the first resource's `:authorization_servers`
+- Renamed configuration options to remove RFC number prefixes:
+  - `rfc_9068_audience_url` → `token_audience_url`
+  - `rfc_9068_issuer_url` → `token_issuer_url`
+  - `rfc_9068_default_access_token_duration` → `default_access_token_duration`
+  - `rfc_9068_default_refresh_token_duration` → `default_refresh_token_duration`
+  - `rfc_8414_service_documentation` → `authorization_server_documentation`
+  - `rfc_7591_enabled` → `dcr_enabled`
+  - `rfc_7591_require_initial_access_token` → `dcr_require_initial_access_token`
+  - `rfc_7591_initial_access_token_validator` → `dcr_initial_access_token_validator`
+  - `rfc_7591_allowed_grant_types` → `dcr_allowed_grant_types`
+  - `rfc_7591_allowed_response_types` → `dcr_allowed_response_types`
+  - `rfc_7591_allowed_scopes` → `dcr_allowed_scopes`
+  - `rfc_7591_allowed_token_endpoint_auth_methods` → `dcr_allowed_token_endpoint_auth_methods`
+  - `rfc_7591_client_secret_expiration` → `dcr_client_secret_expiration`
+  - `rfc_7591_software_statement_jwks` → `dcr_software_statement_jwks`
+  - `rfc_7591_software_statement_required` → `dcr_software_statement_required`
+  - `rfc_7591_jwks_cache_ttl` → `dcr_jwks_cache_ttl`
+
+## [0.2.1] - 2025-01-24
+
+### Fixes
+
+- Implemented support for all mandatory access token JWT claims
+- Disable turbo on consent screen to allow redirects
+
+### Documentation
+
+- Update README to include link to MCP Quickstart guide.
+
 ## [0.2.0] - 2025-01-23
 
 - Implemented support for OAuth 2.1 authorization flows and JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens (RFC 9068).
@@ -18,6 +69,8 @@
 
 - Initial release
 
-[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.2.0...HEAD
+[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.3.0...HEAD
+[0.2.1]: https://github.com/dickdavis/token_authority/compare/v0.2.1...v0.3.0
+[0.2.1]: https://github.com/dickdavis/token_authority/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/dickdavis/token_authority/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/dickdavis/token_authority/releases/tag/v0.1.0

data/README.md

@@ -1,8 +1,6 @@
 # TokenAuthority
 
-Rails engine allowing apps to act as their own OAuth 2.1 provider. The goal of this project is to make authorization dead simple for MCP server developers.
-
-This project aims to implement the OAuth standards specified in the [MCP Authorization Specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#standards-compliance).
+Rails engine allowing apps to act as their own OAuth 2.1 provider. The goal of this project is to make standards-based authorization as simple as possible.
 
 | Status | Standard |
 |--------|----------|
@@ -16,7 +14,7 @@ This project aims to implement the OAuth standards specified in the [MCP Authori
 
 ## Usage
 
-TokenAuthority is simple to install and configure.
+TokenAuthority is simple to install and configure. For MCP server developers, see the [MCP Quickstart](https://github.com/dickdavis/token_authority/wiki/MCP-Quickstart) guide for a complete working example.
 
 ### Installation
 
@@ -38,22 +36,35 @@ See the [Installation Guide](https://github.com/dickdavis/token_authority/wiki/I
 
