stacklok / toolhive / 25756530938
66%

Build:
DEFAULT BRANCH: main
Ran 12 May 2026 07:19PM UTC
Jobs 1
Files 728
Run time 2min
12 May 2026 07:13PM UTC coverage: 65.155% (-0.01%) from 65.169%
25756530938

push

github

web-flow
Wire identityFromToken into the OAuth2 upstream provider (#5222)

* Extract and consume identity from OAuth2 token response

Wire identityFromToken into the embedded auth server's OAuth2 upstream
provider. Extension point: the existing tokenResponseRewriter (which
already reads and parses every successful token-endpoint response to
normalise non-standard envelopes) gains a parallel responsibility —
extract user identity claims from the same body when the operator
configures IdentityFromTokenConfig with gjson dot-notation paths.

Identity extraction runs on the RAW pre-rewrite body, so paths are
resolved against the original provider response even when
TokenResponseMapping is also configured. The rewriter passes the
extracted *partialIdentity back to exchangeCodeForTokens via a
returned reference; RefreshTokens passes nil and the rewriter is
either omitted entirely or runs with identityCfg=nil because
providers like Snowflake omit username on refresh and identity is
cached at auth-code time in session storage.

The new priority chain in BaseOAuth2Provider.ExchangeCodeForIdentity:

  1. IdentityFromToken — when configured, return the extracted
     identity. If extraction failed (path didn't resolve), return
     ErrIdentityResolutionFailed without consulting userInfo or
     synthesising — the operator's "identity is in the token" claim
     is explicit and we surface its failure rather than silently
     fall through.
  2. UserInfo — existing fetchUserInfo path, unchanged.
  3. Synthesis — existing synthesizeIdentity path (PR 5094),
     unchanged.

OIDC providers always have ID-token-derived identity, so the OIDC
provider's ExchangeCodeForIdentity discards the rewriter's
identityFromToken return value with a defensive WARN if a future
config-loader bug ever sets IdentityFromToken on an OIDC base config
(structurally absent on the OIDC CRD type today).

The tripwire test asserts userinfo HTTP is never contacted when
identityFromToken is configured, in... (continued)

96 of 104 new or added lines in 3 files covered. (92.31%)

34 existing lines in 4 files now uncovered.

64317 of 98714 relevant lines covered (65.15%)

62.45 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
6      92.1      -0.29%  pkg/authserver/upstream/oauth2.go
2      86.43     -0.58%  pkg/authserver/upstream/oidc.go

Coverage Regressions

Lines  Coverage  ∆        File
12     75.09     -4.33%   pkg/client/config.go
12     67.9      -14.81%  pkg/client/discovery.go
8      23.56     -4.6%    pkg/client/manager.go
2      82.29     -0.21%   pkg/vmcp/composer/workflow_engine.go
Jobs
ID  Job ID         Ran                      Files  Coverage
1   25756530938.1  12 May 2026 07:19PM UTC  728    65.15
GitHub Action Run
Source Files on build 25756530938
  • Tree
  • List 728
  • Changed 9
  • Source Changed 3
  • Coverage Changed 9
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Github Actions Build #25756530938
  • 8a3e9a82 on github
  • Prev Build on main (#25745160312)
  • Next Build on main (#25758728538)