Address code review feedback: fix scheme detection and improve test safety

Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>

authz/authz.go

@@ -59,7 +59,6 @@ p, *, *, GET, /api/get-qrcode, *, *
 p, *, *, GET, /api/get-webhook-event, *, *
 p, *, *, GET, /api/get-captcha-status, *, *
 p, *, *, *, /api/login/oauth, *, *
-p, *, *, POST, /api/oauth/register, *, *
 p, *, *, GET, /api/get-application, *, *
 p, *, *, GET, /api/get-organization-applications, *, *
 p, *, *, GET, /api/get-user, *, *

controllers/account.go

@@ -323,7 +323,7 @@ func (c *ApiController) Signup() {
 
 	// If OAuth parameters are present, generate OAuth code and return it
 	if clientId != "" && responseType == ResponseTypeCode {
-		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, "", c.Ctx.Request.Host, c.GetAcceptLanguage())
+		code, err := object.GetOAuthCode(userId, clientId, "", "password", responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
 			return

controllers/auth.go

@@ -161,13 +161,12 @@ func (c *ApiController) HandleLoggedIn(application *object.Application, user *ob
 		nonce := c.Ctx.Input.Query("nonce")
 		challengeMethod := c.Ctx.Input.Query("code_challenge_method")
 		codeChallenge := c.Ctx.Input.Query("code_challenge")
-		resource := c.Ctx.Input.Query("resource")
 
 		if challengeMethod != "S256" && challengeMethod != "null" && challengeMethod != "" {
 			c.ResponseError(c.T("auth:Challenge method should be S256"))
 			return
 		}
-		code, err := object.GetOAuthCode(userId, clientId, form.Provider, form.SigninMethod, responseType, redirectUri, scope, state, nonce, codeChallenge, resource, c.Ctx.Request.Host, c.GetAcceptLanguage())
+		code, err := object.GetOAuthCode(userId, clientId, form.Provider, form.SigninMethod, responseType, redirectUri, scope, state, nonce, codeChallenge, c.Ctx.Request.Host, c.GetAcceptLanguage())
 		if err != nil {
 			c.ResponseError(err.Error(), nil)
 			return

controllers/oauth_dcr.go

@@ -1,74 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package controllers
-
-import (
-	"encoding/json"
-	"net/http"
-
-	"github.com/casdoor/casdoor/object"
-)
-
-// DynamicClientRegister
-// @Title DynamicClientRegister
-// @Tag OAuth API
-// @Description Register a new OAuth 2.0 client dynamically (RFC 7591)
-// @Param   organization     query    string  false        "The organization name (defaults to built-in)"
-// @Param   body    body   object.DynamicClientRegistrationRequest  true        "Client registration request"
-// @Success 201 {object} object.DynamicClientRegistrationResponse
-// @Failure 400 {object} object.DcrError
-// @router /api/oauth/register [post]
-func (c *ApiController) DynamicClientRegister() {
-	var req object.DynamicClientRegistrationRequest
-	err := json.Unmarshal(c.Ctx.Input.RequestBody, &req)
-	if err != nil {
-		c.Ctx.Output.Status = http.StatusBadRequest
-		c.Data["json"] = object.DcrError{
-			Error:            "invalid_client_metadata",
-			ErrorDescription: "invalid request body: " + err.Error(),
-		}
-		c.ServeJSON()
-		return
-	}
-
-	// Get organization from query parameter or default to built-in
-	organization := c.Ctx.Input.Query("organization")
-	if organization == "" {
-		organization = "built-in"
-	}
-
-	// Register the client
-	response, dcrErr, err := object.RegisterDynamicClient(&req, organization)
-	if err != nil {
-		c.Ctx.Output.Status = http.StatusInternalServerError
-		c.Data["json"] = object.DcrError{
-			Error:            "server_error",
-			ErrorDescription: err.Error(),
-		}
-		c.ServeJSON()
-		return
-	}
-	if dcrErr != nil {
-		c.Ctx.Output.Status = http.StatusBadRequest
-		c.Data["json"] = dcrErr
-		c.ServeJSON()
-		return
-	}
-
-	// Return 201 Created
-	c.Ctx.Output.Status = http.StatusCreated
-	c.Data["json"] = response
-	c.ServeJSON()
-}

controllers/oauth_prm.go

@@ -1,4 +1,4 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

controllers/oidc_discovery.go

@@ -137,29 +137,3 @@ func (c *RootController) GetWebFingerByApplication() {
 	c.Ctx.Output.ContentType("application/jrd+json")
 	c.ServeJSON()
 }
-
-// GetOAuthServerMetadata
-// @Title GetOAuthServerMetadata
-// @Tag OAuth API
-// @Description Get OAuth 2.0 Authorization Server Metadata (RFC 8414)
-// @Success 200 {object} object.OidcDiscovery
-// @router /.well-known/oauth-authorization-server [get]
-func (c *RootController) GetOAuthServerMetadata() {
-	host := c.Ctx.Request.Host
-	c.Data["json"] = object.GetOidcDiscovery(host, "")
-	c.ServeJSON()
-}
-
-// GetOAuthServerMetadataByApplication
-// @Title GetOAuthServerMetadataByApplication
-// @Tag OAuth API
-// @Description Get OAuth 2.0 Authorization Server Metadata for specific application (RFC 8414)
-// @Param application path string true "application name"
-// @Success 200 {object} object.OidcDiscovery
-// @router /.well-known/:application/oauth-authorization-server [get]
-func (c *RootController) GetOAuthServerMetadataByApplication() {
-	application := c.Ctx.Input.Param(":application")
-	host := c.Ctx.Request.Host
-	c.Data["json"] = object.GetOidcDiscovery(host, application)
-	c.ServeJSON()
-}

controllers/token.go

@@ -176,7 +176,6 @@ func (c *ApiController) GetOAuthToken() {
 	subjectToken := c.Ctx.Input.Query("subject_token")
 	subjectTokenType := c.Ctx.Input.Query("subject_token_type")
 	audience := c.Ctx.Input.Query("audience")
-	resource := c.Ctx.Input.Query("resource")
 
 	if clientId == "" && clientSecret == "" {
 		clientId, clientSecret, _ = c.Ctx.Request.BasicAuth()
@@ -232,9 +231,6 @@ func (c *ApiController) GetOAuthToken() {
 			if audience == "" {
 				audience = tokenRequest.Audience
 			}
-			if resource == "" {
-				resource = tokenRequest.Resource
-			}
 		}
 	}
 
@@ -279,7 +275,7 @@ func (c *ApiController) GetOAuthToken() {
 	}
 
 	host := c.Ctx.Request.Host
-	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, audience, resource)
+	token, err := object.GetOAuthToken(grantType, clientId, clientSecret, code, verifier, scope, nonce, username, password, host, refreshToken, tag, avatar, c.GetAcceptLanguage(), subjectToken, subjectTokenType, audience)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return

controllers/types.go

@@ -30,5 +30,4 @@ type TokenRequest struct {
 	SubjectToken     string `json:"subject_token"`
 	SubjectTokenType string `json:"subject_token_type"`
 	Audience         string `json:"audience"`
-	Resource         string `json:"resource"` // RFC 8707 Resource Indicator
 }

mcp/auth.go

@@ -15,7 +15,6 @@
 package mcp
 
 import (
-	"strings"
 	"time"
 
