
stacklok / toolhive / 21494693263
61%

Build:
DEFAULT BRANCH: main
Ran 29 Jan 2026 09:13PM UTC
Jobs 1
Files 487
Run time 1min

29 Jan 2026 09:05PM UTC coverage: 60.485% (-0.005%) from 60.49%
21494693263

push

github

web-flow
Add core OAuth authorization server interface and implementation (#3513)

This commit introduces a centralized OAuth 2.0 Authorization Server for
ToolHive, enabling MCP clients to authenticate via external Identity
Providers (like Google, Okta) and receive JWTs for accessing MCP servers.

Why this change:
- MCP clients need a way to authenticate users and obtain tokens
- ToolHive needs to issue its own JWTs rather than passing through IDP tokens
- Centralizing auth allows consistent token format across all MCP servers

Core changes:

Server interface (server.go):
- Handler() returns HTTP handler for all OAuth/OIDC endpoints
- IDPTokenStorage() provides access to upstream IDP tokens for middleware
- Close() releases resources

Implementation (server_impl.go):
- Integrates with fosite OAuth 2.0 framework
- Authorization code grant with PKCE (RFC 7636)
- JWT access tokens with asymmetric signing (JWKS endpoint)
- HMAC-signed authorization codes and refresh tokens
- Upstream IDP delegation for user authentication

Endpoints served:
- /.well-known/openid-configuration (OIDC Discovery)
- /.well-known/oauth-authorization-server (RFC 8414)
- /.well-known/jwks.json (JSON Web Key Set)
- /oauth/authorize (Authorization endpoint)
- /oauth/token (Token endpoint)
- /oauth/callback (Upstream IDP callback)
- /oauth/register (Dynamic Client Registration, RFC 7591)

Drive-by fixes discovered during integration:
- Add ScopesSupported to OAuth metadata (RFC 8414 compliance)
- Remove duplicate ScopesSupported field from OIDCDiscoveryDocument
  that shadowed the embedded AuthorizationServerMetadata field
- Sanitize upstream IDP error messages to avoid exposing internal
  details to clients (security hardening)
- Add mockgen directive for upstream.OAuth2Provider interface

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

125 of 215 new or added lines in 6 files covered. (58.14%)

2 existing lines in 1 file now uncovered.

39368 of 65087 relevant lines covered (60.49%)

76.1 hits per line

New Missed Lines in Diff

Lines  Coverage  ∆       File
1      80.1      0.21%   pkg/authserver/server/handlers/callback.go
17     86.72             pkg/authserver/server_impl.go
72     6.49              pkg/authserver/upstream/mocks/mock_provider.go

Uncovered Existing Lines

Lines  Coverage  ∆       File
2      82.83     -0.26%  pkg/vmcp/composer/workflow_engine.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   21494693263.1  29 Jan 2026 09:13PM UTC  487    60.49
  • e0ee33ea on github