token_authority 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1b6b1981cf717ab9e179f87aaea998642ad74315333c25ea3ea1e8e267d3a293
-  data.tar.gz: 25b6bb154158120808d02ab4f8c939c1d7f731f57db9e380167fe414ecaba7e0
+  metadata.gz: 8989a407b702176b74b3e121e4463dfc28e858097716c4cf6752f2ab54c78871
+  data.tar.gz: 1ecdecd8785d3f214e64359b4ab7e43ecb8630eb2af9237bb5a4d8a604d5227d
 SHA512:
-  metadata.gz: 9ce50536b44c5ef5063160808e7c93bc757f01b01f81f62c1ed0d3ba86da56d675c0d97e6fb3d944da4ac822925e5a7efc81dfef2c1adbc2094f9a43a4801af7
-  data.tar.gz: 476f43e644e3bf3b10aa57c3cff10e0bf2d1a73712b9cc0f2b9c89d306ec187e8663e3efd58582f5032f8f81f0ef8b5f46343daeb415b8e17a32ad047e2a38ee
+  metadata.gz: b3b4bbc0e464d6781255efe9b523d753abbe78843c5bec77c5057861eef157b112e099c4afbd8a073ef0f1d1f69fff1946f27dddb6d0ce95a9a91bb3e0bc6c34
+  data.tar.gz: 0615a3d781b577ebb433bc5e01cae57827a8fe5bad6a6866092ea44438526e81090c28a39b708120150610c34a544fb4a405f8d9331f16e18f7943a27e55df3a

data/CHANGELOG.md

@@ -1,5 +1,45 @@
 ## [Unreleased]
 
+## [0.3.0] - 2025-01-24
+
+### Added
+
+- Added support for multiple protected resources; applications can now define multiple protected resources under different subdomain constraints.
+- Added `issuer_url` method that returns either `token_issuer_url` or derives from `authorization_servers`
+- Added validation requiring either `token_issuer_url` or `:authorization_servers` on at least one resource
+
+### Breaking
+
+- Replaced `rfc_9728_*` config options with `config.resources` hash (keyed by symbol)
+- Replaced `token_authority_routes` with `token_authority_auth_server_routes` and `token_authority_protected_resource_route`
+- Removed `rfc_8707_resources` config option; resource allowlist is now derived from `config.resources`
+- Renamed `rfc_8707_require_resource` to `require_resource`
+- Renamed `rfc_8707_enabled?` method to `resources_enabled?`
+- Changed default for `require_scope` from `false` to `true`
+- Changed default for `require_resource` from `false` to `true`
+- Changed default for `token_audience_url` from application URL to `nil`
+- Changed default for `dcr_enabled` from `false` to `true`
+- Changed default for `token_issuer_url` from required to `nil`
+- When `token_audience_url` is nil, the `:resource` URL is used as the audience claim
+- When `token_issuer_url` is nil, it's derived from the first resource's `:authorization_servers`
+- Renamed configuration options to remove RFC number prefixes:
+  - `rfc_9068_audience_url` → `token_audience_url`
+  - `rfc_9068_issuer_url` → `token_issuer_url`
+  - `rfc_9068_default_access_token_duration` → `default_access_token_duration`
+  - `rfc_9068_default_refresh_token_duration` → `default_refresh_token_duration`
+  - `rfc_8414_service_documentation` → `authorization_server_documentation`
+  - `rfc_7591_enabled` → `dcr_enabled`
+  - `rfc_7591_require_initial_access_token` → `dcr_require_initial_access_token`
+  - `rfc_7591_initial_access_token_validator` → `dcr_initial_access_token_validator`
+  - `rfc_7591_allowed_grant_types` → `dcr_allowed_grant_types`
+  - `rfc_7591_allowed_response_types` → `dcr_allowed_response_types`
+  - `rfc_7591_allowed_scopes` → `dcr_allowed_scopes`
+  - `rfc_7591_allowed_token_endpoint_auth_methods` → `dcr_allowed_token_endpoint_auth_methods`
+  - `rfc_7591_client_secret_expiration` → `dcr_client_secret_expiration`
+  - `rfc_7591_software_statement_jwks` → `dcr_software_statement_jwks`
+  - `rfc_7591_software_statement_required` → `dcr_software_statement_required`
+  - `rfc_7591_jwks_cache_ttl` → `dcr_jwks_cache_ttl`
+
 ## [0.2.1] - 2025-01-24
 
