stacklok / toolhive / 17645412382

59%

Build Type

push

github

Committed by web-flow

Commit Message

Fix OAuth issuer discovery to comply with RFC 8414 and RFC 9728 (#1839)

- Add support for RFC 9728 Protected Resource Metadata discovery
- Fix issuer detection to properly handle cases where the metadata URL differs from the actual issuer (e.g., Stripe's case)
- Add resource_metadata parameter parsing from WWW-Authenticate header
- Implement FetchResourceMetadata to retrieve protected resource metadata
- Add ValidateAndDiscoverAuthServer to handle issuer validation and discovery
- Update OAuth flow to use pre-discovered endpoints when available
- Fix DeriveIssuerFromRealm to validate realm as a proper HTTPS URL
- Add DiscoverActualIssuer in OIDC package to handle issuer mismatch cases
- Add workaround for resource metadata that incorrectly lists authorization servers that don't match the actual issuer (validates each server and uses the discovered issuer)
- Update tests to reflect the new DeriveIssuerFromRealm function behavior

This fixes the bug where issuer detection was incorrectly trying to derive
the issuer from the remote URL instead of using the realm parameter or
fetching resource metadata as specified in the RFCs.

The implementation now properly handles edge cases like Stripe's where the
resource metadata URL hosts the authorization server metadata but the actual
issuer identifier is different.

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Run Details

148 of 282 new or added lines in 3 files covered. (52.48%)

29 existing lines in 5 files now uncovered.

12270 of 30695 relevant lines covered (39.97%)

17.06 hits per line