
stacklok / toolhive / 21064766328
59%

Build:
DEFAULT BRANCH: main
Ran 16 Jan 2026 11:20AM UTC
Jobs 1
Files 446
Run time 1min
16 Jan 2026 11:13AM UTC coverage: 58.884% (+0.2%) from 58.658%
21064766328

push

github

web-flow
Add OAuth2 authorization server configuration and JWKS utilities (#3306)

* Add OAuth2 authorization server configuration and JWKS utilities

Implement the client-facing OAuth2 authorization server configuration
using Ory Fosite's composable handler architecture. The core integration
centers on AuthorizationServerConfig, a wrapper around fosite.Config that
extends it with JWK/JWKS support for JWT signing. A Factory pattern
enables pluggable handler composition where each factory receives the
full config, storage, and strategy, returning handlers that are auto-
registered based on which fosite interfaces they implement
(AuthorizeEndpointHandler, TokenEndpointHandler, TokenIntrospector,
RevocationHandler, PushedAuthorizeEndpointHandler). Security settings
include enforced PKCE with S256-only per MCP specification, token
lifespan bounds validation, and HMAC secret rotation support via
RotatedGlobalSecrets for zero-downtime key changes.

This module serves as the configuration layer in the authserver's
federation model, where ToolHive acts as an intermediary between MCP
clients and upstream identity providers. MCP clients authenticate to
this authorization server, which then federates authentication to
upstream IDPs. AuthorizationServerConfig bridges AuthorizationServerParams
(cryptographic materials, token lifespans, issuer URL) with the fosite
framework, and is consumed by both the storage layer (fosite's
authorization/token/PKCE handlers) and the HTTP handlers serving OAuth2
endpoints. PublicJWKS() enables safe key exposure at /.well-known/jwks.json
for client token verification.

* Address PR review feedback for OAuth2 server config

- Validate rotated HMAC secrets meet minimum length requirement,
  not just the current secret. This is defense-in-depth to catch
  misconfiguration when HMACSecrets is constructed directly.
- Rename GetSigningJWKS to GetPrivateSigningJWKS to make it explicit
  that this method returns private key material, reducing risk ... (continued)

119 of 145 new or added lines in 2 files covered. (82.07%)

8 existing lines in 1 file now uncovered.

34864 of 59208 relevant lines covered (58.88%)

81.77 hits per line

New Missed Lines in Diff

Lines | Coverage | ∆ | File
26 | 81.29 | | pkg/authserver/server/provider.go

Uncovered Existing Lines

Lines | Coverage | ∆ | File
8 | 54.74 | -8.42% | pkg/secrets/keyring/keyctl_linux.go
Jobs
ID | Job ID | Ran | Files | Coverage
1 | 21064766328.1 | 16 Jan 2026 11:20AM UTC | 446 | 58.88
GitHub Action Run
Source Files on build 21064766328
  • Tree
  • List 446
  • Changed 5
  • Source Changed 1
  • Coverage Changed 5
  • 8cd04cbf on github
  • Prev Build on main (#21061283992)
  • Next Build on main (#21066441899)