stacklok / toolhive / 21729113644
63%

Build:
Default branch: main
Ran: 05 Feb 2026 09:34PM UTC
Jobs: 1
Files: 495
Run time: 1min
05 Feb 2026 09:26PM UTC coverage: 60.931% (-0.004%) from 60.935%
Build: 21729113644
Trigger: push
Service: github
Committer: web-flow
Add OIDC provider methods and ID token validation (#3580)

* Add OIDC provider methods and ID token validation

This implements the remaining OIDC provider functionality building on the OIDCProvider type. The changes add WithNonce authorization option for replay attack prevention, AuthorizationURL with OIDC-specific parameters (nonce, prompt), ExchangeCode with mandatory ID token validation per OIDC Core spec section 3.1.3.3, and RefreshTokens with optional ID token validation per section 12.2. The validateIDToken function uses the go-oidc library verifier to ensure proper token validation. Comprehensive tests cover all new methods using table-driven patterns.

This is part of the larger auth-proxy effort to add proper OIDC upstream support to the embedded auth server. It follows the initial OIDC provider type addition and will be followed by integration tests that verify the end-to-end OIDC flow, and then config pipeline changes that preserve the OIDC provider type through the authserver configuration so that OIDC-specific features like ID token validation are available at runtime.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Address PR review feedback and add sub claim validation

- Wrap validateIDToken error for debugging context (reviewer feedback)
- Clarify ExchangeCode nonce deferral with accurate comments
- Use validateIDToken consistently in ExchangeCode and RefreshTokens
  instead of calling p.verifier.Verify directly
- Document intentional nonce omission in RefreshTokens per Section 12.2
- Add sub claim validation to RefreshTokens per OIDC Core Section 12.2
  (sub MUST match original on refresh) with ErrSubjectMismatch sentinel
- Update OAuth2Provider interface to accept expectedSubject parameter

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add ErrNonceMissing sentinel and validate openid scope

Address review feedback from tgrunnagle:

- Add ErrNonceMissing sentinel error for consistency with ErrNonceMismatch
 ... (continued)

101 of 121 new or added lines in 3 files covered. (83.47%)

37 existing lines in 5 files now uncovered.

41192 of 67604 relevant lines covered (60.93%)

78.38 hits per line

New Missed Lines in Diff

Lines   Coverage   ∆        File
4       6.49       0.0%     pkg/authserver/upstream/mocks/mock_provider.go
16      87.19      -0.6%    pkg/authserver/upstream/oidc.go

Uncovered Existing Lines

Lines   Coverage   ∆          File
2       80.37      0.27%      pkg/transport/proxy/httpsse/http_proxy.go
2       57.89      -3.51%     pkg/transport/session/sse_session.go
8       25.0       -4.44%     pkg/client/manager.go
11      68.42      -14.47%    pkg/client/discovery.go
14      62.61      -5.88%     pkg/client/config.go
Jobs

ID   Job ID           Ran                        Files   Coverage   Source
1    21729113644.1    05 Feb 2026 09:34PM UTC    495     60.93      GitHub Action Run
Source files on build 21729113644: 495 files listed, 10 changed (3 with source changes, 9 with coverage changes).
Commit 788057bd on github, GitHub Actions build #21729113644.
Previous build on main: #21725310477. Next build on main: #21732934896.
© 2026 Coveralls, Inc