pomerium / pomerium / 22776581569

46%

Build Type

push

github

Committed by web-flow

Commit Message

mcp: add controlplane wiring and upstream OAuth callback handler (#6172)

## Summary

Wire `UpstreamAuthHandler` into the controlplane and implement the
`ClientOAuthCallback` handler that completes upstream OAuth flows.

When ext_proc intercepts a 401 from an upstream MCP server, it stores
`PendingUpstreamAuth` state and kicks off an OAuth flow.
`ClientOAuthCallback` receives the redirect back from the upstream AS,
exchanges the auth code for tokens, stores the `UpstreamMCPToken`, and
completes the flow via one of two paths depending on how the flow was
initiated:

- **Reactive** (ext_proc 401-intercept) — redirects to the original
upstream URL
- **Proactive** (MCP authorize flow) — issues a Pomerium auth code back
to the
  MCP client via `AuthorizationResponse()`

See `internal/mcp/DESIGN.md` → "Callback Completion Paths" for details.

## Related issues

- ENG-3593
- ENG-3594

## User Explanation

No user-facing changes. This wires up internal infrastructure for MCP
upstream
OAuth flows.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`)
- [ ] ready for review

Run Details

139 of 179 new or added lines in 3 files covered. (77.65%)

17 existing lines in 7 files now uncovered.

34338 of 75969 relevant lines covered (45.2%)

116.28 hits per line