pomerium / pomerium / 21318612414
44%

Build:
DEFAULT BRANCH: main
Ran 24 Jan 2026 05:16PM UTC
Jobs 1
Files 613
Run time 1min
24 Jan 2026 05:10PM UTC coverage: 45.858% (-0.003%) from 45.861%
21318612414

push

github

web-flow
mcp: add OAuth 2.1 conformance tests for security behaviors (#6055)

## Summary

Add comprehensive E2E tests verifying MCP authorization server
compliance with OAuth 2.1 security requirements as specified in MCP
Authorization Spec (2025-11-25).

**New test coverage in `mcp_conformance_test.go`:**
- Token endpoint authentication (`client_secret_basic`)
- PKCE code verifier validation (wrong/missing/empty verifier)
- Authorization code replay protection (reuse, cross-client)
- Refresh token security (rotation, revocation, cross-client, malformed)
- Access token validation (missing, invalid, valid tokens)

**Refactored `mcp_auth_flow_test.go`:**
- Removed duplicate tests now covered by conformance tests (steps 7-8)
- Retained OAuth discovery flow tests (steps 1-6)

**Skipped tests (pending implementation):**
- `client_secret_basic` authentication validation not yet implemented in
`handler_token.go`

## Related issues

- Conformance suite reference:
https://github.com/modelcontextprotocol/conformance
- Fix https://linear.app/pomerium/issue/ENG-3464

## User Explanation

No user-facing changes. This PR adds internal test coverage for MCP
OAuth security behaviors.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [x] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [x] ready for review

30604 of 66737 relevant lines covered (45.86%)

106.79 hits per line

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|-------|----------|---|------|
| 1 | 57.75 | -0.28% | internal/controlplane/server.go |
| 1 | 75.41 | 0.0% | pkg/storage/postgres/registry.go |
| 9 | 87.75 | -2.94% | config/config_source.go |

Jobs

| ID | Job ID | Ran | Files | Coverage |
|----|--------|-----|-------|----------|
| 1 | 21318612414.1 | 24 Jan 2026 05:16PM UTC | 613 | 45.86 |

GitHub Action Run
Source Files on build 21318612414
  • Tree
  • List 613
  • Changed 6
  • Source Changed 0
  • Coverage Changed 6
  • Github Actions Build #21318612414
  • 325475c4 on github
  • Prev Build on main (#21305621329)
  • Next Build on main (#21369409048)