
pomerium / pomerium / 22685279033
46%

Build:
DEFAULT BRANCH: main
Ran 04 Mar 2026 07:33PM UTC
Jobs 1
Files 685
Run time 1min
04 Mar 2026 07:19PM UTC coverage: 44.877% (+0.05%) from 44.824%
22685279033

push

github

web-flow
mcp: add UpstreamAuthHandler for upstream token injection and 401/403 interception (#6165)

## Summary

- Add `UpstreamAuthHandler` implementing the
`extproc.UpstreamRequestHandler` interface for MCP upstream OAuth flows
- `GetUpstreamToken()` dispatches to static (`upstream_oauth2` config)
or auto-discovery (MCP token) paths with singleflight-deduplicated
refresh
- `HandleUpstreamResponse()` intercepts upstream 401/403, runs RFC 9728
PRM discovery, generates PKCE + state, stores `PendingUpstreamAuth`, and
returns 401 with Pomerium's PRM URL
- Token refresh classifies errors: permanent failures (4xx) clear the
cached token and return empty; transient failures (5xx, network)
preserve it and return an error (502)
- Add `tokenEndpointError` type to `upstream_token_exchange.go` for
error classification
- Add `resource_param` field to `PendingUpstreamAuth` and
`UpstreamMCPToken` protos (carry-over from
https://github.com/pomerium/pomerium/pull/6152 where protos were updated
but not generated files)
- Consolidate upstream OAuth2 token injection into the ext_proc path:
remove `GetUpstreamOAuth2Token` from `MCPAccessTokenProvider` interface
and simplify `fillMCPHeaders` to strip the Authorization header for all
MCP server routes (ext_proc now handles injection)
- Fix singleflight key in `Handler.GetUpstreamOAuth2Token` from `host`
to `host+":"+userID` to prevent cross-user token coalescing

## Related issues

- [ENG-3592](https://linear.app/pomerium/issue/ENG-3592)

## User Explanation

No user-facing changes. This is internal infrastructure for MCP upstream
OAuth token management.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review

177 of 332 new or added lines in 7 files covered. (53.31%)

26 existing lines in 11 files now uncovered.

33938 of 75624 relevant lines covered (44.88%)

115.66 hits per line

New Missed Lines in Diff

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 12 | 46.26 | -2.25% | authorize/grpc.go |
| 29 | 31.03 | -1.11% | internal/mcp/token.go |
| 114 | 58.84 | | internal/mcp/upstream_auth.go |

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 82.24 | -0.2% | pkg/envoy/resource_monitor_linux.go |
| 1 | 79.91 | -0.22% | pkg/ssh/manager.go |
| 1 | 75.41 | 0.0% | pkg/storage/postgres/registry.go |
| 2 | 69.92 | -0.3% | internal/databroker/server_backend.go |
| 2 | 48.82 | 0.0% | internal/databroker/server_clustered_follower.go |
| 2 | 92.78 | -1.11% | internal/fileutil/watcher.go |
| 2 | 89.19 | -5.41% | pkg/fanout/fanout.go |
| 2 | 90.91 | -3.64% | pkg/fanout/receive.go |
| 2 | 95.83 | -2.08% | pkg/identity/manager/schedulers.go |
| 2 | 88.52 | 0.0% | pkg/storage/postgres/postgres.go |
| 9 | 76.78 | -2.37% | pkg/storage/postgres/backend.go |

Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 22685279033.1 | 04 Mar 2026 07:33PM UTC | 685 | 44.88 |

GitHub Action Run
Source Files on build 22685279033
  • Tree
  • List 685
  • Changed 24
  • Source Changed 8
  • Coverage Changed 22
  • 243697d1 on github