stacklok / toolhive / 21168189072
60%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 451
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 59.379% (+0.1%) from 59.278%
21168189072

push

github

web-flow 
Add OAuth handler infrastructure and discovery endpoints (#3321)

* Add OAuth handler infrastructure and discovery endpoints

This patch introduces the HTTP handler layer for the OAuth 2.0 authorization
server. The Handler struct coordinates all OAuth/OIDC endpoints and provides
route registration via chi router (consistent with ToolHive's API patterns).
The discovery endpoints (/.well-known/openid-configuration and jwks.json) are
fully implemented and OIDC Discovery 1.0 compliant, including the REQUIRED
fields subject_types_supported and id_token_signing_alg_values_supported. The
signing algorithms are dynamically extracted from the JWKS keys. OAuth endpoints
(authorize, token, callback, register) are stubbed for future implementation.

In the full authserver, the Handler is instantiated by server_impl.go
with four dependencies: a fosite.OAuth2Provider (the OAuth protocol engine),
AuthorizationServerConfig (issuer, token lifespans, signing keys), Storage
(where OAuth state is persisted), and an upstream.Provider (for relaying tokens
to/from the upstream IDP). The Server.Handler() method returns the chi router
as http.Handler, which can be mounted into any HTTP server. This design keeps
the handler layer focused on HTTP concerns while delegating OAuth logic to
fosite and state management to the storage layer.

* Add OAuth authorization server metadata endpoint (RFC 8414)

Add support for /.well-known/oauth-authorization-server alongside the
existing OIDC discovery endpoint for improved interoperability with
non-OIDC OAuth clients.

The MCP specification requires servers provide at least one discovery
mechanism. Supporting both RFC 8414 and OIDC Discovery 1.0 ensures
better client compatibility.

* Update authserver handlers to use shared pkg/oauth types

Refactor discovery handlers to use the shared OAuth/OIDC types from
pkg/oauth instead of local definitions

This removes the local struct definitions and aligns the authserver
with the consolidated ty... (continued)

103 of 127 new or added lines in 3 files covered. (81.1%)

166 existing lines in 5 files now uncovered.

35744 of 60196 relevant lines covered (59.38%)

80.91 hits per line

New Missed Lines in Diff

Lines Coverage File
24
76.0
 pkg/authserver/server/handlers/discovery.go

Uncovered Existing Lines

Lines Coverage File
2
71.43
 -1.68% pkg/vmcp/k8s/manager.go
3
81.35
 -0.27% pkg/transport/proxy/httpsse/http_proxy.go
40
80.26
 1.25% pkg/auth/token.go
44
86.22
 0.87% pkg/auth/oauth/flow.go
77
59.28
 0.87% cmd/thv-operator/controllers/virtualmcpserver_deployment.go
Jobs
ID Job ID Ran Files Coverage
1 21168189072.1 451
59.38
 GitHub Action Run
Source Files on build 21168189072