 ### Fixes
@@ -29,7 +69,8 @@
 
 - Initial release
 
-[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.2.1...HEAD
+[Unreleased]: https://github.com/dickdavis/token_authority/compare/v0.3.0...HEAD
+[0.2.1]: https://github.com/dickdavis/token_authority/compare/v0.2.1...v0.3.0
 [0.2.1]: https://github.com/dickdavis/token_authority/compare/v0.2.0...v0.2.1
 [0.2.0]: https://github.com/dickdavis/token_authority/compare/v0.1.0...v0.2.0
 [0.1.0]: https://github.com/dickdavis/token_authority/releases/tag/v0.1.0

data/README.md

@@ -1,8 +1,6 @@
 # TokenAuthority
 
-Rails engine allowing apps to act as their own OAuth 2.1 provider. The goal of this project is to make authorization dead simple for MCP server developers.
-
-This project aims to implement the OAuth standards specified in the [MCP Authorization Specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#standards-compliance).
+Rails engine allowing apps to act as their own OAuth 2.1 provider. The goal of this project is to make standards-based authorization as simple as possible.
 
 | Status | Standard |
 |--------|----------|
@@ -38,22 +36,35 @@ See the [Installation Guide](https://github.com/dickdavis/token_authority/wiki/I
 
 ### Configuration
 
-Configure TokenAuthority in the generated initializer. The following represents a minimal configuration:
+Configure TokenAuthority in the generated initializer. TokenAuthority is configured with dynamic client registration, client metadata documents, and resource indicators enabled by default. The following represents a minimal configuration:
 
 ```ruby
 # config/initializers/token_authority.rb
 TokenAuthority.configure do |config|
-  # The secret key used for encryption/decryption
+  # The secret key used for signing JWT tokens
   config.secret_key = Rails.application.credentials.secret_key_base
-  # The URI for the protected resource (to be included in tokens and metadata)
-  config.rfc_9068_audience_url = "https://example.com/api/"
-  # The URI for the authorization server (to be included in tokens and metadata)
-  config.rfc_9068_issuer_url = "https://example.com/"
-  # Define available scopes and their descriptions (shown on consent screen)
+
+  # Define available scopes (required by default)
   config.scopes = {
     "read" => "Read your data",
-    "write" => "Create and modify your data",
-    "delete" => "Delete your data"
+    "write" => "Create and modify your data"
+  }
+
+  # Define protected resources (required by default)
+  # :resource is used as the audience (aud) claim in tokens
+  # :authorization_servers provides the issuer (iss) claim
+  config.resources = {
+    api: {
+      resource: "https://example.com/api",
+      resource_name: "My API",
+      scopes_supported: %w[read write],
+      authorization_servers: ["https://example.com"],
+      bearer_methods_supported: ["header"],
+      jwks_uri: "https://example.com/.well-known/jwks.json",
+      resource_documentation: "https://example.com/docs/api",
+      resource_policy_uri: "https://example.com/privacy",
+      resource_tos_uri: "https://example.com/terms"
+    }
   }
 end
 ```
@@ -66,7 +77,8 @@ Add the engine routes to your `config/routes.rb`:
 
 ```ruby
 Rails.application.routes.draw do
-  token_authority_routes
+  token_authority_auth_server_routes
+  token_authority_protected_resource_route
 end
 ```
 
@@ -79,10 +91,36 @@ To mount the engine at a different path, use the `at` option:
 
 ```ruby
 Rails.application.routes.draw do
-  token_authority_routes(at: "/auth")
+  token_authority_auth_server_routes(at: "/auth")
+  token_authority_protected_resource_route
 end
 ```
 
