stacklok / toolhive / 21189106084
Build:
DEFAULT BRANCH: main
Ran 20 Jan 2026 10:18PM UTC
Jobs 1
Files 454
Run time 1min
20 Jan 2026 10:10PM UTC coverage: 59.519% (-0.01%) from 59.532%
Build 21189106084 · push · github · web-flow
Add UserStorage interface to authserver for multi-IDP support (#3358)

Add UserStorage interface for multi-IDP support

The primary goal of this change is to provide a stable, unique "sub" claim
for tokens issued by ToolHive's authorization server, decoupled from any
specific upstream identity provider (IDP).

Without an internal user identity layer, ToolHive would be tightly coupled
to a single upstream IDP. The upstream provider's "sub" claim would flow
directly into issued tokens, creating problems:

- Changing or adding IDP providers would break existing user identities
- No path to supporting multiple IDPs (e.g., Google AND GitHub)
- The "sub" claim in issued tokens would be outside our control

Moreover, with pure OAuth providers we would /need/ to have a "sub"
claim in the upstream token to use it in the first place. This was
already hit by Trey and Gautam with Atlassian.

Introduce an internal User identity with a stable ID that becomes the "sub"
claim in all ToolHive-issued tokens. The upstream provider's subject is
stored separately in ProviderIdentity, creating an abstraction layer:

```
Upstream IDP          ToolHive                    Downstream
============          ========                    ==========
                      User.ID=uuid-xxx --------> JWT sub=uuid-xxx
                           ^
Google sub=abc123 -----> ProviderIdentity
GitHub sub=def456 -----> ProviderIdentity (future: multi-IDP support)
```

This enables:
- Adding new IDP providers without affecting existing users
- Future account linking (one user, multiple providers)
- Consistent "sub" claim regardless of authentication method

- New User and ProviderIdentity types with UserStorage interface
- UpstreamTokens now tracks ProviderID and separates UserID from UpstreamSubject
- DeleteUser cascades to remove associated ProviderIdentities and UpstreamTokens
- MemoryStorage implementation with full test coverage

This storage layer will be used by the OAuth callback handle... (continued)

152 of 306 new or added lines in 2 files covered. (49.67%)

8 existing lines in 3 files now uncovered.

36276 of 60949 relevant lines covered (59.52%)

79.15 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
154    2.16      -0.83%  pkg/authserver/storage/mocks/mock_storage.go

Uncovered Existing Lines

Lines  Coverage  ∆       File
2      57.89     -3.51%  pkg/transport/session/sse_session.go
2      71.43     -1.68%  pkg/vmcp/k8s/manager.go
4      80.27     -1.08%  pkg/transport/proxy/httpsse/http_proxy.go
Jobs

ID  Job ID         Ran                       Files  Coverage
1   21189106084.1  20 Jan 2026 10:18PM UTC   454    59.52     (GitHub Action Run)
Source Files on build 21189106084: 454 files listed, 10 changed, 3 source changed, 10 coverage changed

  • Github Actions Build #21189106084
  • Commit bbaee66b on github
  • Prev Build on main (#21186587844)
  • Next Build on main (#21190284846)
© 2026 Coveralls, Inc