 	"github.com/casdoor/casdoor/object"
@@ -121,58 +120,3 @@ func (c *McpController) GetAcceptLanguage() string {
 	}
 	return language
 }
-
-// GetTokenFromRequest extracts the Bearer token from the Authorization header
-func (c *McpController) GetTokenFromRequest() string {
-	authHeader := c.Ctx.Request.Header.Get("Authorization")
-	if authHeader == "" {
-		return ""
-	}
-
-	// Extract Bearer token
-	parts := strings.SplitN(authHeader, " ", 2)
-	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
-		return ""
-	}
-
-	return parts[1]
-}
-
-// GetClaimsFromToken parses and validates the JWT token and returns the claims
-// Returns nil if no token is present or if token is invalid
-func (c *McpController) GetClaimsFromToken() *object.Claims {
-	tokenString := c.GetTokenFromRequest()
-	if tokenString == "" {
-		return nil
-	}
-
-	// Try to find the application for this token
-	// For MCP, we'll try to parse using the first available application's certificate
-	// In a production scenario, you might want to use a specific MCP application
-	token, err := object.GetTokenByAccessToken(tokenString)
-	if err != nil || token == nil {
-		return nil
-	}
-
-	application, err := object.GetApplication(token.Application)
-	if err != nil || application == nil {
-		return nil
-	}
-
-	claims, err := object.ParseJwtTokenByApplication(tokenString, application)
-	if err != nil {
-		return nil
-	}
-
-	return claims
-}
-
-// GetScopesFromClaims extracts the scopes from JWT claims and returns them as a slice
-func GetScopesFromClaims(claims *object.Claims) []string {
-	if claims == nil || claims.Scope == "" {
-		return []string{}
-	}
-
-	// Scopes are space-separated in OAuth 2.0
-	return strings.Split(claims.Scope, " ")
-}

mcp/base.go

@@ -268,160 +268,7 @@ func (c *McpController) handlePing(req McpRequest) {
 }
 
 func (c *McpController) handleToolsList(req McpRequest) {
-	allTools := c.getAllTools()
-
-	// Get JWT claims from the request
-	claims := c.GetClaimsFromToken()
-
-	// If no token is present, check session authentication
-	if claims == nil {
-		username := c.GetSessionUsername()
-		// If user is authenticated via session, return all tools (backward compatibility)
-		if username != "" {
-			result := McpListToolsResult{
-				Tools: allTools,
-			}
-			c.McpResponseOk(req.ID, result)
-			return
-		}
-
-		// Unauthenticated request - return all tools for discovery
-		// This allows clients to see what tools are available before authenticating
-		result := McpListToolsResult{
-			Tools: allTools,
-		}
-		c.McpResponseOk(req.ID, result)
-		return
-	}
-
-	// Token-based authentication - filter tools by scopes
-	grantedScopes := GetScopesFromClaims(claims)
-	allowedTools := GetToolsForScopes(grantedScopes, BuiltinScopes)
-
-	// Filter tools based on allowed scopes
-	var filteredTools []McpTool
-	for _, tool := range allTools {
-		if allowedTools[tool.Name] {
-			filteredTools = append(filteredTools, tool)
-		}
-	}
-
-	result := McpListToolsResult{
-		Tools: filteredTools,
-	}
-
-	c.McpResponseOk(req.ID, result)
-}
-
-func (c *McpController) handleToolsCall(req McpRequest) {
-	var params McpCallToolParams
-	err := json.Unmarshal(req.Params, &params)
-	if err != nil {
-		c.sendInvalidParamsError(req.ID, err.Error())
-		return
-	}
-
-	// Check scope-tool permission
-	if !c.checkToolPermission(req.ID, params.Name) {
-		return // Error already sent by checkToolPermission
-	}
-
-	// Route to the appropriate tool handler
-	switch params.Name {
-	case "get_applications":
-		var args GetApplicationsArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleGetApplicationsTool(req.ID, args)
-	case "get_application":
-		var args GetApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleGetApplicationTool(req.ID, args)
-	case "add_application":
-		var args AddApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleAddApplicationTool(req.ID, args)
-	case "update_application":
-		var args UpdateApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleUpdateApplicationTool(req.ID, args)
-	case "delete_application":
-		var args DeleteApplicationArgs
-		if err := json.Unmarshal(params.Arguments, &args); err != nil {
-			c.sendInvalidParamsError(req.ID, err.Error())
-			return
-		}
-		c.handleDeleteApplicationTool(req.ID, args)
-	default:
-		c.McpResponseError(req.ID, -32602, "Invalid tool name", fmt.Sprintf("Tool '%s' not found", params.Name))
-	}
-}
-
-// checkToolPermission validates that the current token has the required scope for the tool
-// Returns false and sends an error response if permission is denied
-func (c *McpController) checkToolPermission(id interface{}, toolName string) bool {
-	// Get JWT claims from the request
-	claims := c.GetClaimsFromToken()
-
-	// If no token is present, check if the user is authenticated via session
-	if claims == nil {
-		username := c.GetSessionUsername()
-		// If user is authenticated via session (e.g., session cookie), allow access
-		// This maintains backward compatibility with existing session-based auth
-		if username != "" {
-			return true
-		}
-
-		// No authentication present - deny access
-		c.sendInsufficientScopeError(id, toolName, []string{})
-		return false
-	}
-
-	// Extract scopes from claims
-	grantedScopes := GetScopesFromClaims(claims)
-
-	// Get allowed tools for the granted scopes
-	allowedTools := GetToolsForScopes(grantedScopes, BuiltinScopes)
-
-	// Check if the requested tool is allowed
-	if !allowedTools[toolName] {
-		c.sendInsufficientScopeError(id, toolName, grantedScopes)
-		return false
-	}
-
-	return true
-}
-
-// sendInsufficientScopeError sends an error response for insufficient scope
-func (c *McpController) sendInsufficientScopeError(id interface{}, toolName string, grantedScopes []string) {
-	// Find required scope for this tool
-	requiredScope := GetRequiredScopeForTool(toolName, BuiltinScopes)
-
-	errorData := map[string]interface{}{
-		"tool":           toolName,
-		"granted_scopes": grantedScopes,
-	}
-	if requiredScope != "" {
-		errorData["required_scope"] = requiredScope
-	}
-
-	c.McpResponseError(id, -32001, "insufficient_scope", errorData)
-}
-
-// getAllTools returns all available MCP tools
-func (c *McpController) getAllTools() []McpTool {
-	return []McpTool{
+	tools := []McpTool{
 		{
 			Name:        "get_applications",
 			Description: "Get all applications for a specific owner",
@@ -497,4 +344,60 @@ func (c *McpController) getAllTools() []McpTool {
 			},
 		},
 	}
+
+	result := McpListToolsResult{
+		Tools: tools,
+	}
+
+	c.McpResponseOk(req.ID, result)
+}
+
+func (c *McpController) handleToolsCall(req McpRequest) {
+	var params McpCallToolParams
+	err := json.Unmarshal(req.Params, &params)
+	if err != nil {
+		c.sendInvalidParamsError(req.ID, err.Error())
+		return
+	}
+
+	// Route to the appropriate tool handler
+	switch params.Name {
+	case "get_applications":
+		var args GetApplicationsArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleGetApplicationsTool(req.ID, args)
+	case "get_application":
+		var args GetApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleGetApplicationTool(req.ID, args)
+	case "add_application":
+		var args AddApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleAddApplicationTool(req.ID, args)
+	case "update_application":
+		var args UpdateApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleUpdateApplicationTool(req.ID, args)
+	case "delete_application":
+		var args DeleteApplicationArgs
+		if err := json.Unmarshal(params.Arguments, &args); err != nil {
+			c.sendInvalidParamsError(req.ID, err.Error())
+			return
+		}
+		c.handleDeleteApplicationTool(req.ID, args)
+	default:
+		c.McpResponseError(req.ID, -32602, "Invalid tool name", fmt.Sprintf("Tool '%s' not found", params.Name))
+	}
 }

