pomerium / pomerium / 22967674384
45%

Build:
DEFAULT BRANCH: main
Ran 11 Mar 2026 06:38PM UTC
Jobs 1
Files 687
Run time 2min
11 Mar 2026 06:15PM UTC coverage: 45.46% (+0.2%) from 45.24%
Build 22967674384 (push, github, web-flow)
mcp: add auto-discovery support to connect, disconnect, and authorize endpoints (#6179)

## Summary

MCP server routes can be configured with static `upstream_oauth2`
credentials, but many upstream servers publish their authorization
server dynamically via RFC 9728 Protected Resource Metadata (PRM). This
PR adds auto-discovery support so users can connect to those servers
without manual OAuth config.

### Routes portal (connect/disconnect)

Users clicking "Connect" in the routes portal need a seamless flow even
when the upstream server uses dynamic OAuth. The connect handler now
probes for PRM, registers a client via DCR if needed, and redirects the
user to the upstream authorization server — all transparently. Discovery
failures are surfaced as `connect_error` query params rather than 500
errors, so the UI can show a meaningful message.

Disconnecting must clean up auto-discovery tokens (not just static
OAuth2 tokens), otherwise stale credentials accumulate silently.

### Route sign-in (authorize)

When a user signs into a route, the authorize endpoint opportunistically
sets up upstream tokens via auto-discovery so the user doesn't hit a 401
on first request. Discovery errors are non-fatal here — the user still
authenticates to Pomerium, and upstream auth can happen later via
ext_proc 401 interception.

### Redirect URL validation

The connect endpoint accepts a `redirect_url` parameter. To prevent open
redirect vulnerabilities, it validates that the target is either a known
MCP client route or the same host as the server route (needed for the
portal's own connect flow). The validator naming follows CodeQL's
barrier-guard convention to avoid false-positive static analysis
warnings.

## Linear

- [ENG-3596](https://linear.app/pomerium/issue/ENG-3596) — extend
/routes and /connect for auto-discovery upstream auth
- [ENG-3593](https://linear.app/pomerium/issue/ENG-3593) — authorize
endpoint auto-discovery

## Test plan

- [x] Unit tests for redirect URL... (continued)
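The redirect target check described under "Redirect URL validation" above, written out as an added Go example that is not Pomerium's own code: a `redirect_url` is accepted only when it parses as an absolute https URL, carries no userinfo, and its host[:port] is exactly the server route's host or the host of a known MCP client route. `RedirectPolicy`, `NewRedirectPolicy`, `IsAllowedRedirectURL` and the sample route hosts are assumptions made for this illustration; the real handler's names, configuration types and accepted schemes differ.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// RedirectPolicy is an illustrative stand-in for the configuration the connect
// handler would consult: the host of the MCP server route being connected and
// the hosts of the known MCP client routes. Not Pomerium's own type.
type RedirectPolicy struct {
	serverHost  string
	clientHosts map[string]struct{}
}

// NewRedirectPolicy canonicalises the configured route URLs once so the guard
// itself is a pure exact-match lookup.
func NewRedirectPolicy(serverRoute string, clientRoutes []string) (*RedirectPolicy, error) {
	serverHost, err := canonicalHost(serverRoute)
	if err != nil {
		return nil, fmt.Errorf("server route %q: %w", serverRoute, err)
	}
	p := &RedirectPolicy{serverHost: serverHost, clientHosts: map[string]struct{}{}}
	for _, r := range clientRoutes {
		h, err := canonicalHost(r)
		if err != nil {
			return nil, fmt.Errorf("client route %q: %w", r, err)
		}
		p.clientHosts[h] = struct{}{}
	}
	return p, nil
}

// canonicalHost accepts only absolute https URLs without userinfo and returns
// a lower-cased host[:port] with a redundant :443 dropped. Rejecting userinfo
// closes the "https://trusted.example@evil.example" trick, and requiring a
// scheme rejects protocol-relative "//evil.example", which url.Parse would
// otherwise accept with an empty scheme.
func canonicalHost(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("scheme %q is not https", u.Scheme)
	}
	if u.User != nil {
		return "", errors.New("userinfo is not allowed in a redirect target")
	}
	host := strings.TrimSuffix(strings.ToLower(u.Host), ":443")
	if host == "" || strings.HasPrefix(host, ":") {
		return "", errors.New("missing host")
	}
	return host, nil
}

// IsAllowedRedirectURL is the barrier guard a handler calls before issuing a
// 302: true only when the target's canonical host is exactly the server
// route's host or one of the known client route hosts. Comparing the whole
// host[:port] (never a prefix or suffix) means "trusted.example.evil.example"
// and a different port both fail.
func (p *RedirectPolicy) IsAllowedRedirectURL(redirectURL string) bool {
	host, err := canonicalHost(redirectURL)
	if err != nil {
		return false
	}
	if host == p.serverHost {
		return true
	}
	_, ok := p.clientHosts[host]
	return ok
}

func main() {
	// Constructed sample configuration; these hosts are not real deployments.
	policy, err := NewRedirectPolicy(
		"https://mcp-server.example.com",
		[]string{"https://mcp-client.example.com", "https://ide.example.com:8443"},
	)
	if err != nil {
		panic(err)
	}
	for _, target := range []string{
		"https://mcp-server.example.com/portal?connected=1",
		"https://ide.example.com:8443/oauth/callback",
		"https://evil.example/phish",
		"//evil.example/phish",
		"https://mcp-server.example.com@evil.example/",
		"https://mcp-server.example.com.evil.example/",
		"http://mcp-server.example.com/",
	} {
		fmt.Printf("%-48s allowed=%v\n", target, policy.IsAllowedRedirectURL(target))
	}
}
```

The guard deliberately returns a bare boolean from a single function that every redirect path must call; keeping the decision in one place is what lets a static analyser recognise it as a sanitiser for the open-redirect query, which is the reason the PR text gives for following CodeQL's barrier-guard naming.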

238 of 494 new or added lines in 3 files covered. (48.18%)

20 existing lines in 8 files now uncovered.

34783 of 76514 relevant lines covered (45.46%)

115.23 hits per line

New Missed Lines in Diff

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 23 | 56.1 | 40.51% | internal/mcp/handler_authorization.go |
| 233 | 32.44 | 32.44% | internal/mcp/handler_connect.go |

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 56.1 | 40.51% | internal/mcp/handler_authorization.go |
| 1 | 32.44 | 32.44% | internal/mcp/handler_connect.go |
| 1 | 75.41 | 0.0% | pkg/storage/postgres/registry.go |
| 2 | 90.91 | 0.0% | pkg/fanout/receive.go |
| 2 | 85.67 | -0.62% | pkg/grpc/databroker/syncer.go |
| 4 | 77.03 | -2.7% | pkg/grpcutil/client_manager.go |
| 4 | 76.52 | -0.26% | pkg/storage/postgres/backend.go |
| 5 | 48.28 | -0.9% | internal/databroker/server_clustered_follower.go |
Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 22967674384.1 | 11 Mar 2026 06:38PM UTC | 687 | 45.46 |
  • Github Actions Build #22967674384
  • 498ab3a8 on github
  • Prev Build on main (#22928219494)
  • Next Build on main (#22975777861)

© 2026 Coveralls, Inc