pomerium / pomerium / 21929000250
44%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 670
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 44.324% (+0.06%) from 44.266%
21929000250

push

github

web-flow 
mcp: host Client ID Metadata Documents for auto-discovery mode (#6088)

## Summary

Add support for Pomerium to host Client ID Metadata Documents (CIMD) at
`/.pomerium/mcp/client/metadata.json` for MCP server routes using
auto-discovery mode (routes without `upstream_oauth2` configured).

When Pomerium acts as an OAuth 2.1 client to upstream MCP servers, it
needs to present its own CIMD to the upstream authorization server. This
enables dynamic client registration via the Client ID Metadata Document
spec (draft-ietf-oauth-client-id-metadata-document).

Key changes:
- Add `ClientIDMetadata` handler to serve per-host CIMD documents
- Add `UsesAutoDiscovery`/`GetServerHostInfo` methods to `HostInfo`
- Split OAuth callback endpoints: `server/oauth/callback` vs
`client/oauth/callback`
- Add debug logging for CIMD requests

## Related issues

-
[ENG-3525](https://linear.app/pomerium/issue/ENG-3525/host-client-id-metadata-documents-for-auto-discovery-mode)

## User Explanation

MCP server routes using auto-discovery mode (without explicit
`upstream_oauth2` configuration) now automatically serve a CIMD
document. This allows upstream MCP servers' authorization servers to
discover Pomerium's OAuth client metadata.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

82 of 90 new or added lines in 3 files covered. (91.11%)

17 existing lines in 7 files now uncovered.

32380 of 73053 relevant lines covered (44.32%)

117.45 hits per line

New Missed Lines in Diff

Lines Coverage File
2
97.18
 internal/mcp/handler_cimd.go
6
0.0
 0.0% internal/mcp/handler.go

Uncovered Existing Lines

Lines Coverage File
1
58.88
 -0.25% internal/controlplane/server.go
1
75.41
 0.0% pkg/storage/postgres/registry.go
2
48.82
 0.18% internal/databroker/server_clustered_follower.go
2
92.78
 -1.11% internal/fileutil/watcher.go
2
95.83
 -2.08% pkg/identity/manager/schedulers.go
2
88.18
 0.0% pkg/storage/postgres/postgres.go
7
72.3
 -4.73% pkg/grpcutil/client_manager.go
Jobs
ID Job ID Ran Files Coverage
1 21929000250.1 670
44.32
 GitHub Action Run
Source Files on build 21929000250