mcp/permission.go

@@ -1,158 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package mcp
-
-import (
-	"github.com/casdoor/casdoor/object"
-)
-
-// BuiltinScopes defines the default scope-to-tool mappings for Casdoor's MCP server
-var BuiltinScopes = []*object.ScopeItem{
-	{
-		Name:        "application:read",
-		DisplayName: "Read Applications",
-		Description: "View application list and details",
-		Tools:       []string{"get_applications", "get_application"},
-	},
-	{
-		Name:        "application:write",
-		DisplayName: "Manage Applications",
-		Description: "Create, update, and delete applications",
-		Tools:       []string{"add_application", "update_application", "delete_application"},
-	},
-	{
-		Name:        "user:read",
-		DisplayName: "Read Users",
-		Description: "View user list and details",
-		Tools:       []string{"get_users", "get_user"},
-	},
-	{
-		Name:        "user:write",
-		DisplayName: "Manage Users",
-		Description: "Create, update, and delete users",
-		Tools:       []string{"add_user", "update_user", "delete_user"},
-	},
-	{
-		Name:        "organization:read",
-		DisplayName: "Read Organizations",
-		Description: "View organization list and details",
-		Tools:       []string{"get_organizations", "get_organization"},
-	},
-	{
-		Name:        "organization:write",
-		DisplayName: "Manage Organizations",
-		Description: "Create, update, and delete organizations",
-		Tools:       []string{"add_organization", "update_organization", "delete_organization"},
-	},
-	{
-		Name:        "permission:read",
-		DisplayName: "Read Permissions",
-		Description: "View permission list and details",
-		Tools:       []string{"get_permissions", "get_permission"},
-	},
-	{
-		Name:        "permission:write",
-		DisplayName: "Manage Permissions",
-		Description: "Create, update, and delete permissions",
-		Tools:       []string{"add_permission", "update_permission", "delete_permission"},
-	},
-	{
-		Name:        "role:read",
-		DisplayName: "Read Roles",
-		Description: "View role list and details",
-		Tools:       []string{"get_roles", "get_role"},
-	},
-	{
-		Name:        "role:write",
-		DisplayName: "Manage Roles",
-		Description: "Create, update, and delete roles",
-		Tools:       []string{"add_role", "update_role", "delete_role"},
-	},
-	{
-		Name:        "provider:read",
-		DisplayName: "Read Providers",
-		Description: "View provider list and details",
-		Tools:       []string{"get_providers", "get_provider"},
-	},
-	{
-		Name:        "provider:write",
-		DisplayName: "Manage Providers",
-		Description: "Create, update, and delete providers",
-		Tools:       []string{"add_provider", "update_provider", "delete_provider"},
-	},
-	{
-		Name:        "token:read",
-		DisplayName: "Read Tokens",
-		Description: "View token list and details",
-		Tools:       []string{"get_tokens", "get_token"},
-	},
-	{
-		Name:        "token:write",
-		DisplayName: "Manage Tokens",
-		Description: "Delete tokens",
-		Tools:       []string{"delete_token"},
-	},
-}
-
-// ConvenienceScopes defines alias scopes that expand to multiple resource scopes
-var ConvenienceScopes = map[string][]string{
-	"read":  {"application:read", "user:read", "organization:read", "permission:read", "role:read", "provider:read", "token:read"},
-	"write": {"application:write", "user:write", "organization:write", "permission:write", "role:write", "provider:write", "token:write"},
-	"admin": {"application:read", "application:write", "user:read", "user:write", "organization:read", "organization:write", "permission:read", "permission:write", "role:read", "role:write", "provider:read", "provider:write", "token:read", "token:write"},
-}
-
-// GetToolsForScopes returns a map of tools allowed by the given scopes
-// The grantedScopes are the scopes present in the token
-// The registry contains the scope-to-tool mappings (either BuiltinScopes or Application.Scopes)
-func GetToolsForScopes(grantedScopes []string, registry []*object.ScopeItem) map[string]bool {
-	allowed := make(map[string]bool)
-
-	// Expand convenience scopes first
-	expandedScopes := make([]string, 0)
-	for _, scopeName := range grantedScopes {
-		if expansion, isConvenience := ConvenienceScopes[scopeName]; isConvenience {
-			expandedScopes = append(expandedScopes, expansion...)
-		} else {
-			expandedScopes = append(expandedScopes, scopeName)
-		}
-	}
-
-	// Map scopes to tools
-	for _, scopeName := range expandedScopes {
-		for _, item := range registry {
-			if item.Name == scopeName {
-				for _, tool := range item.Tools {
-					allowed[tool] = true
-				}
-				break
-			}
-		}
-	}
-
-	return allowed
-}
-
-// GetRequiredScopeForTool returns the first scope that provides access to the given tool
-// Returns an empty string if no scope is found for the tool
-func GetRequiredScopeForTool(toolName string, registry []*object.ScopeItem) string {
-	for _, scopeItem := range registry {
-		for _, tool := range scopeItem.Tools {
-			if tool == toolName {
-				return scopeItem.Name
-			}
-		}
-	}
-	return ""
-}

object/application.go

@@ -67,22 +67,12 @@ type JwtItem struct {
 	Type     string `json:"type"`
 }
 
-type ScopeItem struct {
-	Name        string   `json:"name"`
-	DisplayName string   `json:"displayName"`
-	Description string   `json:"description"`
-	Tools       []string `json:"tools"` // MCP tools allowed by this scope
-}
-
 type Application struct {
 	Owner       string `xorm:"varchar(100) notnull pk" json:"owner"`
 	Name        string `xorm:"varchar(100) notnull pk" json:"name"`
 	CreatedTime string `xorm:"varchar(100)" json:"createdTime"`
 
