stacklok / toolhive / 21729113644

05 Feb 2026 09:26PM UTC coverage: 60.931% (-0.004%) from 60.935%
push · github · web-flow
Add OIDC provider methods and ID token validation (#3580)

* Add OIDC provider methods and ID token validation

This implements the remaining OIDC provider functionality building on the OIDCProvider type. The changes add WithNonce authorization option for replay attack prevention, AuthorizationURL with OIDC-specific parameters (nonce, prompt), ExchangeCode with mandatory ID token validation per OIDC Core spec section 3.1.3.3, and RefreshTokens with optional ID token validation per section 12.2. The validateIDToken function uses the go-oidc library verifier to ensure proper token validation. Comprehensive tests cover all new methods using table-driven patterns.

This is part of the larger auth-proxy effort to add proper OIDC upstream support to the embedded auth server. It follows the initial OIDC provider type addition and will be followed by integration tests that verify the end-to-end OIDC flow, and then config pipeline changes that preserve the OIDC provider type through the authserver configuration so that OIDC-specific features like ID token validation are available at runtime.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Address PR review feedback and add sub claim validation

- Wrap validateIDToken error for debugging context (reviewer feedback)
- Clarify ExchangeCode nonce deferral with accurate comments
- Use validateIDToken consistently in ExchangeCode and RefreshTokens
  instead of calling p.verifier.Verify directly
- Document intentional nonce omission in RefreshTokens per Section 12.2
- Add sub claim validation to RefreshTokens per OIDC Core Section 12.2
  (sub MUST match original on refresh) with ErrSubjectMismatch sentinel
- Update OAuth2Provider interface to accept expectedSubject parameter

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Add ErrNonceMissing sentinel and validate openid scope

Address review feedback from tgrunnagle:

- Add ErrNonceMissing sentinel error for consistency with ErrNonceMismatch
 ... (continued)

101 of 121 new or added lines in 3 files covered. (83.47%)

37 existing lines in 5 files now uncovered.

41192 of 67604 relevant lines covered (60.93%)

78.38 hits per line

Source File

80.37 /pkg/transport/proxy/httpsse/http_proxy.go

Source Not Available

© 2026 Coveralls, Inc