 ### Configuration
 
-Configure TokenAuthority in the generated initializer. The following represents a minimal configuration:
+Configure TokenAuthority in the generated initializer. TokenAuthority is configured with dynamic client registration, client metadata documents, and resource indicators enabled by default. The following represents a minimal configuration:
 
 ```ruby
 # config/initializers/token_authority.rb
 TokenAuthority.configure do |config|
-  # The secret key used for encryption/decryption
+  # The secret key used for signing JWT tokens
   config.secret_key = Rails.application.credentials.secret_key_base
-  # The URI for the protected resource (to be included in tokens and metadata)
-  config.rfc_9068_audience_url = "https://example.com/api/"
-  # The URI for the authorization server (to be included in tokens and metadata)
-  config.rfc_9068_issuer_url = "https://example.com/"
-  # Define available scopes and their descriptions (shown on consent screen)
+
+  # Define available scopes (required by default)
   config.scopes = {
     "read" => "Read your data",
-    "write" => "Create and modify your data",
-    "delete" => "Delete your data"
+    "write" => "Create and modify your data"
+  }
+
+  # Define protected resources (required by default)
+  # :resource is used as the audience (aud) claim in tokens
+  # :authorization_servers provides the issuer (iss) claim
+  config.resources = {
+    api: {
+      resource: "https://example.com/api",
+      resource_name: "My API",
+      scopes_supported: %w[read write],
+      authorization_servers: ["https://example.com"],
+      bearer_methods_supported: ["header"],
+      jwks_uri: "https://example.com/.well-known/jwks.json",
+      resource_documentation: "https://example.com/docs/api",
+      resource_policy_uri: "https://example.com/privacy",
+      resource_tos_uri: "https://example.com/terms"
+    }
   }
 end
 ```
@@ -66,7 +77,8 @@ Add the engine routes to your `config/routes.rb`:
 
 ```ruby
 Rails.application.routes.draw do
-  token_authority_routes
+  token_authority_auth_server_routes
+  token_authority_protected_resource_route
 end
 ```
 
@@ -79,10 +91,36 @@ To mount the engine at a different path, use the `at` option:
 
 ```ruby
 Rails.application.routes.draw do
-  token_authority_routes(at: "/auth")
+  token_authority_auth_server_routes(at: "/auth")
+  token_authority_protected_resource_route
 end
 ```
 
+For applications with multiple protected resources, each resource must be on its own subdomain. This is because RFC 9728 defines a fixed well-known path (`/.well-known/oauth-protected-resource`) that can only exist once per host:
+
+```ruby
+Rails.application.routes.draw do
+  token_authority_auth_server_routes
+
+  constraints subdomain: "api" do
+    token_authority_protected_resource_route
+  end
+
+  constraints subdomain: "mcp" do
+    token_authority_protected_resource_route
+  end
+end
+```
+
+> **Development Note:** Rails subdomain constraints require a real domain with proper DNS resolution. Use `lvh.me` (which resolves to `127.0.0.1`) for local development: `mcp.lvh.me:3000`, `api.lvh.me:3000`, etc. You'll also need to allow these hosts in your development config:
+>
+> ```ruby
+> # config/environments/development.rb
+> config.hosts << /.*\.lvh\.me/
+> ```
+>
+> See the [Installation Guide](https://github.com/dickdavis/token_authority/wiki/Installation-Guide#subdomain-development-setup) for details.
+
 ### User Consent
 
 Before issuing authorization codes, TokenAuthority displays a consent screen where users can approve or deny access to OAuth clients. The consent views are fully customizable and the layout is configurable—see [Customizing Views](https://github.com/dickdavis/token_authority/wiki/Customizing-Views) for details.

data/app/controllers/concerns/token_authority/initial_access_token_authentication.rb

@@ -13,14 +13,14 @@ module TokenAuthority
     private
 
     def initial_access_token_required?
-      TokenAuthority.config.rfc_7591_require_initial_access_token
+      TokenAuthority.config.dcr_require_initial_access_token
     end
 
     def authenticate_initial_access_token
       token = extract_bearer_token
       raise TokenAuthority::InvalidInitialAccessTokenError if token.blank?
 
-      validator = TokenAuthority.config.rfc_7591_initial_access_token_validator
+      validator = TokenAuthority.config.dcr_initial_access_token_validator
       raise TokenAuthority::InvalidInitialAccessTokenError unless validator&.call(token)
     end
 

data/app/controllers/concerns/token_authority/token_authentication.rb

@@ -84,7 +84,7 @@ module TokenAuthority
     # @return [User] the user from the configured user_class
     # @api private
     def token_user
-      @token_user ||= TokenAuthority.config.user_class.constantize.find(@decoded_token.user_id)
+      @token_user ||= TokenAuthority.config.user_class.constantize.find(@decoded_token.sub)
     end
 
