stacklok / toolhive / 21265055373

22 Jan 2026 09:11PM UTC coverage: 59.78% (-0.05%) from 59.829%
push

github

web-flow
feat(auth): persist OAuth tokens across workload restarts (#3382)

* feat(auth): persist OAuth tokens across workload restarts

This change enables remote MCP servers (like Datadog and Glean) to
restore their OAuth sessions after workload restarts without requiring
a new browser-based login.

Changes:
- Add CachedAccessToken, CachedRefreshToken, CachedTokenExpiry fields
  to remote.Config for token persistence
- Create PersistingTokenSource wrapper to save tokens when refreshed
- Modify Handler.Authenticate to restore from cached tokens when available
- Add token persister callback in runner to save tokens to config state

Fixes #3331

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* chore: retry CI

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor(auth): store OAuth tokens in secret manager

Address reviewer feedback:
- Store refresh tokens securely in secret manager instead of plain text config
- Remove access token caching (can be regenerated from refresh token)
- Add TokenTypeOAuthRefreshToken for proper secret categorization
- Gracefully handle missing secret manager (tokens won't persist but OAuth works)

Security improvement: tokens are now stored in OS keyring/encrypted storage,
config only contains the secret reference (e.g., OAUTH_REFRESH_TOKEN_workload)

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor(auth): dedupe discovery calls in Authenticate

Address reviewer nit #3: DetectAuthenticationFromServer and discoverIssuerAndScopes
were called in both tryRestoreFromCachedTokens and authenticateWithOAuth.

Now these are called once in Authenticate and the results are passed to both
tryRestoreFromCachedTokens and performOAuthFlow, avoiding redundant network calls.

Signed-off-by: Frédéric LE FEURMOU <flfeurmou@indeed.com>

* refactor: only persist when refresh token changes

Avoids unnecessary writes since refresh tokens are long-lived
and usually don't change on every access-token refresh.... (continued)

63 of 223 new or added lines in 5 files covered. (28.25%)

16 existing lines in 6 files now uncovered.

36873 of 61681 relevant lines covered (59.78%)

78.95 hits per line

Source File
43.8
/pkg/auth/remote/handler.go