 	DisplayName                  string          `xorm:"varchar(100)" json:"displayName"`
-	Category                     string          `xorm:"varchar(20)" json:"category"`
-	Type                         string          `xorm:"varchar(20)" json:"type"`
-	Scopes                       []*ScopeItem    `xorm:"mediumtext" json:"scopes"`
 	Logo                         string          `xorm:"varchar(200)" json:"logo"`
 	Title                        string          `xorm:"varchar(100)" json:"title"`
 	Favicon                      string          `xorm:"varchar(200)" json:"favicon"`

object/init.go

@@ -132,7 +132,6 @@ func initBuiltInOrganization() bool {
 		IsProfilePublic:    false,
 		UseEmailAsUsername: false,
 		EnableTour:         true,
-		DcrPolicy:          "open",
 	}
 	_, err = AddOrganization(organization)
 	if err != nil {
@@ -198,9 +197,6 @@ func initBuiltInApplication() {
 		Name:           "app-built-in",
 		CreatedTime:    util.GetCurrentTime(),
 		DisplayName:    "Casdoor",
-		Category:       "Default",
-		Type:           "All",
-		Scopes:         []*ScopeItem{},
 		Logo:           fmt.Sprintf("%s/img/casdoor-logo_1185x256.png", conf.GetConfigString("staticBaseUrl")),
 		HomepageUrl:    "https://casdoor.org",
 		Organization:   "built-in",

object/oauth_dcr.go

@@ -1,193 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package object
-
-import (
-	"fmt"
-	"time"
-
-	"github.com/casdoor/casdoor/util"
-)
-
-// DynamicClientRegistrationRequest represents an RFC 7591 client registration request
-type DynamicClientRegistrationRequest struct {
-	ClientName              string   `json:"client_name,omitempty"`
-	RedirectUris            []string `json:"redirect_uris,omitempty"`
-	GrantTypes              []string `json:"grant_types,omitempty"`
-	ResponseTypes           []string `json:"response_types,omitempty"`
-	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
-	ApplicationType         string   `json:"application_type,omitempty"`
-	Contacts                []string `json:"contacts,omitempty"`
-	LogoUri                 string   `json:"logo_uri,omitempty"`
-	ClientUri               string   `json:"client_uri,omitempty"`
-	PolicyUri               string   `json:"policy_uri,omitempty"`
-	TosUri                  string   `json:"tos_uri,omitempty"`
-	Scope                   string   `json:"scope,omitempty"`
-}
-
-// DynamicClientRegistrationResponse represents an RFC 7591 client registration response
-type DynamicClientRegistrationResponse struct {
-	ClientId                string   `json:"client_id"`
-	ClientSecret            string   `json:"client_secret,omitempty"`
-	ClientIdIssuedAt        int64    `json:"client_id_issued_at,omitempty"`
-	ClientSecretExpiresAt   int64    `json:"client_secret_expires_at,omitempty"`
-	ClientName              string   `json:"client_name,omitempty"`
-	RedirectUris            []string `json:"redirect_uris,omitempty"`
-	GrantTypes              []string `json:"grant_types,omitempty"`
-	ResponseTypes           []string `json:"response_types,omitempty"`
-	TokenEndpointAuthMethod string   `json:"token_endpoint_auth_method,omitempty"`
-	ApplicationType         string   `json:"application_type,omitempty"`
-	Contacts                []string `json:"contacts,omitempty"`
-	LogoUri                 string   `json:"logo_uri,omitempty"`
-	ClientUri               string   `json:"client_uri,omitempty"`
-	PolicyUri               string   `json:"policy_uri,omitempty"`
-	TosUri                  string   `json:"tos_uri,omitempty"`
-	Scope                   string   `json:"scope,omitempty"`
-	RegistrationClientUri   string   `json:"registration_client_uri,omitempty"`
-	RegistrationAccessToken string   `json:"registration_access_token,omitempty"`
-}
-
-// DcrError represents an RFC 7591 error response
-type DcrError struct {
-	Error            string `json:"error"`
-	ErrorDescription string `json:"error_description,omitempty"`
-}
-
-// RegisterDynamicClient creates a new application based on DCR request
-func RegisterDynamicClient(req *DynamicClientRegistrationRequest, organization string) (*DynamicClientRegistrationResponse, *DcrError, error) {
-	// Validate organization exists and has DCR enabled
-	org, err := GetOrganization(util.GetId("admin", organization))
-	if err != nil {
-		return nil, nil, err
-	}
-	if org == nil {
-		return nil, &DcrError{
-			Error:            "invalid_client_metadata",
-			ErrorDescription: "organization not found",
-		}, nil
-	}
-
-	// Check if DCR is enabled for this organization
-	if org.DcrPolicy == "" || org.DcrPolicy == "disabled" {
-		return nil, &DcrError{
-			Error:            "invalid_client_metadata",
-			ErrorDescription: "dynamic client registration is disabled for this organization",
-		}, nil
-	}
-
-	// Validate required fields
-	if len(req.RedirectUris) == 0 {
-		return nil, &DcrError{
-			Error:            "invalid_redirect_uri",
-			ErrorDescription: "redirect_uris is required and must contain at least one URI",
-		}, nil
-	}
-
-	// Set defaults
-	if req.ClientName == "" {
-		clientIdPrefix := util.GenerateClientId()
-		if len(clientIdPrefix) > 8 {
-			clientIdPrefix = clientIdPrefix[:8]
-		}
-		req.ClientName = fmt.Sprintf("DCR Client %s", clientIdPrefix)
-	}
-	if len(req.GrantTypes) == 0 {
-		req.GrantTypes = []string{"authorization_code"}
-	}
-	if len(req.ResponseTypes) == 0 {
-		req.ResponseTypes = []string{"code"}
-	}
-	if req.TokenEndpointAuthMethod == "" {
-		req.TokenEndpointAuthMethod = "client_secret_basic"
-	}
-	if req.ApplicationType == "" {
-		req.ApplicationType = "web"
-	}
-
-	// Generate unique application name
-	randomName := util.GetRandomName()
-	appName := fmt.Sprintf("dcr_%s", randomName)
-
-	// Create Application object
-	// Note: DCR applications are created under "admin" owner by default
-	// This can be made configurable in future versions
-	clientId := util.GenerateClientId()
-	clientSecret := util.GenerateClientSecret()
-	createdTime := util.GetCurrentTime()
-
-	application := &Application{
-		Owner:                "admin",
-		Name:                 appName,
-		Organization:         organization,
-		CreatedTime:          createdTime,
-		DisplayName:          req.ClientName,
-		Category:             "Agent",
-		Type:                 "MCP",
-		Scopes:               []*ScopeItem{},
-		Logo:                 req.LogoUri,
-		HomepageUrl:          req.ClientUri,
-		ClientId:             clientId,
-		ClientSecret:         clientSecret,
-		RedirectUris:         req.RedirectUris,
-		GrantTypes:           req.GrantTypes,
-		EnablePassword:       false,
-		EnableSignUp:         false,
-		DisableSignin:        false,
-		EnableSigninSession:  false,
-		EnableCodeSignin:     true,
-		EnableAutoSignin:     false,
-		TokenFormat:          "JWT",
-		ExpireInHours:        168,
-		RefreshExpireInHours: 168,
-		CookieExpireInHours:  720,
-		FormOffset:           2,
-		Tags:                 []string{"dcr"},
-		TermsOfUse:           req.TosUri,
-	}
-
-	// Add the application
-	affected, err := AddApplication(application)
-	if err != nil {
-		return nil, nil, err
-	}
-	if !affected {
-		return nil, &DcrError{
-			Error:            "invalid_client_metadata",
-			ErrorDescription: "failed to create client application",
-		}, nil
-	}
-
-	// Build response
-	response := &DynamicClientRegistrationResponse{
-		ClientId:                clientId,
-		ClientSecret:            clientSecret,
-		ClientIdIssuedAt:        time.Now().Unix(),
-		ClientSecretExpiresAt:   0, // Never expires
-		ClientName:              req.ClientName,
-		RedirectUris:            req.RedirectUris,
-		GrantTypes:              req.GrantTypes,
-		ResponseTypes:           req.ResponseTypes,
-		TokenEndpointAuthMethod: req.TokenEndpointAuthMethod,
-		ApplicationType:         req.ApplicationType,
-		Contacts:                req.Contacts,
-		LogoUri:                 req.LogoUri,
-		ClientUri:               req.ClientUri,
-		PolicyUri:               req.PolicyUri,
-		TosUri:                  req.TosUri,
-		Scope:                   req.Scope,
-	}
-
-	return response, nil, nil
-}