     # Returns the scopes granted in the authenticated token.

data/app/controllers/token_authority/protected_resource_metadata_controller.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Serves RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource
+  #
+  # This controller enables OAuth clients to discover metadata about protected resources
+  # without requiring manual configuration. Clients can query this endpoint to learn:
+  # - Which authorization servers issue tokens for this resource
+  # - What scopes are supported
+  # - How to present bearer tokens (header vs body)
+  # - Where to find public keys for token verification
+  #
+  # The subdomain extraction strategy supports multi-tenant deployments where different
+  # subdomains represent different protected resources (e.g., api.example.com vs
+  # mcp.example.com). Returns 404 if no configuration exists for the subdomain.
+  #
+  # @see https://www.rfc-editor.org/rfc/rfc9728.html RFC 9728
+  # @since 0.3.0
+  class ProtectedResourceMetadataController < ActionController::API
+    # Returns metadata for the protected resource identified by request subdomain.
+    #
+    # The subdomain is extracted from the request and used to look up configuration.
+    # For requests without a subdomain (bare domain), uses the default protected_resource
+    # configuration if present. This allows both single-resource and multi-resource
+    # deployments with the same code.
+    #
+    # @return [JSON] RFC 9728 compliant metadata response
+    # @return [HTTP 404] if no configuration exists for this subdomain
+    def show
+      metadata = ProtectedResourceMetadata.new(resource: request.subdomain)
+      render json: metadata.to_h
+    rescue ResourceNotConfiguredError
+      # Return 404 rather than 500 because this is a client error: they're querying
+      # a subdomain that hasn't been configured as a protected resource
+      head :not_found
+    end
+  end
+end

data/app/helpers/token_authority/authorization_grants_helper.rb

@@ -3,14 +3,13 @@
 module TokenAuthority
   module AuthorizationGrantsHelper
     # Returns a human-friendly display name for a resource URI.
-    # Looks up the URI in the configured rfc_8707_resources mapping.
+    # Looks up the URI in the resource registry derived from protected resources.
     # Falls back to the URI itself if no mapping is configured.
     #
     # @param resource_uri [String] The resource URI
     # @return [String] The display name or the URI if no mapping exists
     def resource_display_name(resource_uri)
-      resources = TokenAuthority.config.rfc_8707_resources || {}
-      resources[resource_uri] || resource_uri
+      TokenAuthority.config.resource_registry[resource_uri] || resource_uri
     end
 
     # Returns a human-friendly display name for a scope.

data/app/models/concerns/token_authority/claim_validatable.rb

@@ -21,8 +21,8 @@ module TokenAuthority
     extend ActiveSupport::Concern
 
     # JWT claims that should trigger session revocation when invalid.
-    # These represent security violations like wrong audience or issuer.
-    REVOCABLE_CLAIMS = %i[aud iss user_id].freeze
+    # These represent security violations like wrong audience, issuer, or subject.
+    REVOCABLE_CLAIMS = %i[aud iss sub].freeze
 
     # JWT claims that should trigger session expiration when invalid.
     # Currently only includes the exp (expiration time) claim.
@@ -37,7 +37,7 @@ module TokenAuthority
 
       validates :jti, presence: true
 
-      validates :aud, presence: true, format: {with: /\A#{TokenAuthority.config.rfc_9068_audience_url}*/}
+      validates :aud, presence: true, format: {with: /\A#{TokenAuthority.config.audience_url}*/}
 
       validates :exp, presence: true
       validate do
@@ -46,7 +46,7 @@ module TokenAuthority
         errors.add(:exp, :expired) if Time.zone.now > Time.zone.at(exp)
       end
 
-      validates :iss, presence: true, format: {with: /\A#{TokenAuthority.config.rfc_9068_issuer_url}\z/}
+      validates :iss, presence: true, format: {with: /\A#{TokenAuthority.config.issuer_url}\z/}
 
       after_validation :expire_token_authority_session, if: :errors_for_expirable_claims?
       after_validation :revoke_token_authority_session, if: :errors_for_revocable_claims?

data/app/models/concerns/token_authority/resourceable.rb

@@ -88,9 +88,9 @@ module TokenAuthority
     # @return [Boolean] true if all resources are allowed
     # @api private
     def allowed_resources?
-      return true unless TokenAuthority.config.rfc_8707_enabled?
+      return true unless TokenAuthority.config.resources_enabled?
 
