stacklok / toolhive / 25739523544

66%

Build Type

push

github

Committed by web-flow

Commit Message

Add RFC 7523 JWT Bearer grant package (#5262)

Add pkg/oauthproto/jwtbearer, a self-contained client for the JWT
Bearer token grant defined by RFC 7523 Section 2.1. The grant exchanges
a signed JWT assertion for an OAuth 2.0 access token at a target
authorization server's token endpoint.

TokenURL validation reuses pkg/networking.ValidateEndpointURL plus
host, fragment, and userinfo checks to enforce RFC 6749 Section 3.2
(token endpoints must use TLS) and to reject URLs that smuggle
credentials in the URL itself. The token_type field in the success
response is validated as required by RFC 6749 Section 5.1. HTTP error
responses are returned as *oauth2.RetrieveError (from
golang.org/x/oauth2) with the raw Body scrubbed before return, matching
pkg/oauthproto/tokenexchange's stricter behavior so error strings
cannot leak upstream content into logs.

Client authentication is HTTP Basic per RFC 6749 Section 2.3.1; the
package targets confidential clients per XAA / ID-JAG §8.1 and does not
support public-client identification via a body client_id parameter.

Also add the GrantTypeJWTBearer URN constant to pkg/oauthproto, the
first consumer of which is this package.

The jwtbearer package is the Step B primitive used by the XAA (ID-JAG)
strategy. It has no XAA-specific behaviour at this layer and works for
any RFC 7523 JWT-Bearer exchange with a confidential client.

Coverage Stats

72 of 78 new or added lines in 1 file covered. (92.31%)

21 existing lines in 2 files now uncovered.

64269 of 98624 relevant lines covered (65.17%)

61.81 hits per line