
stacklok / toolhive / 21295146313

23 Jan 2026 05:30PM UTC coverage: 59.991% (+0.05%) from 59.937%

push

github

web-flow
Add token endpoint handler (#3408)

* Add token endpoint handler

Implement POST /oauth/token handler that exchanges authorization codes for
access tokens using fosite's access request/response flow. The handler
validates the incoming token request, retrieves the stored authorization
session, generates JWT access tokens, and supports RFC 8707 resource
parameter for audience-restricted tokens targeting specific MCP servers.

This handler completes the OAuth 2.0 authorization code flow started by the
authorize and callback handlers. When a client presents an authorization code,
fosite retrieves the session that was stored during the callback phase - this
session contains the user's subject, the upstream token session ID (tsid), and
the client ID binding. The token endpoint uses these stored claims to generate
the access token, maintaining the link between issued tokens and upstream IDP
tokens for later token injection by the proxy middleware. The test
infrastructure is extended to properly track authorization code and PKCE
sessions across the full authorize→callback→token flow.

* Add RFC 8707 audience validation for token endpoint

Implement proper validation of the resource parameter in the token
endpoint per RFC 8707. Previously, any client-provided resource was
blindly granted as the token audience, which was a security risk.

Changes:
- Add ErrInvalidTarget error for RFC 8707 invalid_target responses
- Add ValidateAudienceURI to validate URI format (absolute, no fragment,
  http/https only)
- Add ValidateAudienceAllowed to check resources against an allowlist
- Add AllowedAudiences config field to AuthorizationServerParams and
  AuthorizationServerConfig
- Update TokenHandler to validate before granting audience
- Secure default: empty AllowedAudiences rejects all resource requests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
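
The resource checks listed in the commit message above (absolute URI, no fragment, http/https only, allowlist with a reject-all default) can be sketched as follows. This is an added example, not the toolhive code: `validateResource`, `errInvalidTarget`, the exact-match allowlist comparison and the sample URIs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// errInvalidTarget is a hypothetical stand-in for the RFC 8707 invalid_target error.
var errInvalidTarget = errors.New("invalid_target")

// validateResource (hypothetical name) applies the format rules from the commit
// message (absolute, no fragment, http/https only), then the allowlist check.
// Exact string matching against the allowlist is an assumption of this example.
func validateResource(resource string, allowed []string) error {
	u, err := url.Parse(resource)
	if err != nil {
		return fmt.Errorf("%w: unparseable resource", errInvalidTarget)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("%w: scheme must be http or https", errInvalidTarget)
	}
	if u.Host == "" {
		return fmt.Errorf("%w: resource must be an absolute URI", errInvalidTarget)
	}
	// Checked on the raw string so an empty fragment ("...#") is rejected too.
	if strings.Contains(resource, "#") {
		return fmt.Errorf("%w: fragment not allowed", errInvalidTarget)
	}
	// Secure default: an empty allowlist never matches, so every request fails.
	for _, a := range allowed {
		if a == resource {
			return nil
		}
	}
	return fmt.Errorf("%w: resource not in allowlist", errInvalidTarget)
}

func main() {
	// Constructed sample values, not taken from the project.
	allowed := []string{"https://mcp.example.com/server-a"}
	for _, r := range []string{
		"https://mcp.example.com/server-a",
		"https://mcp.example.com/server-b",
		"https://mcp.example.com/server-a#frag",
		"ftp://mcp.example.com/server-a",
		"/server-a",
	} {
		fmt.Printf("%-40s -> %v\n", r, validateResource(r, allowed))
	}
	fmt.Println("empty allowlist ->", validateResource(allowed[0], nil))
}
```

Only the first sample URI is accepted; every other case, including the allowlisted URI checked against an empty allowlist, returns an error wrapping `errInvalidTarget`.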

74 of 107 new or added lines in 4 files covered. (69.16%)

41 existing lines in 7 files now uncovered.

37199 of 62008 relevant lines covered (59.99%)

79.73 hits per line

Source File

80.81
/pkg/transport/proxy/httpsse/http_proxy.go


