stacklok / toolhive / 18115880722

50%

Build Type

push

github

Committed by web-flow

Commit Message

Fix remote MCP server authentication with issuer mismatch (#1980)

This fixes authentication failures when remote MCP servers return a
different issuer URL than their public-facing URL in the OIDC discovery
response.

The fix adds a new priority level to the issuer discovery algorithm,
placing well-known endpoint discovery before URL derivation. This allows
accepting the authoritative issuer from the .well-known/openid-configuration
endpoint even when it differs from the server URL, complying with RFC 8414.

New discovery priority chain:
1. Configured issuer (if provided)
2. Realm-derived issuer (RFC 8414)
3. Resource metadata discovery (RFC 9728)
4. Well-known endpoint discovery (NEW - accepts actual issuer)
5. URL-derived issuer (fallback)

Changes:
- Add tryDiscoverFromWellKnown to attempt discovery before URL derivation
- Accept the actual issuer from ValidateAndDiscoverAuthServer
- Preserve HTTP scheme for localhost URLs in DeriveIssuerFromURL
- Add path normalization to DeriveIssuerFromRealm for security
- Add comprehensive test coverage for discovery priority chain
- Fix linting issues with constants and parallel test execution

The fix maintains backward compatibility while supporting real-world
OAuth deployments where the issuer differs from the server endpoint.

Fixes #1957

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

Run Details

42 of 46 new or added lines in 2 files covered. (91.3%)

9 existing lines in 3 files now uncovered.

16162 of 35701 relevant lines covered (45.27%)

15.5 hits per line