object/oidc_discovery.go

@@ -32,7 +32,6 @@ type OidcDiscovery struct {
 	TokenEndpoint                          string   `json:"token_endpoint"`
 	UserinfoEndpoint                       string   `json:"userinfo_endpoint"`
 	DeviceAuthorizationEndpoint            string   `json:"device_authorization_endpoint"`
-	RegistrationEndpoint                   string   `json:"registration_endpoint,omitempty"`
 	JwksUri                                string   `json:"jwks_uri"`
 	IntrospectionEndpoint                  string   `json:"introspection_endpoint"`
 	ResponseTypesSupported                 []string `json:"response_types_supported"`
@@ -41,7 +40,6 @@ type OidcDiscovery struct {
 	SubjectTypesSupported                  []string `json:"subject_types_supported"`
 	IdTokenSigningAlgValuesSupported       []string `json:"id_token_signing_alg_values_supported"`
 	ScopesSupported                        []string `json:"scopes_supported"`
-	CodeChallengeMethodsSupported          []string `json:"code_challenge_methods_supported"`
 	ClaimsSupported                        []string `json:"claims_supported"`
 	RequestParameterSupported              bool     `json:"request_parameter_supported"`
 	RequestObjectSigningAlgValuesSupported []string `json:"request_object_signing_alg_values_supported"`
@@ -125,23 +123,6 @@ func GetOidcDiscovery(host string, applicationName string) OidcDiscovery {
 		jwksUri = fmt.Sprintf("%s/.well-known/jwks", originBackend)
 	}
 
-	// Default OIDC scopes
-	scopes := []string{"openid", "email", "profile", "address", "phone", "offline_access"}
-
-	// Merge application-specific custom scopes if application is provided
-	if applicationName != "" {
-		applicationId := util.GetId("admin", applicationName)
-		application, err := GetApplication(applicationId)
-		if err == nil && application != nil && len(application.Scopes) > 0 {
-			for _, scope := range application.Scopes {
-				// Add custom scope names to the scopes list
-				if scope.Name != "" {
-					scopes = append(scopes, scope.Name)
-				}
-			}
-		}
-	}
-
 	// Examples:
 	// https://login.okta.com/.well-known/openid-configuration
 	// https://auth0.auth0.com/.well-known/openid-configuration
@@ -153,7 +134,6 @@ func GetOidcDiscovery(host string, applicationName string) OidcDiscovery {
 		TokenEndpoint:                          fmt.Sprintf("%s/api/login/oauth/access_token", originBackend),
 		UserinfoEndpoint:                       fmt.Sprintf("%s/api/userinfo", originBackend),
 		DeviceAuthorizationEndpoint:            fmt.Sprintf("%s/api/device-auth", originBackend),
-		RegistrationEndpoint:                   fmt.Sprintf("%s/api/oauth/register", originBackend),
 		JwksUri:                                jwksUri,
 		IntrospectionEndpoint:                  fmt.Sprintf("%s/api/login/oauth/introspect", originBackend),
 		ResponseTypesSupported:                 []string{"code", "token", "id_token", "code token", "code id_token", "token id_token", "code token id_token", "none"},
@@ -161,8 +141,7 @@ func GetOidcDiscovery(host string, applicationName string) OidcDiscovery {
 		GrantTypesSupported:                    []string{"authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "urn:ietf:params:oauth:grant-type:token-exchange"},
 		SubjectTypesSupported:                  []string{"public"},
 		IdTokenSigningAlgValuesSupported:       []string{"RS256", "RS512", "ES256", "ES384", "ES512"},
-		ScopesSupported:                        scopes,
-		CodeChallengeMethodsSupported:          []string{"S256"},
+		ScopesSupported:                        []string{"openid", "email", "profile", "address", "phone", "offline_access"},
 		ClaimsSupported:                        []string{"iss", "ver", "sub", "aud", "iat", "exp", "id", "type", "displayName", "avatar", "permanentAvatar", "email", "phone", "location", "affiliation", "title", "homepage", "bio", "tag", "region", "language", "score", "ranking", "isOnline", "isAdmin", "isForbidden", "signupApplication", "ldap"},
 		RequestParameterSupported:              true,
 		RequestObjectSigningAlgValuesSupported: []string{"HS256", "HS384", "HS512"},

object/organization.go

@@ -92,8 +92,6 @@ type Organization struct {
 	AccountMenu        string         `xorm:"varchar(20)" json:"accountMenu"`
 	AccountItems       []*AccountItem `xorm:"mediumtext" json:"accountItems"`
 
-	DcrPolicy string `xorm:"varchar(100)" json:"dcrPolicy"`
-
 	OrgBalance      float64 `json:"orgBalance"`
 	UserBalance     float64 `json:"userBalance"`
 	BalanceCredit   float64 `json:"balanceCredit"`

object/token.go

@@ -43,7 +43,6 @@ type Token struct {
 	CodeChallenge    string `xorm:"varchar(100)" json:"codeChallenge"`
 	CodeIsUsed       bool   `json:"codeIsUsed"`
 	CodeExpireIn     int64  `json:"codeExpireIn"`
-	Resource         string `xorm:"varchar(255)" json:"resource"` // RFC 8707 Resource Indicator
 }
 
 func GetTokenCount(owner, organization, field, value string) (int64, error) {

object/token_jwt.go

@@ -509,7 +509,7 @@ func refineUser(user *User) *User {
 	return user
 }
 
-func generateJwtToken(application *Application, user *User, provider string, signinMethod string, nonce string, scope string, resource string, host string) (string, string, string, error) {
+func generateJwtToken(application *Application, user *User, provider string, signinMethod string, nonce string, scope string, host string) (string, string, string, error) {
 	nowTime := time.Now()
 	expireTime := nowTime.Add(time.Duration(application.ExpireInHours * float64(time.Hour)))
 	refreshExpireTime := nowTime.Add(time.Duration(application.RefreshExpireInHours * float64(time.Hour)))
@@ -553,10 +553,7 @@ func generateJwtToken(application *Application, user *User, provider string, sig
 		},
 	}
 
