
stacklok / toolhive / 21295146313
60%

Build:
DEFAULT BRANCH: main
Ran 23 Jan 2026 05:37PM UTC
Jobs 1
Files 464
Run time 1min
23 Jan 2026 05:30PM UTC coverage: 59.991% (+0.05%) from 59.937%
21295146313

push

github

web-flow
Add token endpoint handler (#3408)

* Add token endpoint handler

Implement POST /oauth/token handler that exchanges authorization codes for
access tokens using fosite's access request/response flow. The handler
validates the incoming token request, retrieves the stored authorization
session, generates JWT access tokens, and supports RFC 8707 resource
parameter for audience-restricted tokens targeting specific MCP servers.

This handler completes the OAuth 2.0 authorization code flow started by the
authorize and callback handlers. When a client presents an authorization code,
fosite retrieves the session that was stored during the callback phase - this
session contains the user's subject, the upstream token session ID (tsid), and
the client ID binding. The token endpoint uses these stored claims to generate
the access token, maintaining the link between issued tokens and upstream IDP
tokens for later token injection by the proxy middleware. The test
infrastructure is extended to properly track authorization code and PKCE
sessions across the full authorize→callback→token flow.

* Add RFC 8707 audience validation for token endpoint

Implement proper validation of the resource parameter in the token
endpoint per RFC 8707. Previously, any client-provided resource was
blindly granted as the token audience, which was a security risk.

Changes:
- Add ErrInvalidTarget error for RFC 8707 invalid_target responses
- Add ValidateAudienceURI to validate URI format (absolute, no fragment,
  http/https only)
- Add ValidateAudienceAllowed to check resources against an allowlist
- Add AllowedAudiences config field to AuthorizationServerParams and
  AuthorizationServerConfig
- Update TokenHandler to validate before granting audience
- Secure default: empty AllowedAudiences rejects all resource requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

74 of 107 new or added lines in 4 files covered. (69.16%)

41 existing lines in 7 files now uncovered.

37199 of 62008 relevant lines covered (59.99%)

79.73 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆        File
2      93.75              pkg/authserver/server/audience.go
4      83.22     -1.67%   pkg/authserver/server/provider.go
27     55.74              pkg/authserver/server/handlers/token.go

Uncovered Existing Lines

Lines  Coverage  ∆        File
2      70.8      -0.73%   pkg/runner/config.go
2      80.81     -0.54%   pkg/transport/proxy/httpsse/http_proxy.go
2      57.89     -3.51%   pkg/transport/session/sse_session.go
2      84.23     -0.28%   pkg/vmcp/composer/workflow_engine.go
8      25.0      -4.44%   pkg/client/manager.go
11     65.0      -13.75%  pkg/client/discovery.go
14     66.67     -7.91%   pkg/client/config.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   21295146313.1  23 Jan 2026 05:37PM UTC  464    59.99
  • b7af76f7 on github