+For applications with multiple protected resources, each resource must be on its own subdomain. This is because RFC 9728 defines a fixed well-known path (`/.well-known/oauth-protected-resource`) that can only exist once per host:
+
+```ruby
+Rails.application.routes.draw do
+  token_authority_auth_server_routes
+
+  constraints subdomain: "api" do
+    token_authority_protected_resource_route
+  end
+
+  constraints subdomain: "mcp" do
+    token_authority_protected_resource_route
+  end
+end
+```
+
+> **Development Note:** Rails subdomain constraints require a real domain with proper DNS resolution. Use `lvh.me` (which resolves to `127.0.0.1`) for local development: `mcp.lvh.me:3000`, `api.lvh.me:3000`, etc. You'll also need to allow these hosts in your development config:
+>
+> ```ruby
+> # config/environments/development.rb
+> config.hosts << /.*\.lvh\.me/
+> ```
+>
+> See the [Installation Guide](https://github.com/dickdavis/token_authority/wiki/Installation-Guide#subdomain-development-setup) for details.
+
 ### User Consent
 
 Before issuing authorization codes, TokenAuthority displays a consent screen where users can approve or deny access to OAuth clients. The consent views are fully customizable and the layout is configurable—see [Customizing Views](https://github.com/dickdavis/token_authority/wiki/Customizing-Views) for details.

data/app/controllers/concerns/token_authority/initial_access_token_authentication.rb

@@ -13,14 +13,14 @@ module TokenAuthority
     private
 
     def initial_access_token_required?
-      TokenAuthority.config.rfc_7591_require_initial_access_token
+      TokenAuthority.config.dcr_require_initial_access_token
     end
 
     def authenticate_initial_access_token
       token = extract_bearer_token
       raise TokenAuthority::InvalidInitialAccessTokenError if token.blank?
 
-      validator = TokenAuthority.config.rfc_7591_initial_access_token_validator
+      validator = TokenAuthority.config.dcr_initial_access_token_validator
       raise TokenAuthority::InvalidInitialAccessTokenError unless validator&.call(token)
     end
 

data/app/controllers/token_authority/protected_resource_metadata_controller.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module TokenAuthority
+  ##
+  # Serves RFC 9728 Protected Resource Metadata at /.well-known/oauth-protected-resource
+  #
+  # This controller enables OAuth clients to discover metadata about protected resources
+  # without requiring manual configuration. Clients can query this endpoint to learn:
+  # - Which authorization servers issue tokens for this resource
+  # - What scopes are supported
+  # - How to present bearer tokens (header vs body)
+  # - Where to find public keys for token verification
+  #
+  # The subdomain extraction strategy supports multi-tenant deployments where different
+  # subdomains represent different protected resources (e.g., api.example.com vs
+  # mcp.example.com). Returns 404 if no configuration exists for the subdomain.
+  #
+  # @see https://www.rfc-editor.org/rfc/rfc9728.html RFC 9728
+  # @since 0.3.0
+  class ProtectedResourceMetadataController < ActionController::API
+    # Returns metadata for the protected resource identified by request subdomain.
+    #
+    # The subdomain is extracted from the request and used to look up configuration.
+    # For requests without a subdomain (bare domain), uses the default protected_resource
+    # configuration if present. This allows both single-resource and multi-resource
+    # deployments with the same code.
+    #
+    # @return [JSON] RFC 9728 compliant metadata response
+    # @return [HTTP 404] if no configuration exists for this subdomain
+    def show
+      metadata = ProtectedResourceMetadata.new(resource: request.subdomain)
+      render json: metadata.to_h
+    rescue ResourceNotConfiguredError
+      # Return 404 rather than 500 because this is a client error: they're querying
+      # a subdomain that hasn't been configured as a protected resource
+      head :not_found
+    end
+  end
+end

data/app/helpers/token_authority/authorization_grants_helper.rb

@@ -3,14 +3,13 @@
 module TokenAuthority
   module AuthorizationGrantsHelper
     # Returns a human-friendly display name for a resource URI.
-    # Looks up the URI in the configured rfc_8707_resources mapping.
+    # Looks up the URI in the resource registry derived from protected resources.
     # Falls back to the URI itself if no mapping is configured.
     #
     # @param resource_uri [String] The resource URI
     # @return [String] The display name or the URI if no mapping exists
     def resource_display_name(resource_uri)
-      resources = TokenAuthority.config.rfc_8707_resources || {}
-      resources[resource_uri] || resource_uri
+      TokenAuthority.config.resource_registry[resource_uri] || resource_uri
     end
 