-	// RFC 8707: Use resource as audience when provided
-	if resource != "" {
-		claims.Audience = []string{resource}
-	} else if application.IsShared {
+	if application.IsShared {
 		claims.Audience = []string{application.ClientId + "-org-" + user.Owner}
 	}
 

object/token_oauth.go

@@ -18,7 +18,6 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
-	"net/url"
 	"strings"
 	"sync"
 	"time"
@@ -93,26 +92,6 @@ type DeviceAuthResponse struct {
 	Interval        int    `json:"interval"`
 }
 
-// validateResourceURI validates that the resource parameter is a valid absolute URI
-// according to RFC 8707 Section 2
-func validateResourceURI(resource string) error {
-	if resource == "" {
-		return nil // empty resource is allowed (backward compatibility)
-	}
-
-	parsedURL, err := url.Parse(resource)
-	if err != nil {
-		return fmt.Errorf("resource must be a valid URI")
-	}
-
-	// RFC 8707: The resource parameter must be an absolute URI
-	if !parsedURL.IsAbs() {
-		return fmt.Errorf("resource must be an absolute URI")
-	}
-
-	return nil
-}
-
 func ExpireTokenByAccessToken(accessToken string) (bool, *Application, *Token, error) {
 	token, err := GetTokenByAccessToken(accessToken)
 	if err != nil {
@@ -159,7 +138,7 @@ func CheckOAuthLogin(clientId string, responseType string, redirectUri string, s
 	return "", application, nil
 }
 
-func GetOAuthCode(userId string, clientId string, provider string, signinMethod string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, resource string, host string, lang string) (*Code, error) {
+func GetOAuthCode(userId string, clientId string, provider string, signinMethod string, responseType string, redirectUri string, scope string, state string, nonce string, challenge string, host string, lang string) (*Code, error) {
 	user, err := GetUser(userId)
 	if err != nil {
 		return nil, err
@@ -190,19 +169,11 @@ func GetOAuthCode(userId string, clientId string, provider string, signinMethod
 		}, nil
 	}
 
-	// Validate resource parameter (RFC 8707)
-	if err := validateResourceURI(resource); err != nil {
-		return &Code{
-			Message: err.Error(),
-			Code:    "",
-		}, nil
-	}
-
 	err = ExtendUserWithRolesAndPermissions(user)
 	if err != nil {
 		return nil, err
 	}
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, provider, signinMethod, nonce, scope, resource, host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, provider, signinMethod, nonce, scope, host)
 	if err != nil {
 		return nil, err
 	}
@@ -227,7 +198,6 @@ func GetOAuthCode(userId string, clientId string, provider string, signinMethod
 		CodeChallenge: challenge,
 		CodeIsUsed:    false,
 		CodeExpireIn:  time.Now().Add(time.Minute * 5).Unix(),
-		Resource:      resource,
 	}
 	_, err = AddToken(token)
 	if err != nil {
@@ -240,7 +210,7 @@ func GetOAuthCode(userId string, clientId string, provider string, signinMethod
 	}, nil
 }
 
-func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string, subjectToken string, subjectTokenType string, audience string, resource string) (interface{}, error) {
+func GetOAuthToken(grantType string, clientId string, clientSecret string, code string, verifier string, scope string, nonce string, username string, password string, host string, refreshToken string, tag string, avatar string, lang string, subjectToken string, subjectTokenType string, audience string) (interface{}, error) {
 	application, err := GetApplicationByClientId(clientId)
 	if err != nil {
 		return nil, err
@@ -266,7 +236,7 @@ func GetOAuthToken(grantType string, clientId string, clientSecret string, code
 	var tokenError *TokenError
 	switch grantType {
 	case "authorization_code": // Authorization Code Grant
-		token, tokenError, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier, resource)
+		token, tokenError, err = GetAuthorizationCodeToken(application, clientSecret, code, verifier)
 	case "password": //	Resource Owner Password Credentials Grant
 		token, tokenError, err = GetPasswordToken(application, username, password, scope, host)
 	case "client_credentials": // Client Credentials Grant
@@ -421,7 +391,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 		return nil, err
 	}
 
-	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, "", host)
+	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, host)
 	if err != nil {
 		return &TokenError{
 			Error:            EndpointError,
@@ -575,7 +545,7 @@ func createGuestUserToken(application *Application, clientSecret string, verifie
 	}
 
 	// Generate JWT token
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, guestUser, "", "", "", "", "", "")
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, guestUser, "", "", "", "", "")
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -625,7 +595,7 @@ func generateGuestUsername() string {
 
 // GetAuthorizationCodeToken
 // Authorization code flow
-func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string, resource string) (*Token, *TokenError, error) {
+func GetAuthorizationCodeToken(application *Application, clientSecret string, code string, verifier string) (*Token, *TokenError, error) {
 	if code == "" {
 		return nil, &TokenError{
 			Error:            InvalidRequest,
@@ -693,14 +663,6 @@ func GetAuthorizationCodeToken(application *Application, clientSecret string, co
 		}, nil
 	}
 
-	// RFC 8707: Validate resource parameter matches the one in the authorization request
-	if resource != token.Resource {
-		return nil, &TokenError{
-			Error:            InvalidGrant,
-			ErrorDescription: fmt.Sprintf("resource parameter does not match authorization request, expected: [%s], got: [%s]", token.Resource, resource),
-		}, nil
-	}
-
 	nowUnix := time.Now().Unix()
 	if nowUnix > token.CodeExpireIn {
 		// code must be used within 5 minutes
@@ -757,7 +719,7 @@ func GetPasswordToken(application *Application, username string, password string
 		return nil, nil, err
 	}
 
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, "", host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -803,7 +765,7 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 		Type:  "application",
 	}
 
-	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", "", "", scope, "", host)
+	accessToken, _, tokenName, err := generateJwtToken(application, nullUser, "", "", "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -867,7 +829,7 @@ func GetTokenByUser(application *Application, user *User, scope string, nonce st
 		return nil, err
 	}
 
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", nonce, scope, "", host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", nonce, scope, host)
 	if err != nil {
 		return nil, err
 	}
@@ -974,7 +936,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 		return nil, nil, err
 	}
 
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", "", "", host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", "", host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,
@@ -1148,7 +1110,7 @@ func GetTokenExchangeToken(application *Application, clientSecret string, subjec
 	}
 
 	// Generate new JWT token
-	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, "", host)
+	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
 			Error:            EndpointError,

object/wellknown_oauth_prm.go

@@ -1,4 +1,4 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.

