stacklok / toolhive / 23919797653

02 Apr 2026 08:10PM UTC coverage: 65.396% (+0.06%) from 65.336%

push

github

web-flow
Resolve JWKS keys in-process for embedded auth server (MCP server) (#4502)

When the embedded auth server is enabled, token validation currently fails silently because the token validator fetches JWKS keys over HTTP from the proxy's own endpoint. This self-referential HTTP call requires operators to set `insecureAllowHTTP` and/or `jwksAllowPrivateIP` flags — insecure workarounds that are difficult to debug when missing.

This PR eliminates the self-referential HTTP fetch by wiring the embedded auth server's `KeyProvider` directly into the token validator. When both components run in the same process, JWKS keys are resolved in-memory with a graceful fallback to HTTP for cases where the local provider cannot satisfy the request.

Note: this only addresses the issue for the runner and proxy runner - vMCP wiring will come in a separate change.

86 of 99 new or added lines in 6 files covered. (86.87%)

13 existing lines in 5 files now uncovered.

54415 of 83208 relevant lines covered (65.4%)

63.57 hits per line

Source File

80.15
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