-      resources.all? { |uri| TokenAuthority.config.rfc_8707_resources.key?(uri) }
+      resources.all? { |uri| TokenAuthority.config.resource_registry.key?(uri) }
     end
 
     # Checks if the current resources are a subset of the granted resources.

data/app/models/concerns/token_authority/session_creatable.rb

@@ -78,7 +78,7 @@ module TokenAuthority
 
       instrument("session.create") do
         access_token_expiration = client.access_token_duration.seconds.from_now.to_i
-        access_token = TokenAuthority::AccessToken.default(user_id:, exp: access_token_expiration, resources:, scopes:)
+        access_token = TokenAuthority::AccessToken.default(user_id:, client_id: client.public_id, exp: access_token_expiration, resources:, scopes:)
 
         refresh_token_expiration = client.refresh_token_duration.seconds.from_now.to_i
         refresh_token = TokenAuthority::RefreshToken.default(exp: refresh_token_expiration, resources:, scopes:)

data/app/models/token_authority/access_token.rb

@@ -8,8 +8,7 @@ module TokenAuthority
   # (JWT ID) is stored in the Session model for revocation lookups.
   #
   # The tokens follow RFC 9068 JWT Profile for OAuth Access Tokens, including
-  # standard claims (iss, aud, exp, iat, jti) plus custom claims like user_id
-  # and scope.
+  # standard claims (iss, sub, aud, exp, iat, jti, client_id) plus the scope claim.
   #
   # This is an ActiveModel object (not ActiveRecord) that provides validation
   # and serialization of JWT claims without database persistence.
@@ -18,6 +17,7 @@ module TokenAuthority
   #   token = TokenAuthority::AccessToken.default(
   #     exp: 5.minutes.from_now,
   #     user_id: 42,
+  #     client_id: "550e8400-e29b-41d4-a716-446655440000",
   #     resources: ["https://api.example.com"],
   #     scopes: ["read", "write"]
   #   )
@@ -31,17 +31,22 @@ module TokenAuthority
   class AccessToken
     include TokenAuthority::ClaimValidatable
 
-    # @!attribute [rw] user_id
-    #   The ID of the user this token grants access for.
-    #   @return [Integer]
-    attr_accessor :user_id
+    # @!attribute [rw] sub
+    #   The subject identifier (resource owner) per RFC 9068.
+    #   @return [String]
+    attr_accessor :sub
+
+    # @!attribute [rw] client_id
+    #   The OAuth client identifier per RFC 9068/RFC 8693.
+    #   @return [String]
+    attr_accessor :client_id
 
     # @!attribute [rw] scope
     #   Space-separated list of OAuth scopes granted to this token.
     #   @return [String, nil]
     attr_accessor :scope
 
-    validates :user_id, presence: true, comparison: {equal_to: :user_id_from_token_authority_session}
+    validates :sub, presence: true, comparison: {equal_to: :sub_from_token_authority_session}
 
     # Creates a new access token with default claims per RFC 9068.
     #
@@ -49,7 +54,8 @@ module TokenAuthority
     # otherwise falls back to the configured default audience URL.
     #
     # @param exp [Time, Integer] token expiration time
-    # @param user_id [Integer] the user ID
+    # @param user_id [Integer] the user ID (converted to string for sub claim)
+    # @param client_id [String] the OAuth client identifier
     # @param resources [Array<String>] resource indicators (RFC 8707)
     # @param scopes [Array<String>] OAuth scopes to include
     #
@@ -59,15 +65,16 @@ module TokenAuthority
     #   token = AccessToken.default(
     #     exp: 5.minutes.from_now,
     #     user_id: 123,
+    #     client_id: "550e8400-e29b-41d4-a716-446655440000",
     #     resources: ["https://api.example.com"],
     #     scopes: ["read", "write"]
     #   )
-    def self.default(exp:, user_id:, resources: [], scopes: [])
+    def self.default(exp:, user_id:, client_id:, resources: [], scopes: [])
       # Use resources for aud claim if provided, otherwise fall back to config
       aud = if resources.any?
         (resources.size == 1) ? resources.first : resources
       else
-        TokenAuthority.config.rfc_9068_audience_url
+        TokenAuthority.config.audience_url
       end
 
