stacklok / toolhive / 25463362294
65%

Build:
DEFAULT BRANCH: main
Ran 06 May 2026 10:02PM UTC
Jobs 1
Files 718
Run time 7min
25463362294

push

github

web-flow
Add identity extractor for OAuth2 token responses (#5200)

Some OAuth2 upstream providers do not expose a usable userinfo
endpoint and instead place user identity directly in the token
endpoint response. Two response shapes appear in practice:

  - Identity as side-attributes alongside the tokens, e.g.
    Snowflake's `username`, Slack's `authed_user.id`, Shopify's
    `associated_user.{id,email,first_name}`.
  - Identity claims embedded inside a JWT-shaped access token, e.g.
    Auth0, Azure AD, Keycloak, Cognito.

Introduce a pure helper that reads operator-supplied gjson
dot-notation paths from the raw token-response body to extract
subject, name, and email. Register a custom gjson modifier
`@upstreamjwt` so paths can pipe through a JWT payload decode step
(e.g. "access_token|@upstreamjwt|sub"). The modifier base64url-decodes
the JWT payload without verifying the signature; trust comes from the
TLS-authenticated channel to the AS, the same trust model as the
existing userinfo path. Signed-token flows remain handled by the
existing OIDC provider type. Modifier registration is exported and
explicit (RegisterModifiers) so callers control when the
process-global gjson state mutates.

The helper is consumed by the embedded auth server's OAuth2 upstream
provider in a later commit; nothing in this commit calls it yet.

Type guard restricts the subject to scalar string or number values to
avoid silently returning a JSON blob as the user's identity. Numeric
subjects are returned via the raw JSON token rather than gjson's
float64 formatting to preserve integer precision beyond 2^53. Error
messages never include any portion of the body.

Closes #5152
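
The extraction rules described in the commit message above, sketched as an added example using only the Go standard library; this is not the toolhive code. The names `ExtractSubject`, `resolve` and `errNoSubject` are hypothetical, the path splitter is a simplified stand-in for gjson syntax, and the sample body is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Generic on purpose: the error never echoes any part of the response body.
var errNoSubject = fmt.Errorf("subject missing or not a scalar string/number")

// resolve applies one path step, returning nil on failure. "@upstreamjwt" swaps a
// JWT string for its base64url-decoded payload WITHOUT verifying the signature.
func resolve(cur []byte, step string) []byte {
	var tok string
	var obj map[string]json.RawMessage
	switch {
	case step != "@upstreamjwt" && json.Unmarshal(cur, &obj) == nil:
		return obj[step]
	case step == "@upstreamjwt" && json.Unmarshal(cur, &tok) == nil && strings.Count(tok, ".") == 2:
		if p, err := base64.RawURLEncoding.DecodeString(strings.Split(tok, ".")[1]); err == nil {
			return p
		}
	}
	return nil
}

// ExtractSubject walks path over body; steps split on '.' and '|' (a simplified
// stand-in for gjson paths). Only a non-empty string or a number is accepted.
func ExtractSubject(body []byte, path string) (string, error) {
	for _, step := range strings.FieldsFunc(path, func(r rune) bool { return r == '.' || r == '|' }) {
		if body = resolve(body, step); len(body) == 0 {
			return "", errNoSubject
		}
	}
	var s string
	switch {
	case !json.Valid(body): // malformed or empty: fall out to the refusal below
	case body[0] == '"' && json.Unmarshal(body, &s) == nil && s != "":
		return s, nil
	case body[0] == '-' || (body[0] >= '0' && body[0] <= '9'):
		return string(body), nil // raw number token: no float64 round-trip
	}
	return "", errNoSubject // object, array, bool, null, empty string: refuse
}

func main() { // constructed sample shaped like Slack's authed_user.id
	fmt.Println(ExtractSubject([]byte(`{"authed_user":{"id":9007199254740993}}`), "authed_user.id"))
}
```

The numeric case returns the bytes of the JSON number as they appeared in the body, so an id above 2^53 survives unchanged, while objects, arrays, booleans and null are rejected instead of being stringified.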

63139 of 97464 relevant lines covered (64.78%)

59.03 hits per line

Jobs
ID Job ID Ran Files Coverage
1 25463362294.1 06 May 2026 10:02PM UTC 718 64.78
GitHub Action Run
Source Files on build 25463362294
  • Tree
  • List 718
  • Changed 5
  • Source Changed 0
  • Coverage Changed 5
  • Github Actions Build #25463362294
  • 6a6b2b2f on github
  • Prev Build on main (#25449151925)
  • Next Build on main (#25463881983)