
stacklok / toolhive / 24536763992
66%

Build:
DEFAULT BRANCH: main
Ran 16 Apr 2026 10:20PM UTC
Jobs 1
Files 635
Run time 2min

16 Apr 2026 10:14PM UTC coverage: 66.163% (+0.06%) from 66.1%
24536763992

push

github

web-flow
Validate audience matches resourceUrl for embedded auth server (#4904)

* Validate audience matches resourceUrl when embedded auth server is active (#4860)

The embedded auth server mints tokens with aud set to the ResourceURL
(the RFC 8707 resource parameter), but the token validator checks aud
against the user-specified OIDCConfigRef.Audience. When these diverge,
every authenticated request fails silently.

Add reconciler-time validation requiring audience == resourceUrl when an
embedded auth server is configured, with a clear error message guiding
operators to fix the mismatch. This mirrors the existing validation in
the vMCP inline config path (ValidateAuthServerIntegration).

Fixes #4860

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Extract audience validation into shared helper and improve error messages

Consolidate the duplicated audience/resourceUrl validation from
AddEmbeddedAuthServerConfigOptions and AddAuthServerRefOptions into
validateOIDCConfigForEmbeddedAuthServer. Add a distinct error for
empty audience (missing field) vs mismatched audience (wrong value)
to help operators identify the root cause faster.

Document the rationale for validation-based enforcement (Option D)
over silent override (Option A): operators see exactly what values
are in play and control both sides explicitly, consistent with the
existing vMCP inline config validation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix integration tests to set matching audience and resourceUrl

Integration test fixtures set OIDCConfigRef.Audience but not
ResourceURL, so the resolver auto-computed a different ResourceURL
from the proxy/server name. The new audience validation correctly
rejects this mismatch.

Set ResourceURL to match Audience in all embedded auth server
integration test fixtures so the audience consistency check passes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authore... (continued)

26 of 26 new or added lines in 1 file covered. (100.0%)

57565 of 87005 relevant lines covered (66.16%)

61.52 hits per line
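
The mismatch described in the commit message above, next to a configuration-time check of the kind it adds, as an added Go example that is not toolhive's code. The type, function and error names are hypothetical, the URLs are constructed, and exact string comparison of the two values is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// OIDCConfig is a hypothetical, simplified stand-in for the two settings
// named in the commit message.
type OIDCConfig struct {
	Audience    string // what the token validator expects in aud
	ResourceURL string // RFC 8707 resource; the embedded auth server sets aud to it
}

var (
	ErrAudienceEmpty    = errors.New("audience is empty")
	ErrAudienceMismatch = errors.New("audience does not match resourceUrl")
)

// mintAud models the embedded auth server: aud is always the ResourceURL.
func mintAud(c OIDCConfig) string { return c.ResourceURL }

// acceptsToken models the validator: aud must equal the configured Audience.
func acceptsToken(c OIDCConfig, aud string) bool { return c.Audience != "" && aud == c.Audience }

// ValidateForEmbeddedAuthServer rejects a config whose minted aud could never
// pass the validator, with distinct errors for a missing and a wrong value.
func ValidateForEmbeddedAuthServer(c OIDCConfig, embedded bool) error {
	if !embedded {
		return nil // tokens come from an external issuer; no coupling to check
	}
	if c.Audience == "" {
		return fmt.Errorf("%w: set it to resourceUrl %q", ErrAudienceEmpty, c.ResourceURL)
	}
	if c.Audience != c.ResourceURL { // assumption: exact match, so a trailing slash differs
		return fmt.Errorf("%w: audience=%q resourceUrl=%q", ErrAudienceMismatch, c.Audience, c.ResourceURL)
	}
	return nil
}

func main() {
	const res = "https://mcp.example.com/mcp" // constructed sample value
	for _, c := range []OIDCConfig{{res, res}, {"my-api", res}, {res + "/", res}, {"", res}} {
		fmt.Printf("config check: %v | token accepted at runtime: %v\n",
			ValidateForEmbeddedAuthServer(c, true), acceptsToken(c, mintAud(c)))
	}
}
```

Every config that fails the check is also one whose freshly minted token the validator would reject, which is the failure the check moves from request time to configuration time.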

Jobs
ID Job ID Ran Files Coverage
1 24536763992.1 16 Apr 2026 10:20PM UTC 635 66.16
GitHub Action Run
Source Files on build 24536763992
  • Tree
  • List 635
  • Changed 8
  • Source Changed 1
  • Coverage Changed 8
  • d96922d7 on github