object/wellknown_oauth_prm_test.go

@@ -0,0 +1,105 @@
+// Copyright 2021 The Casdoor Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package object
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestGetOauthProtectedResourceMetadata(t *testing.T) {
+	// Test global discovery
+	host := "door.casdoor.com"
+	metadata := GetOauthProtectedResourceMetadata(host)
+
+	// Verify required fields are present
+	if metadata.Resource == "" {
+		t.Error("Resource field should not be empty")
+	}
+
+	if len(metadata.AuthorizationServers) == 0 {
+		t.Error("AuthorizationServers should not be empty")
+	}
+
+	// Verify resource and auth server match for global discovery
+	if metadata.Resource != metadata.AuthorizationServers[0] {
+		t.Errorf("For global discovery, Resource (%s) should match AuthorizationServers[0] (%s)",
+			metadata.Resource, metadata.AuthorizationServers[0])
+	}
+
+	// Verify it starts with https for proper domain
+	if len(metadata.Resource) < 8 || metadata.Resource[:8] != "https://" {
+		t.Errorf("Resource should start with https:// for domain, got: %s", metadata.Resource)
+	}
+
+	// Verify bearer methods supported
+	if len(metadata.BearerMethodsSupported) == 0 {
+		t.Error("BearerMethodsSupported should not be empty")
+	}
+
+	// Verify scopes supported
+	if len(metadata.ScopesSupported) == 0 {
+		t.Error("ScopesSupported should not be empty")
+	}
+}
+
+func TestGetOauthProtectedResourceMetadataByApplication(t *testing.T) {
+	// Test application-specific discovery
+	host := "door.casdoor.com"
+	appName := "my-app"
+	metadata := GetOauthProtectedResourceMetadataByApplication(host, appName)
+
+	// Verify required fields are present
+	if metadata.Resource == "" {
+		t.Error("Resource field should not be empty")
+	}
+
+	if len(metadata.AuthorizationServers) == 0 {
+		t.Error("AuthorizationServers should not be empty")
+	}
+
+	// Verify resource includes application name
+	expectedSuffix := "/.well-known/" + appName
+	if !strings.HasSuffix(metadata.Resource, expectedSuffix) {
+		t.Errorf("Resource should end with %s, got: %s", expectedSuffix, metadata.Resource)
+	}
+
+	// Verify auth server includes application name
+	if !strings.HasSuffix(metadata.AuthorizationServers[0], expectedSuffix) {
+		t.Errorf("AuthorizationServers[0] should end with %s, got: %s", expectedSuffix, metadata.AuthorizationServers[0])
+	}
+
+	// Verify resource and auth server match for application-specific discovery
+	if metadata.Resource != metadata.AuthorizationServers[0] {
+		t.Errorf("For application-specific discovery, Resource (%s) should match AuthorizationServers[0] (%s)",
+			metadata.Resource, metadata.AuthorizationServers[0])
+	}
+}
+
+func TestOauthProtectedResourceMetadataLocalhost(t *testing.T) {
+	// Test localhost (should use http://)
+	host := "localhost:8000"
+	metadata := GetOauthProtectedResourceMetadata(host)
+
+	// Verify it starts with http for localhost
+	if len(metadata.Resource) < 7 || metadata.Resource[:7] != "http://" {
+		t.Errorf("Resource should start with http:// for localhost, got: %s", metadata.Resource)
+	}
+
+	// Verify the host is included
+	if !strings.HasSuffix(metadata.Resource, host) {
+		t.Errorf("Resource should end with %s, got: %s", host, metadata.Resource)
+	}
+}

routers/router.go

@@ -298,7 +298,6 @@ func InitAPI() {
 	web.Router("/api/login/oauth/access_token", &controllers.ApiController{}, "POST:GetOAuthToken")
 	web.Router("/api/login/oauth/refresh_token", &controllers.ApiController{}, "POST:RefreshToken")
 	web.Router("/api/login/oauth/introspect", &controllers.ApiController{}, "POST:IntrospectToken")
-	web.Router("/api/oauth/register", &controllers.ApiController{}, "POST:DynamicClientRegister")
 
 	web.Router("/api/get-records", &controllers.ApiController{}, "GET:GetRecords")
 	web.Router("/api/get-records-filter", &controllers.ApiController{}, "POST:GetRecordsByFilter")
@@ -321,8 +320,6 @@ func InitAPI() {
 
 	web.Router("/.well-known/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscovery")
 	web.Router("/.well-known/:application/openid-configuration", &controllers.RootController{}, "GET:GetOidcDiscoveryByApplication")
-	web.Router("/.well-known/oauth-authorization-server", &controllers.RootController{}, "GET:GetOAuthServerMetadata")
-	web.Router("/.well-known/:application/oauth-authorization-server", &controllers.RootController{}, "GET:GetOAuthServerMetadataByApplication")
 	web.Router("/.well-known/jwks", &controllers.RootController{}, "*:GetJwks")
 	web.Router("/.well-known/:application/jwks", &controllers.RootController{}, "*:GetJwksByApplication")
 	web.Router("/.well-known/webfinger", &controllers.RootController{}, "GET:GetWebFinger")

routers/static_filter.go

@@ -89,7 +89,7 @@ func fastAutoSignin(ctx *context.Context) (string, error) {
 		return "", nil
 	}
 
-	code, err := object.GetOAuthCode(userId, clientId, "", "autoSignin", responseType, redirectUri, scope, state, nonce, codeChallenge, "", ctx.Request.Host, getAcceptLanguage(ctx))
+	code, err := object.GetOAuthCode(userId, clientId, "", "autoSignin", responseType, redirectUri, scope, state, nonce, codeChallenge, ctx.Request.Host, getAcceptLanguage(ctx))
 	if err != nil {
 		return "", err
 	} else if code.Message != "" {

web/src/ApplicationEditPage.js

@@ -48,7 +48,6 @@ import ProviderTable from "./table/ProviderTable";
 import SigninMethodTable from "./table/SigninMethodTable";
 import SignupTable from "./table/SignupTable";
 import SamlAttributeTable from "./table/SamlAttributeTable";
-import ScopeTable from "./table/ScopeTable";
 import PromptPage from "./auth/PromptPage";
 import copy from "copy-to-clipboard";
 import ThemeEditor from "./common/theme/ThemeEditor";
@@ -308,61 +307,6 @@ class ApplicationEditPage extends React.Component {
               }} />
             </Col>
           </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("general:Category"), i18next.t("general:Category - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select
-                virtual={false}
-                style={{width: "100%"}}
-                value={this.state.application.category}
-                onChange={(value) => {
-                  this.updateApplicationField("category", value);
-                  if (value === "Agent") {
-                    this.updateApplicationField("type", "MCP");
-                  } else {
-                    this.updateApplicationField("type", "All");
-                  }
-                }}
-              >
-                <Option value="Default">Default</Option>
-                <Option value="Agent">Agent</Option>
-              </Select>
-            </Col>
-          </Row>
-          <Row style={{marginTop: "20px"}} >
-            <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-              {Setting.getLabel(i18next.t("general:Type"), i18next.t("general:Type - Tooltip"))} :
-            </Col>
-            <Col span={21} >
-              <Select
-                virtual={false}
-                style={{width: "100%"}}
-                value={this.state.application.type}
-                onChange={(value) => {
-                  this.updateApplicationField("type", value);
-                }}
-              >
-                {
-                  (this.state.application.category === "Agent") ? (
-                    <>
-                      <Option value="MCP">MCP</Option>
-                      <Option value="A2A">A2A</Option>
-                    </>
-                  ) : (
-                    <>
-                      <Option value="All">All</Option>
-                      <Option value="OIDC">OIDC</Option>
-                      <Option value="OAuth">OAuth</Option>
-                      <Option value="SAML">SAML</Option>
-                      <Option value="CAS">CAS</Option>
-                    </>
-                  )
-                }
-              </Select>
-            </Col>
-          </Row>
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
               {Setting.getLabel(i18next.t("general:Is shared"), i18next.t("general:Is shared - Tooltip"))} :
@@ -572,22 +516,6 @@ class ApplicationEditPage extends React.Component {
               </Select>
             </Col>
           </Row>
-          {
-            (this.state.application.category === "Agent") ? (
-              <Row style={{marginTop: "20px"}} >
-                <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
-                  {Setting.getLabel(i18next.t("general:Scopes"), i18next.t("general:Scopes - Tooltip"))} :
-                </Col>
-                <Col span={21} >
-                  <ScopeTable
-                    title={i18next.t("general:Scopes")}
-                    table={this.state.application.scopes}
-                    onUpdateTable={(value) => {this.updateApplicationField("scopes", value);}}
-                  />
-                </Col>
-              </Row>
-            ) : null
-          }
           <Row style={{marginTop: "20px"}} >
             <Col style={{marginTop: "5px"}} span={(Setting.isMobile()) ? 22 : 3}>
               {Setting.getLabel(i18next.t("application:Token format"), i18next.t("application:Token format - Tooltip"))} :