     # Returns a human-friendly display name for a scope.

data/app/models/concerns/token_authority/claim_validatable.rb

@@ -37,7 +37,7 @@ module TokenAuthority
 
       validates :jti, presence: true
 
-      validates :aud, presence: true, format: {with: /\A#{TokenAuthority.config.rfc_9068_audience_url}*/}
+      validates :aud, presence: true, format: {with: /\A#{TokenAuthority.config.audience_url}*/}
 
       validates :exp, presence: true
       validate do
@@ -46,7 +46,7 @@ module TokenAuthority
         errors.add(:exp, :expired) if Time.zone.now > Time.zone.at(exp)
       end
 
-      validates :iss, presence: true, format: {with: /\A#{TokenAuthority.config.rfc_9068_issuer_url}\z/}
+      validates :iss, presence: true, format: {with: /\A#{TokenAuthority.config.issuer_url}\z/}
 
       after_validation :expire_token_authority_session, if: :errors_for_expirable_claims?
       after_validation :revoke_token_authority_session, if: :errors_for_revocable_claims?

data/app/models/concerns/token_authority/resourceable.rb

@@ -88,9 +88,9 @@ module TokenAuthority
     # @return [Boolean] true if all resources are allowed
     # @api private
     def allowed_resources?
-      return true unless TokenAuthority.config.rfc_8707_enabled?
+      return true unless TokenAuthority.config.resources_enabled?
 
-      resources.all? { |uri| TokenAuthority.config.rfc_8707_resources.key?(uri) }
+      resources.all? { |uri| TokenAuthority.config.resource_registry.key?(uri) }
     end
 
     # Checks if the current resources are a subset of the granted resources.

data/app/models/token_authority/access_token.rb

@@ -74,7 +74,7 @@ module TokenAuthority
       aud = if resources.any?
         (resources.size == 1) ? resources.first : resources
       else
-        TokenAuthority.config.rfc_9068_audience_url
+        TokenAuthority.config.audience_url
       end
 
       scope_claim = scopes.any? ? scopes.join(" ") : nil
@@ -83,7 +83,7 @@ module TokenAuthority
         aud:,
         exp:,
         iat: Time.zone.now.to_i,
-        iss: TokenAuthority.config.rfc_9068_issuer_url,
+        iss: TokenAuthority.config.issuer_url,
         jti: SecureRandom.uuid,
         sub: user_id.to_s,
         client_id:,

data/app/models/token_authority/access_token_request.rb

@@ -141,7 +141,7 @@ module TokenAuthority
       return if resources.empty?
 
       # If resources are provided but feature is disabled, reject them
-      unless TokenAuthority.config.rfc_8707_enabled?
+      unless TokenAuthority.config.resources_enabled?
         errors.add(:resources, :not_allowed)
         return
       end

data/app/models/token_authority/authorization_request.rb

@@ -225,7 +225,7 @@ module TokenAuthority
 
     def resources_must_be_valid
       # Check if resource is required
-      if TokenAuthority.config.rfc_8707_require_resource && resources.empty?
+      if TokenAuthority.config.require_resource && resources.empty?
         errors.add(:resources, :required)
         return
       end
@@ -233,7 +233,7 @@ module TokenAuthority
       return if resources.empty?
 
       # If resources are provided but feature is disabled, reject them
-      unless TokenAuthority.config.rfc_8707_enabled?
+      unless TokenAuthority.config.resources_enabled?
         errors.add(:resources, :not_allowed)
         return
       end

data/app/models/token_authority/authorization_server_metadata.rb

@@ -61,7 +61,7 @@ module TokenAuthority
       metadata[:service_documentation] = service_documentation if service_documentation.present?
 
