stacklok / toolhive / 21530685553

push

github

Persist DCR client credentials for OAuth session restoration (#3418)

* Persist DCR client credentials for OAuth session restoration

Extend OAuth token persistence to also store Dynamic Client Registration
(DCR) client credentials. This enables workloads that use DCR (like Datadog
and Glean) to restore OAuth sessions across restarts without requiring a
new browser-based authentication flow.

Changes:
- Add CachedClientIDRef and CachedClientSecretRef fields to remote.Config
- Add HasCachedClientCredentials() and ClearCachedClientCredentials() helpers
- Add TokenTypeOAuthClientID to secrets for secure storage
- Expose ClientID and ClientSecret in OAuthFlowResult from discovery
- Add ClientCredentialsPersister type for DCR credential persistence
- Update handler to restore and persist DCR credentials
- Update runner to wire up the client credentials persister

For PKCE flows (like Datadog), only the client_id is persisted since
no client_secret is issued.

Closes gh-3335

Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>

* fix(lint): move nosec comment to same line to satisfy gosec

Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>

* fix: address DCR review feedback

- Store ClientID as plain text instead of secret reference (it's public)
- Add CachedClientSecretExpiresAt field for expiration tracking
- Add CachedRegistrationAccessTokenRef field for registration updates
- Update handler to use plain text ClientID
- Simplify runner.go to not store ClientID in secret manager

* fix: address review feedback - remove unused TokenTypeOAuthClientID

- Remove TokenTypeOAuthClientID from secrets.go (client_id stored as plain text)
- Use lowercase test values for CachedClientID to reflect plain text storage

Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>

---------

Signed-off-by: Frederic Le Feurmou <flfeurmou@indeed.com>

9 of 67 new or added lines in 4 files covered. (13.43%)

39449 of 65373 relevant lines covered (60.34%)

76.37 hits per line