       scope_claim = scopes.any? ? scopes.join(" ") : nil
@@ -76,9 +83,10 @@ module TokenAuthority
         aud:,
         exp:,
         iat: Time.zone.now.to_i,
-        iss: TokenAuthority.config.rfc_9068_issuer_url,
+        iss: TokenAuthority.config.issuer_url,
         jti: SecureRandom.uuid,
-        user_id:,
+        sub: user_id.to_s,
+        client_id:,
         scope: scope_claim
       )
     end
@@ -93,7 +101,7 @@ module TokenAuthority
     #
     # @example
     #   token = AccessToken.from_token(jwt_string)
-    #   user_id = token.user_id
+    #   subject = token.sub
     def self.from_token(token)
       new(TokenAuthority::JsonWebToken.decode(token))
     end
@@ -104,7 +112,7 @@ module TokenAuthority
     #
     # @return [Hash] the JWT claims
     def to_h
-      {aud:, exp:, iat:, iss:, jti:, user_id:, scope:}.compact
+      {aud:, exp:, iat:, iss:, jti:, sub:, client_id:, scope:}.compact
     end
 
     # Encodes the token as a signed JWT string.
@@ -116,12 +124,12 @@ module TokenAuthority
 
     private
 
-    # Returns the user_id from the associated session for validation.
+    # Returns the subject (user_id as string) from the associated session for validation.
     #
-    # @return [Integer, nil]
+    # @return [String, nil]
     # @api private
-    def user_id_from_token_authority_session
-      token_authority_session&.user_id
+    def sub_from_token_authority_session
+      token_authority_session&.user_id&.to_s
     end
   end
 end

data/app/models/token_authority/access_token_request.rb

@@ -141,7 +141,7 @@ module TokenAuthority
       return if resources.empty?
 
       # If resources are provided but feature is disabled, reject them
-      unless TokenAuthority.config.rfc_8707_enabled?
+      unless TokenAuthority.config.resources_enabled?
         errors.add(:resources, :not_allowed)
         return
       end

data/app/models/token_authority/authorization_request.rb

@@ -225,7 +225,7 @@ module TokenAuthority
 
     def resources_must_be_valid
       # Check if resource is required
-      if TokenAuthority.config.rfc_8707_require_resource && resources.empty?
+      if TokenAuthority.config.require_resource && resources.empty?
         errors.add(:resources, :required)
         return
       end
@@ -233,7 +233,7 @@ module TokenAuthority
       return if resources.empty?
 
       # If resources are provided but feature is disabled, reject them
-      unless TokenAuthority.config.rfc_8707_enabled?
+      unless TokenAuthority.config.resources_enabled?
         errors.add(:resources, :not_allowed)
         return
       end

data/app/models/token_authority/authorization_server_metadata.rb

@@ -61,7 +61,7 @@ module TokenAuthority
       metadata[:service_documentation] = service_documentation if service_documentation.present?
 
       # RFC 7591 Dynamic Client Registration
-      if TokenAuthority.config.rfc_7591_enabled
+      if TokenAuthority.config.dcr_enabled
         metadata[:registration_endpoint] = "#{issuer}#{@mount_path}/register"
       end
 
@@ -74,7 +74,7 @@ module TokenAuthority
     # @return [String]
     # @api private
     def issuer
-      TokenAuthority.config.rfc_9068_issuer_url.to_s.chomp("/")
+      TokenAuthority.config.issuer_url.to_s.chomp("/")
     end
 
     # Returns the list of supported scopes from configuration.
@@ -88,14 +88,14 @@ module TokenAuthority
     # @return [String, nil]
     # @api private
     def service_documentation
-      TokenAuthority.config.rfc_8414_service_documentation
+      TokenAuthority.config.authorization_server_documentation
     end
 
     # Returns the supported token endpoint authentication methods.
     # @return [Array<String>]
     # @api private
     def token_endpoint_auth_methods_supported
-      TokenAuthority.config.rfc_7591_allowed_token_endpoint_auth_methods
+      TokenAuthority.config.dcr_allowed_token_endpoint_auth_methods
     end
   end
 end

data/app/models/token_authority/client.rb

@@ -241,8 +241,8 @@ module TokenAuthority
     end
 
     def set_default_durations
-      self.access_token_duration ||= TokenAuthority.config.rfc_9068_default_access_token_duration
-      self.refresh_token_duration ||= TokenAuthority.config.rfc_9068_default_refresh_token_duration
+      self.access_token_duration ||= TokenAuthority.config.default_access_token_duration
+      self.refresh_token_duration ||= TokenAuthority.config.default_refresh_token_duration
     end
 
     def set_client_id_issued_at
@@ -251,9 +251,9 @@ module TokenAuthority
 
     def set_client_secret_expiration
       return if client_type == "public"
-      return unless TokenAuthority.config.rfc_7591_client_secret_expiration
+      return unless TokenAuthority.config.dcr_client_secret_expiration
 
-      self.client_secret_expires_at = Time.current + TokenAuthority.config.rfc_7591_client_secret_expiration
+      self.client_secret_expires_at = Time.current + TokenAuthority.config.dcr_client_secret_expiration
     end
 
     def generate_client_secret_for(secret_id)

data/app/models/token_authority/client_metadata_document.rb

@@ -47,11 +47,11 @@ module TokenAuthority
 
     # URL-based clients use default token durations from config
     def access_token_duration
-      TokenAuthority.config.rfc_9068_default_access_token_duration
+      TokenAuthority.config.default_access_token_duration
     end
 
     def refresh_token_duration
-      TokenAuthority.config.rfc_9068_default_refresh_token_duration
+      TokenAuthority.config.default_refresh_token_duration
     end
 
     # URL-based clients cannot have secrets

data/app/models/token_authority/client_registration_request.rb

@@ -72,7 +72,7 @@ module TokenAuthority
     def token_endpoint_auth_method_is_allowed
       return if token_endpoint_auth_method.blank?
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_token_endpoint_auth_methods
+      allowed = TokenAuthority.config.dcr_allowed_token_endpoint_auth_methods
       unless allowed.include?(token_endpoint_auth_method)
         errors.add(:token_endpoint_auth_method, "is not allowed: #{token_endpoint_auth_method}")
       end
@@ -82,7 +82,7 @@ module TokenAuthority
       return if grant_types.blank?
       return unless grant_types.is_a?(Array)
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_grant_types
+      allowed = TokenAuthority.config.dcr_allowed_grant_types
       disallowed = grant_types - allowed
       errors.add(:grant_types, "contains disallowed types: #{disallowed.join(", ")}") if disallowed.any?
     end
@@ -98,7 +98,7 @@ module TokenAuthority
     def scopes_are_allowed
       return if scope.blank?
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_scopes
+      allowed = TokenAuthority.config.dcr_allowed_scopes
       return if allowed.blank? # If no restrictions configured, allow all
 
       requested_scopes = scope.to_s.split(/\s+/).reject(&:blank?)
@@ -146,10 +146,10 @@ module TokenAuthority
     end
 
     def parse_software_statement
-      jwks = TokenAuthority.config.rfc_7591_software_statement_jwks
+      jwks = TokenAuthority.config.dcr_software_statement_jwks
       if jwks.present?
         SoftwareStatement.decode_and_verify(software_statement, jwks: jwks)
-      elsif TokenAuthority.config.rfc_7591_software_statement_required
+      elsif TokenAuthority.config.dcr_software_statement_required
         raise TokenAuthority::UnapprovedSoftwareStatementError
       else
         SoftwareStatement.decode(software_statement)

data/app/models/token_authority/jwks_fetcher.rb

@@ -55,7 +55,7 @@ module TokenAuthority
       end
 
       def store_in_cache(uri, jwks_data)
-        ttl = TokenAuthority.config.rfc_7591_jwks_cache_ttl
+        ttl = TokenAuthority.config.dcr_jwks_cache_ttl
         uri_hash = JwksCache.hash_uri(uri)
 
         JwksCache.find_or_initialize_by(uri_hash: uri_hash).tap do |cache|