       # RFC 7591 Dynamic Client Registration
-      if TokenAuthority.config.rfc_7591_enabled
+      if TokenAuthority.config.dcr_enabled
         metadata[:registration_endpoint] = "#{issuer}#{@mount_path}/register"
       end
 
@@ -74,7 +74,7 @@ module TokenAuthority
     # @return [String]
     # @api private
     def issuer
-      TokenAuthority.config.rfc_9068_issuer_url.to_s.chomp("/")
+      TokenAuthority.config.issuer_url.to_s.chomp("/")
     end
 
     # Returns the list of supported scopes from configuration.
@@ -88,14 +88,14 @@ module TokenAuthority
     # @return [String, nil]
     # @api private
     def service_documentation
-      TokenAuthority.config.rfc_8414_service_documentation
+      TokenAuthority.config.authorization_server_documentation
     end
 
     # Returns the supported token endpoint authentication methods.
     # @return [Array<String>]
     # @api private
     def token_endpoint_auth_methods_supported
-      TokenAuthority.config.rfc_7591_allowed_token_endpoint_auth_methods
+      TokenAuthority.config.dcr_allowed_token_endpoint_auth_methods
     end
   end
 end

data/app/models/token_authority/client.rb

@@ -241,8 +241,8 @@ module TokenAuthority
     end
 
     def set_default_durations
-      self.access_token_duration ||= TokenAuthority.config.rfc_9068_default_access_token_duration
-      self.refresh_token_duration ||= TokenAuthority.config.rfc_9068_default_refresh_token_duration
+      self.access_token_duration ||= TokenAuthority.config.default_access_token_duration
+      self.refresh_token_duration ||= TokenAuthority.config.default_refresh_token_duration
     end
 
     def set_client_id_issued_at
@@ -251,9 +251,9 @@ module TokenAuthority
 
     def set_client_secret_expiration
       return if client_type == "public"
-      return unless TokenAuthority.config.rfc_7591_client_secret_expiration
+      return unless TokenAuthority.config.dcr_client_secret_expiration
 
-      self.client_secret_expires_at = Time.current + TokenAuthority.config.rfc_7591_client_secret_expiration
+      self.client_secret_expires_at = Time.current + TokenAuthority.config.dcr_client_secret_expiration
     end
 
     def generate_client_secret_for(secret_id)

data/app/models/token_authority/client_metadata_document.rb

@@ -47,11 +47,11 @@ module TokenAuthority
 
     # URL-based clients use default token durations from config
     def access_token_duration
-      TokenAuthority.config.rfc_9068_default_access_token_duration
+      TokenAuthority.config.default_access_token_duration
     end
 
     def refresh_token_duration
-      TokenAuthority.config.rfc_9068_default_refresh_token_duration
+      TokenAuthority.config.default_refresh_token_duration
     end
 
     # URL-based clients cannot have secrets

data/app/models/token_authority/client_registration_request.rb

@@ -72,7 +72,7 @@ module TokenAuthority
     def token_endpoint_auth_method_is_allowed
       return if token_endpoint_auth_method.blank?
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_token_endpoint_auth_methods
+      allowed = TokenAuthority.config.dcr_allowed_token_endpoint_auth_methods
       unless allowed.include?(token_endpoint_auth_method)
         errors.add(:token_endpoint_auth_method, "is not allowed: #{token_endpoint_auth_method}")
       end
@@ -82,7 +82,7 @@ module TokenAuthority
       return if grant_types.blank?
       return unless grant_types.is_a?(Array)
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_grant_types
+      allowed = TokenAuthority.config.dcr_allowed_grant_types
       disallowed = grant_types - allowed
       errors.add(:grant_types, "contains disallowed types: #{disallowed.join(", ")}") if disallowed.any?
     end
@@ -98,7 +98,7 @@ module TokenAuthority
     def scopes_are_allowed
       return if scope.blank?
 
-      allowed = TokenAuthority.config.rfc_7591_allowed_scopes
+      allowed = TokenAuthority.config.dcr_allowed_scopes
       return if allowed.blank? # If no restrictions configured, allow all
 
       requested_scopes = scope.to_s.split(/\s+/).reject(&:blank?)
@@ -146,10 +146,10 @@ module TokenAuthority
     end
 
     def parse_software_statement
-      jwks = TokenAuthority.config.rfc_7591_software_statement_jwks
+      jwks = TokenAuthority.config.dcr_software_statement_jwks
       if jwks.present?
         SoftwareStatement.decode_and_verify(software_statement, jwks: jwks)
-      elsif TokenAuthority.config.rfc_7591_software_statement_required
+      elsif TokenAuthority.config.dcr_software_statement_required
         raise TokenAuthority::UnapprovedSoftwareStatementError
       else
         SoftwareStatement.decode(software_statement)

