25120215684

Committed 29 Apr 2026 04:11PM UTC coverage: 64.231% (+0.09%) from 64.142%

Build # 25120215684

Build Type

push

github

Committed by

web-flow

Commit Message

Allow OAuth2 upstreams to omit userInfo config (#5094)

* Allow OAuth2 upstreams to omit userInfo config

Some OAuth 2.0 authorization servers — notably MCP authorization
servers per the MCP authorization spec — expose no userinfo endpoint
and issue opaque (non-JWT) access tokens, leaving no surface to
resolve user identity from. With UserInfo previously required, the
embedded auth server could not integrate any such upstream: token
exchange would succeed and then the userinfo step would fail (e.g.
401 against an unrelated identity API), surfacing as
ErrIdentityResolutionFailed and aborting the auth flow.

Make OAuth2UpstreamConfig.UserInfo optional. When nil,
BaseOAuth2Provider.ExchangeCodeForIdentity skips the userinfo call
and synthesizes a deterministic, non-PII Subject from a SHA-256
prefix of the access token (35 chars, "tk-" prefix so synthesized
subjects are recognizable in logs and JWTs). Name and Email remain
empty in this mode. The synthesized subject is stable for the
lifetime of the access token and rotates on re-authentication, which
is sufficient for the proxy's session-key role.

Scoped to OAuth2 only — OIDC providers always have an ID-token-
derived subject and never reach this path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Bypass UserResolver for synthetic identities

Synthesized subjects (set by OAuth2 upstreams whose userInfo is nil)
are derived from the access token and rotate on every re-authentication.
The previous wiring fed them into UserResolver.ResolveUser, which falls
through to createUserWithIdentity whenever (providerID, providerSubject)
is unknown — i.e. on every re-auth, since the synthesized subject is
never the same twice. For a long-running auth server fronting a
synthesis-mode upstream, the `users` and `provider_identities` tables
grow without bound and per-user state fragments across many internal
IDs that all map back to the same human.

Mark synthesized identities with a new Identi... (continued)

Coverage Stats

118 of 133 new or added lines in 5 files covered. (88.72%)

11 existing lines in 3 files now uncovered.

60890 of 94798 relevant lines covered (64.23%)

59.86 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

62.55

/cmd/thv-operator/controllers/virtualmcpserver_controller.go

stacklok / toolhive / 25120215684

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous