
stacklok / toolhive / 25732412599

12 May 2026 11:47AM UTC coverage: 65.048% (+0.03%) from 65.014%
25732412599

push

github

web-flow
Allow operators to inject baseline scopes into DCR registrations (#5233)

* Add BaselineClientScopes to embedded auth CRD

Some DCR clients narrow the scope field at /oauth/register but later
request additional scopes at /oauth/authorize, getting rejected with
invalid_scope. RFC 7591 §3.1.1 explicitly permits the AS to override
the registered scope, so let operators declare a baseline set that the
embedded auth server unions into every DCR registration.

This commit only adds the CRD field. The plumbing through RunConfig,
the runner, the server provider, and the DCR handler comes in
subsequent commits.

Refs #5224

* Plumb BaselineClientScopes into auth server RunConfig

Add the BaselineClientScopes field on the on-disk RunConfig and copy
it from the CRD's EmbeddedAuthServerConfig in the operator-side
builder. The runtime Config and the DCR handler are wired in
subsequent commits; startup validation that the baseline is a subset
of ScopesSupported lands with the next commit.

Refs #5224

* Validate baseline scopes are subset of supported

If an operator configures baseline_client_scopes with a value missing
from scopes_supported, the embedded DCR handler would later register
clients with a scope the server does not advertise, and fosite would
reject those clients at /oauth/authorize with invalid_scope. Catching
the misconfiguration at startup gives operators a clear error instead
of debugging silent rejections in production.

Add RunConfig.Validate() with a subset check, and call it from the
runner entry point before any secret resolution or HTTP wiring.
errors.Join wraps the (currently single) sub-check so future
RunConfig invariants compose without dropping existing checks.

Refs #5224

* Resolve baseline scopes into runtime Config

Add BaselineClientScopes to the runtime Config struct and copy it
from RunConfig in the runner's resolvedCfg block. The DCR handler
needs the baseline at request time, so it must travel through the
runtime Config the sam... (continued)
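
The startup subset check and the registration-time union described in the commit message above, as an added Go example (not ToolHive's code). The function names `validateBaseline` and `unionScopes` and the sample scope values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// validateBaseline (hypothetical helper) reports every baseline scope that is
// missing from the supported set, so a misconfiguration fails at startup
// rather than surfacing later as invalid_scope at /oauth/authorize.
func validateBaseline(baseline, supported []string) error {
	known := make(map[string]struct{}, len(supported))
	for _, s := range supported {
		known[s] = struct{}{}
	}
	var errs []error
	for _, s := range baseline {
		if _, ok := known[s]; !ok {
			errs = append(errs, fmt.Errorf("baseline scope %q is not in scopes_supported", s))
		}
	}
	return errors.Join(errs...) // nil when every baseline scope is supported
}

// unionScopes (hypothetical helper) merges the space-delimited scope a client
// sent at registration with the operator's baseline. The result is
// de-duplicated and sorted so the stored registration is deterministic.
func unionScopes(requested string, baseline []string) string {
	seen := map[string]struct{}{}
	for _, s := range append(strings.Fields(requested), baseline...) {
		seen[s] = struct{}{}
	}
	out := make([]string, 0, len(seen))
	for s := range seen {
		out = append(out, s)
	}
	sort.Strings(out)
	return strings.Join(out, " ")
}

func main() {
	supported := []string{"openid", "profile", "offline_access"} // constructed sample values
	baseline := []string{"openid", "offline_access"}
	fmt.Println(validateBaseline(baseline, supported))                    // passes: subset
	fmt.Println(unionScopes("profile", baseline))                         // narrowed client request widened
	fmt.Println(validateBaseline([]string{"openid", "admin"}, supported)) // rejected: "admin" unsupported
}
```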

97 of 105 new or added lines in 10 files covered. (92.38%)

4 existing lines in 2 files now uncovered.

64131 of 98591 relevant lines covered (65.05%)

61.81 hits per line

Source File

86.11
/pkg/authserver/server/provider.go