data/app/models/token_authority/jwks_fetcher.rb

@@ -55,7 +55,7 @@ module TokenAuthority
       end
 
       def store_in_cache(uri, jwks_data)
-        ttl = TokenAuthority.config.rfc_7591_jwks_cache_ttl
+        ttl = TokenAuthority.config.dcr_jwks_cache_ttl
         uri_hash = JwksCache.hash_uri(uri)
 
         JwksCache.find_or_initialize_by(uri_hash: uri_hash).tap do |cache|

data/app/models/token_authority/protected_resource_metadata.rb

@@ -2,73 +2,152 @@
 
 module TokenAuthority
   ##
-  # Builds the RFC 9728 OAuth 2.0 Protected Resource Metadata response
+  # Assembles RFC 9728 Protected Resource Metadata responses for OAuth clients.
+  #
+  # This class transforms configured resource metadata into standardized JSON responses
+  # that clients use to discover how to interact with protected resources. The metadata
+  # includes supported scopes, bearer token methods, and links to authorization servers.
+  #
+  # The lookup strategy supports multi-tenant deployments: the resource_key parameter
+  # (typically extracted from the request subdomain) is converted to a symbol and used
+  # to look up the configuration in config.resources. If no match is found, the first
+  # resource in the hash is used as the fallback.
+  #
+  # @example Single resource deployment
+  #   metadata = ProtectedResourceMetadata.new(resource: nil)
+  #   metadata.to_h
+  #   # => Returns first entry from config.resources
+  #
+  # @example Multi-tenant with subdomain-specific config
+  #   metadata = ProtectedResourceMetadata.new(resource: "api")
+  #   metadata.to_h
+  #   # => Returns config.resources[:api]
+  #
+  # @see https://www.rfc-editor.org/rfc/rfc9728.html RFC 9728 OAuth 2.0 Protected Resource Metadata
+  # @since 0.3.0
   class ProtectedResourceMetadata
-    def initialize(mount_path:)
-      @mount_path = mount_path
+    # RFC 9728 defines these standard metadata fields for protected resources.
+    # This constant serves as documentation of the complete metadata schema and
+    # ensures field ordering matches the RFC for consistency.
+    ATTRIBUTES = %i[
+      resource
+      authorization_servers
+      scopes_supported
+      bearer_methods_supported
+      resource_name
+      resource_documentation
+      resource_policy_uri
+      resource_tos_uri
+      jwks_uri
+    ].freeze
+
+    # @return [String, nil] the lookup key used to find configuration (typically subdomain)
+    attr_reader :resource_key
+
+    # Initializes metadata builder for a specific resource.
+    #
+    # The resource parameter acts as a lookup key into the configuration system.
+    # In typical deployments, this is the request subdomain (e.g., "api", "mcp").
+    # When nil or blank, uses the default protected_resource configuration.
+    #
+    # @param resource [String, nil] the configuration key to look up
+    def initialize(resource:)
+      @resource_key = resource
     end
 
+    # Generates the RFC 9728 metadata response as a hash.
+    #
+    # Returns only the fields that are configured; optional fields with nil or blank
+    # values are omitted to reduce response size and comply with RFC requirements.
+    # The authorization_servers field defaults to the OAuth issuer URL if not explicitly
+    # configured, ensuring clients always know where to obtain tokens.
+    #
+    # @return [Hash{Symbol => Object}] metadata hash with snake_case keys
+    # @raise [ResourceNotConfiguredError] if no configuration exists for the resource_key
     def to_h
-      metadata = {
+      {
         resource: resource,
-        authorization_servers: authorization_servers
-      }
-
-      metadata[:scopes_supported] = scopes_supported if scopes_supported.any?
-      metadata[:bearer_methods_supported] = bearer_methods_supported if bearer_methods_supported.present?
-      metadata[:jwks_uri] = jwks_uri if jwks_uri.present?
-      metadata[:resource_name] = resource_name if resource_name.present?
-      metadata[:resource_documentation] = resource_documentation if resource_documentation.present?
-      metadata[:resource_policy_uri] = resource_policy_uri if resource_policy_uri.present?
-      metadata[:resource_tos_uri] = resource_tos_uri if resource_tos_uri.present?
-
-      metadata
+        authorization_servers: authorization_servers,
+        scopes_supported: scopes_supported,
+        bearer_methods_supported: bearer_methods_supported,
+        jwks_uri: jwks_uri,
+        resource_name: resource_name,
+        resource_documentation: resource_documentation,
+        resource_policy_uri: resource_policy_uri,
+        resource_tos_uri: resource_tos_uri
+      }.compact_blank
     end
 