web/src/ApplicationListPage.js

@@ -38,9 +38,6 @@ class ApplicationListPage extends BaseListPage {
       organization: organizationName,
       createdTime: moment().format(),
       displayName: `New Application - ${randomName}`,
-      category: "Default",
-      type: "All",
-      scopes: [],
       logo: `${Setting.StaticBaseUrl}/img/casdoor-logo_1185x256.png`,
       enablePassword: true,
       enableSignUp: true,
@@ -182,40 +179,6 @@ class ApplicationListPage extends BaseListPage {
         sorter: true,
         ...this.getColumnSearchProps("displayName"),
       },
-      {
-        title: i18next.t("general:Category"),
-        dataIndex: "category",
-        key: "category",
-        width: "120px",
-        sorter: true,
-        ...this.getColumnSearchProps("category"),
-        render: (text, record, index) => {
-          const category = text;
-          const tagColor = category === "Agent" ? "green" : "blue";
-          return (
-            <span style={{
-              padding: "4px 8px",
-              borderRadius: "4px",
-              backgroundColor: tagColor,
-              color: "white",
-              fontWeight: "500",
-            }}>
-              {category}
-            </span>
-          );
-        },
-      },
-      {
-        title: i18next.t("general:Type"),
-        dataIndex: "type",
-        key: "type",
-        width: "100px",
-        sorter: true,
-        ...this.getColumnSearchProps("type"),
-        render: (text, record, index) => {
-          return text;
-        },
-      },
       {
         title: "Logo",
         dataIndex: "logo",

web/src/table/ScopeTable.js

@@ -1,166 +0,0 @@
-// Copyright 2026 The Casdoor Authors. All Rights Reserved.
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//      http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-import React from "react";
-import {DeleteOutlined, DownOutlined, UpOutlined} from "@ant-design/icons";
-import {Button, Input, Table, Tooltip} from "antd";
-import * as Setting from "../Setting";
-import i18next from "i18next";
-
-class ScopeTable extends React.Component {
-  constructor(props) {
-    super(props);
-    this.state = {
-      classes: props,
-    };
-  }
-
-  updateTable(table) {
-    this.props.onUpdateTable(table);
-  }
-
-  updateField(table, index, key, value) {
-    table[index][key] = value;
-    this.updateTable(table);
-  }
-
-  addRow(table) {
-    const row = {name: "", displayName: "", description: ""};
-    if (table === undefined) {
-      table = [];
-    }
-    table = Setting.addRow(table, row);
-    this.updateTable(table);
-  }
-
-  deleteRow(table, i) {
-    table = Setting.deleteRow(table, i);
-    this.updateTable(table);
-  }
-
-  upRow(table, i) {
-    table = Setting.swapRow(table, i - 1, i);
-    this.updateTable(table);
-  }
-
-  downRow(table, i) {
-    table = Setting.swapRow(table, i, i + 1);
-    this.updateTable(table);
-  }
-
-  renderTable(table) {
-    if (table === null) {
-      return null;
-    }
-
-    const columns = [
-      {
-        title: i18next.t("general:Name"),
-        dataIndex: "name",
-        key: "name",
-        width: "25%",
-        render: (text, record, index) => {
-          return (
-            <Input
-              value={text}
-              placeholder="e.g., files:read"
-              onChange={e => {
-                this.updateField(table, index, "name", e.target.value);
-              }}
-            />
-          );
-        },
-      },
-      {
-        title: i18next.t("general:Display name"),
-        dataIndex: "displayName",
-        key: "displayName",
-        width: "25%",
-        render: (text, record, index) => {
-          return (
-            <Input
-              value={text}
-              placeholder="e.g., Read Files"
-              onChange={e => {
-                this.updateField(table, index, "displayName", e.target.value);
-              }}
-            />
-          );
-        },
-      },
-      {
-        title: i18next.t("general:Description"),
-        dataIndex: "description",
-        key: "description",
-        width: "40%",
-        render: (text, record, index) => {
-          return (
-            <Input
-              value={text}
-              placeholder="e.g., Allow reading your files and documents"
-              onChange={e => {
-                this.updateField(table, index, "description", e.target.value);
-              }}
-            />
-          );
-        },
-      },
-      {
-        title: i18next.t("general:Action"),
-        key: "action",
-        width: "10%",
-        render: (text, record, index) => {
-          return (
-            <div>
-              <Tooltip placement="bottomLeft" title={i18next.t("general:Up")}>
-                <Button style={{marginRight: "5px"}} disabled={index === 0} icon={<UpOutlined />} size="small" onClick={() => this.upRow(table, index)} />
-              </Tooltip>
-              <Tooltip placement="topLeft" title={i18next.t("general:Down")}>
-                <Button style={{marginRight: "5px"}} disabled={index === table.length - 1} icon={<DownOutlined />} size="small" onClick={() => this.downRow(table, index)} />
-              </Tooltip>
-              <Tooltip placement="topLeft" title={i18next.t("general:Delete")}>
-                <Button icon={<DeleteOutlined />} size="small" onClick={() => this.deleteRow(table, index)} />
-              </Tooltip>
-            </div>
-          );
-        },
-      },
-    ];
-
-    return (
-      <div>
-        <Table scroll={{x: "max-content"}} rowKey={(record, index) => index} columns={columns} dataSource={table} size="middle" bordered pagination={false}
-          title={() => (
-            <div>
-              {this.props.title}&nbsp;&nbsp;&nbsp;&nbsp;
-              <Button style={{marginRight: "5px"}} type="primary" size="small" onClick={() => this.addRow(table)}>{i18next.t("general:Add")}</Button>
-            </div>
-          )}
-        />
-      </div>
-    );
-  }
-
-  render() {
-    return (
-      <div>
-        {
-          this.renderTable(this.props.table)
-        }
-      </div>
-    );
-  }
-}
-
-export default ScopeTable;