stacklok / toolhive / 25860163109

14 May 2026 12:32PM UTC coverage: 65.346% (+0.02%) from 65.324%
Build trigger: push (github, web-flow)
Add identityFromToken to MCPExternalAuthConfig CRD (#5269)

Some OAuth2 upstream providers do not expose a usable userinfo
endpoint but include user identity in the token response itself
(e.g. Slack's `authed_user.id`, or Snowflake's `username` reachable
via the gjson `@upstreamjwt` modifier on the embedded access token).
Add an `identityFromToken` block on `OAuth2UpstreamConfig` that
lets operators map subject, name, and email to gjson dot-notation
paths into the token-endpoint response body.

The new type lives alongside `TokenResponseMapping` and
`UserInfoConfig`; doc comments cross-reference the blocks so
operators can find the right one for their provider. The
trust-model warning lives both on the `IdentityFromTokenConfig`
type and inline on `SubjectPath` so it surfaces in the field-by-
field reference (kubectl explain, generated API docs): claims read
from the token response are trusted only via TLS, not
cryptographically verified — prefer OIDC ID tokens when verifiable
claims are required. The same caveat applies to the `@upstreamjwt`
modifier, which performs no signature verification. Subject
uniqueness is scoped to the upstream provider entry; use distinct
providers for distinct trust domains.

Admission validation:

- SubjectPath: required, MinLength=1, MaxLength=256.
- NamePath, EmailPath: optional, MinLength=1, MaxLength=256
  (omit the field rather than setting it to an empty string).
- Reconcile-time: a new `validateOAuth2UpstreamConfig` helper
  rejects empty SubjectPath when the block is set, with errors
  scoped to `oauth2Config[.field]` so callers wrap with their
  own outer scope — matching the contract of
  `ValidateOAuth2DCRConfig`.

Coexistence with `UserInfo` and `TokenResponseMapping` is allowed
at admission; runtime priority is decided by the embedded auth
server in a later commit.

`SyntheticIdentityUpstreams()` — the predicate driving the
`ConditionTypeIdentitySynthesized` advisory — now also skips
upstreams configured with ... (continued)

10 of 24 new or added lines in 2 files covered. (41.67%)

8 existing lines in 3 files now uncovered.

64645 of 98927 relevant lines covered (65.35%)

62.34 hits per line

Source file: /pkg/transport/proxy/httpsse/http_proxy.go (79.38% covered)

Source Not Available