     private
 
-    def config
-      TokenAuthority.config
-    end
-
-    def issuer
-      config.rfc_9068_issuer_url.to_s.chomp("/")
+    # Retrieves the configuration hash for this resource.
+    #
+    # Delegates to Configuration#protected_resource_for which implements the
+    # fallback strategy (subdomain-specific -> default -> nil). Memoizes the
+    # result since configuration doesn't change during a request.
+    #
+    # @return [Hash] the resource configuration hash
+    # @raise [ResourceNotConfiguredError] if no config exists for the resource key
+    def resource_config
+      @resource_config ||= TokenAuthority.config.protected_resource_for(resource_key) ||
+        raise(ResourceNotConfiguredError)
     end
 
+    # The URI identifying this protected resource.
+    # This is the only required field in RFC 9728 metadata.
+    #
+    # @return [String] resource identifier URI
     def resource
-      config.rfc_9728_resource.presence || issuer
+      resource_config[:resource]
     end
 
+    # Array of authorization server URLs that can issue tokens for this resource.
+    #
+    # Defaults to the configured issuer URL if not explicitly set, which is correct
+    # for the common case where the authorization server and protected resource
+    # share the same deployment. Multi-AS scenarios can override this.
+    #
+    # @return [Array<String>] authorization server URLs
     def authorization_servers
-      config.rfc_9728_authorization_servers.presence || [issuer]
+      resource_config[:authorization_servers].presence || [issuer]
     end
 
     def scopes_supported
-      config.rfc_9728_scopes_supported.presence || config.scopes&.keys || []
+      resource_config[:scopes_supported]
     end
 
     def bearer_methods_supported
-      config.rfc_9728_bearer_methods_supported
+      resource_config[:bearer_methods_supported]
     end
 
     def jwks_uri
-      config.rfc_9728_jwks_uri
+      resource_config[:jwks_uri]
     end
 
     def resource_name
-      config.rfc_9728_resource_name
+      resource_config[:resource_name]
     end
 
     def resource_documentation
-      config.rfc_9728_resource_documentation
+      resource_config[:resource_documentation]
     end
 
     def resource_policy_uri
-      config.rfc_9728_resource_policy_uri
+      resource_config[:resource_policy_uri]
     end
 
     def resource_tos_uri
-      config.rfc_9728_resource_tos_uri
+      resource_config[:resource_tos_uri]
+    end
+
+    # The authorization server issuer URL, used as a default for authorization_servers.
+    #
+    # Strips trailing slash for consistency with OAuth discovery URL formats, which
+    # typically omit trailing slashes in issuer identifiers.
+    #
+    # @return [String] issuer URL without trailing slash
+    def issuer
+      TokenAuthority.config.issuer_url.to_s.chomp("/")
     end
   end
 end

data/app/models/token_authority/refresh_token.rb

@@ -60,7 +60,7 @@ module TokenAuthority
       aud = if resources.any?
         (resources.size == 1) ? resources.first : resources
       else
-        TokenAuthority.config.rfc_9068_audience_url
+        TokenAuthority.config.audience_url
       end
 
       # Only include scope if scopes are provided
@@ -70,7 +70,7 @@ module TokenAuthority
         aud:,
         exp:,
         iat: Time.zone.now.to_i,
-        iss: TokenAuthority.config.rfc_9068_issuer_url,
+        iss: TokenAuthority.config.issuer_url,
         jti: SecureRandom.uuid,
         scope: scope_claim
       )