stacklok / toolhive / 25120215684
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 708
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 64.231% (+0.09%) from 64.142%
25120215684

push

github

web-flow 
Allow OAuth2 upstreams to omit userInfo config (#5094)

* Allow OAuth2 upstreams to omit userInfo config

Some OAuth 2.0 authorization servers — notably MCP authorization
servers per the MCP authorization spec — expose no userinfo endpoint
and issue opaque (non-JWT) access tokens, leaving no surface to
resolve user identity from. With UserInfo previously required, the
embedded auth server could not integrate any such upstream: token
exchange would succeed and then the userinfo step would fail (e.g.
401 against an unrelated identity API), surfacing as
ErrIdentityResolutionFailed and aborting the auth flow.

Make OAuth2UpstreamConfig.UserInfo optional. When nil,
BaseOAuth2Provider.ExchangeCodeForIdentity skips the userinfo call
and synthesizes a deterministic, non-PII Subject from a SHA-256
prefix of the access token (35 chars, "tk-" prefix so synthesized
subjects are recognizable in logs and JWTs). Name and Email remain
empty in this mode. The synthesized subject is stable for the
lifetime of the access token and rotates on re-authentication, which
is sufficient for the proxy's session-key role.

Scoped to OAuth2 only — OIDC providers always have an ID-token-
derived subject and never reach this path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Bypass UserResolver for synthetic identities

Synthesized subjects (set by OAuth2 upstreams whose userInfo is nil)
are derived from the access token and rotate on every re-authentication.
The previous wiring fed them into UserResolver.ResolveUser, which falls
through to createUserWithIdentity whenever (providerID, providerSubject)
is unknown — i.e. on every re-auth, since the synthesized subject is
never the same twice. For a long-running auth server fronting a
synthesis-mode upstream, the `users` and `provider_identities` tables
grow without bound and per-user state fragments across many internal
IDs that all map back to the same human.

Mark synthesized identities with a new Identi... (continued)

118 of 133 new or added lines in 5 files covered. (88.72%)

11 existing lines in 3 files now uncovered.

60890 of 94798 relevant lines covered (64.23%)

59.86 hits per line

Uncovered Changes

Lines Coverage File
11
62.55
 1.52% cmd/thv-operator/controllers/virtualmcpserver_controller.go
4
82.96
 0.51% pkg/authserver/server/handlers/callback.go

Coverage Regressions

Lines Coverage File
6
76.15
 -5.5% pkg/secrets/keyring/keyctl_linux.go
3
71.85
 -1.11% pkg/ignore/processor.go
2
82.29
 -0.21% pkg/vmcp/composer/workflow_engine.go
Jobs
ID Job ID Ran Files Coverage
1 25120215684.1 708
64.23
 GitHub Action Run
Source Files on build 25120215684