stacklok / toolhive / 18789006560

24 Oct 2025 06:42PM UTC coverage: 47.478% (+0.2%) from 47.326%

push · github · web-flow
Add GitHub.com OAuth authentication provider for token introspection (#2322)

* Add GitHub.com OAuth authentication provider for token introspection

Implements a custom token introspection provider for GitHub.com OAuth
that validates GitHub OAuth tokens via GitHub's token validation API.
This enables per-user authentication scenarios where users authenticate
with their own GitHub tokens.

The provider implements the TokenIntrospector interface following the
same pattern as the existing GoogleProvider, with automatic registration
when GitHub API URLs are detected.

Key Features:
- Validates GitHub OAuth tokens via POST /applications/{client_id}/token
- Maps GitHub user attributes to JWT claims for Cedar authorization
- Supports claims: sub, login, email, scopes, site_admin, etc.
- Integrates with existing OIDC middleware for automatic opaque token detection

Security Hardening:
- Strict URL validation (api.github.com only, HTTPS required)
- SSRF protection via secured HTTP client with private IP blocking
- Local rate limiting (100 req/sec) to prevent DoS attacks
- GitHub API rate limit handling (429 responses with retry-after)

Testing:
- 10 comprehensive unit tests (all passing)
- Security tests for SSRF, HTTPS enforcement, rate limiting
- Linter clean (0 issues)

Note: Configuration examples and documentation will be added after #2321
is resolved to enable secure secret management via SecretKeyRef.

Related: #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

* Refactor NewTokenValidator to reduce complexity

Extract provider registration logic into a separate
registerIntrospectionProviders helper function to improve code
organization and reduce cyclomatic complexity.

Changes:
- Add registerIntrospectionProviders helper function that handles
  Google, GitHub, and RFC7662 provider registration
- Move client secret environment vari... (continued)

176 of 209 new or added lines in 2 files covered. (84.21%)

17 existing lines in 3 files now uncovered.

19088 of 40204 relevant lines covered (47.48%)

15.43 hits per line

Source File

/pkg/auth/github_provider.go: 91.81% covered (source not available)

© 2025 Coveralls, Inc