Coveralls build: stacklok / toolhive / 22137623963
Coverage: 62%
Default branch: main
Ran: 18 Feb 2026 11:28AM UTC
Jobs: 1
Files: 0
Run time: –
Status: pending completion · Build: 22137623963 · Trigger: push · Source: github · Committer: web-flow
Harden scope handling in DCR and callback handler (#3831)

The embedded auth server had three scope-handling gaps that weakened
least-privilege enforcement. These are not directly exploitable under
the current default configuration, but reduce defense-in-depth:

1. DCR registered every client with all ScopesSupported scopes
   unconditionally, ignoring what the client actually needs.

2. The callback handler copied all stored scopes from
   PendingAuthorization into GrantedScope without filtering
   against the client's registration.

3. No explicit ScopeStrategy was configured — fosite's default
   WildcardScopeStrategy works for current scope names but is
   less strict than necessary.

Changes:
- Set fosite ScopeStrategy to ExactScopeStrategy explicitly
- Add scope field to DCR requests; validate against
  ScopesSupported; default to DefaultScopes when omitted
- Filter callback scopes against client registration and log
  when scopes are dropped
- Deduplicate scope values
- Add integration test for scope elevation rejection
- Add prefix/substring scope validation tests
- Replace hardcoded scope slices with registration.DefaultScopes
- Fix stale ScopesSupported comments in config.go

Fixes #3745
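The scope handling the commit message describes (exact-match validation of a DCR scope request against ScopesSupported, a DefaultScopes fallback when the field is omitted, deduplication, and callback-side filtering of pending scopes against the client's registration with the dropped scopes surfaced for logging) is shown below as an added example. This is not ToolHive's code and does not use fosite; the names ScopesSupported, DefaultScopes, ClientRegistration, RegisterClient, FilterGrantedScopes and the scope values are assumptions chosen for illustration. The exactMatch helper plays the role of an exact scope strategy: "mcp" and "mcp:tool" must not satisfy "mcp:tools".

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed, illustrative configuration (not ToolHive's real scope set).
// ScopesSupported is the server-wide set of scopes a client may ever request.
var ScopesSupported = []string{"openid", "profile", "email", "mcp:tools", "mcp:admin"}

// DefaultScopes is what a DCR request receives when it carries no scope field.
var DefaultScopes = []string{"openid", "profile"}

// ClientRegistration is the hypothetical stored result of a DCR request.
type ClientRegistration struct {
	ClientID string
	Scopes   []string
}

// dedupe drops empty and repeated scope values, preserving first-seen order.
func dedupe(scopes []string) []string {
	seen := make(map[string]struct{}, len(scopes))
	out := make([]string, 0, len(scopes))
	for _, s := range scopes {
		if s == "" {
			continue
		}
		if _, ok := seen[s]; ok {
			continue
		}
		seen[s] = struct{}{}
		out = append(out, s)
	}
	return out
}

// exactMatch accepts a requested scope only if it is byte-for-byte one of the
// allowed scopes. No prefix, substring or wildcard matching is performed.
func exactMatch(allowed []string, requested string) bool {
	for _, a := range allowed {
		if a == requested {
			return true
		}
	}
	return false
}

// RegisterClient handles the scope part of a DCR request. scopeParam is the
// space-separated "scope" string; empty means "use DefaultScopes". Any scope
// outside ScopesSupported rejects the whole registration.
func RegisterClient(clientID, scopeParam string) (ClientRegistration, error) {
	requested := dedupe(strings.Fields(scopeParam))
	if len(requested) == 0 {
		requested = dedupe(DefaultScopes)
	}
	for _, s := range requested {
		if !exactMatch(ScopesSupported, s) {
			return ClientRegistration{}, fmt.Errorf("invalid_client_metadata: scope %q is not in ScopesSupported", s)
		}
	}
	return ClientRegistration{ClientID: clientID, Scopes: requested}, nil
}

// FilterGrantedScopes is the callback-side check: only pending scopes the
// client was registered for become granted. The dropped list is returned so
// the caller can log an attempted elevation instead of silently honoring it.
func FilterGrantedScopes(reg ClientRegistration, pending []string) (granted, dropped []string) {
	granted = []string{}
	dropped = []string{}
	for _, s := range dedupe(pending) {
		if exactMatch(reg.Scopes, s) {
			granted = append(granted, s)
		} else {
			dropped = append(dropped, s)
		}
	}
	return granted, dropped
}

func main() {
	// Constructed inputs: a client that asks for a narrow scope set, then a
	// pending authorization that tries to smuggle in mcp:admin.
	reg, err := RegisterClient("client-1", "openid mcp:tools openid")
	if err != nil {
		panic(err)
	}
	fmt.Println("registered scopes:", reg.Scopes)

	if _, err := RegisterClient("client-2", "mcp:tool"); err != nil {
		fmt.Println("prefix scope rejected:", err)
	}

	granted, dropped := FilterGrantedScopes(reg, []string{"openid", "mcp:tools", "mcp:admin"})
	fmt.Println("granted:", granted)
	if len(dropped) > 0 {
		fmt.Printf("dropped scopes not in client registration: %v\n", dropped)
	}
}
```

Rejecting the registration outright when any requested scope is unsupported, rather than silently narrowing it, is a deliberate choice here: a client that asked for a scope the server does not offer should learn that at registration time, while a pending authorization that exceeds the registration is narrowed and logged because by then the grant has already been decided.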
Jobs
ID | Job ID | Ran | Files | Coverage
1 | 22137623963.1 | 18 Feb 2026 11:28AM UTC | 1070 | 62.38
GitHub Action Run
Source Files on build 22137623963
Detailed source file information is not available for this build.
  • Back to Repo
  • Github Actions Build #22137623963
  • ac495e6e on github
  • Prev Build on main (#22137563574)
  • Next Build on main (#22138581092)
© 2026 Coveralls, Inc