
stacklok / toolhive / 21841918310

09 Feb 2026 09:44PM UTC coverage: 61.409% (+0.06%) from 61.348%

push

github

web-flow
Enable OIDC provider support in the embedded auth server (#3720)

Previously, the embedded auth server converted all upstream configs to
OAuth2Config, which meant OIDCProviderImpl was never instantiated even
when the upstream was configured as type "oidc". This caused OIDC
features like ID token validation and automatic discovery to be silently
skipped.

Refactor UpstreamConfig to carry an explicit provider type ("oidc" or
"oauth2") with separate OIDCConfig and OAuth2Config fields. The upstream
factory now dispatches on type, creating OIDCProviderImpl (with OIDC
discovery and ID token validation) for OIDC upstreams and
BaseOAuth2Provider for OAuth2 upstreams. Config validation enforces
mutual exclusivity between the two config fields.

Tested end-to-end with Google as the OIDC upstream:

```yaml
    upstreamProviders:
      - name: google
        type: oidc
        oidcConfig:
          issuerUrl: "https://accounts.google.com"
          clientId: "<google-client-id>"
          clientSecretRef:
            name: google-oauth-secret
            key: client-secret
          redirectUri: "https://example.com/oauth/callback"
          scopes:
            - openid
            - email
```

Fixes: https://github.com/stacklok/stacklok-epics/issues/235
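
The type dispatch and mutual-exclusivity check described in the commit message, sketched as an added example (not ToolHive's code). The struct field layouts and the `Validate` and `ProviderFor` names are hypothetical; only the type names and the "oidc"/"oauth2" values come from the message.

```go
package main

import "fmt"

// Field layouts are assumptions; only the type names come from the commit message.
type OIDCConfig struct{ IssuerURL, ClientID string }
type OAuth2Config struct{ AuthorizationEndpoint, TokenEndpoint, ClientID string }

type UpstreamConfig struct {
	Name         string
	Type         string // "oidc" or "oauth2"
	OIDCConfig   *OIDCConfig
	OAuth2Config *OAuth2Config
}

// Validate requires exactly the config block that matches Type (hypothetical helper).
func (c UpstreamConfig) Validate() error {
	switch {
	case c.OIDCConfig != nil && c.OAuth2Config != nil:
		return fmt.Errorf("upstream %q sets both oidcConfig and oauth2Config", c.Name)
	case c.Type == "oidc" && c.OIDCConfig != nil:
		return nil
	case c.Type == "oauth2" && c.OAuth2Config != nil:
		return nil
	}
	return fmt.Errorf("upstream %q: type %q has no matching config block", c.Name, c.Type)
}

// ProviderFor names the implementation a factory would build. It fails closed:
// an upstream declared as OIDC is never downgraded to plain OAuth2, which is
// the path that skipped discovery and ID token validation before the fix.
func ProviderFor(c UpstreamConfig) (string, error) {
	if err := c.Validate(); err != nil {
		return "", err
	}
	if c.Type == "oidc" {
		return "OIDCProviderImpl", nil
	}
	return "BaseOAuth2Provider", nil
}

func main() {
	// Constructed sample mirroring the Google upstream in the commit message.
	google := UpstreamConfig{Name: "google", Type: "oidc",
		OIDCConfig: &OIDCConfig{IssuerURL: "https://accounts.google.com", ClientID: "<google-client-id>"}}
	fmt.Println(ProviderFor(google))
}
```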

69 of 75 new or added lines in 3 files covered. (92.0%)

8 existing lines in 2 files now uncovered.

42427 of 69089 relevant lines covered (61.41%)

76.08 hits per line

Source File

90.98
/pkg/authserver/server_impl.go


Source Not Available
