Altinity / altinity-mcp / 25869800703
77%

Build:
DEFAULT BRANCH: main
Ran 14 May 2026 03:47PM UTC
Jobs 1
Files 17
Run time 1min
14 May 2026 03:45PM UTC coverage: 81.407% (+0.2%) from 81.212%
25869800703

push

github

BorisTyshkevich
oauth: normalize Google URI-form scopes + strict OIDC scope advertisement

ChatGPT renders a cosmetic "permissions not granted" warning when its requested
scope (openid email profile) doesn't byte-match the response scope. Google's
/oauth/token emits the OIDC-identity scopes in URI form
(https://www.googleapis.com/auth/userinfo.email instead of email), which our
broker echoed back verbatim. The mismatch is purely shape; the identity claims
are present and the connector works, but the warning erodes trust.

Two helpers in oauth_server.go centralise the fix:

- normalizeUpstreamScopeForClient maps the three Google OIDC URI aliases back
  to standard names (openid/email/profile). Applied at /oauth/token responses
  for the authorization-code grant and the forward-mode refresh grant.
  Upstream-stored scope (oauthIssuedCode.Scope, refresh-JWE claims) keeps
  Google's original form so subsequent upstream refresh calls hit Google with
  the same string Google returned.

- oidcScopesForAdvertisement is an explicit allowlist
  (openid/email/profile/offline_access) applied to every site where MCP
  surfaces scopes to clients: protected-resource doc, AS metadata,
  openid-configuration, the DCR registration response, and the
  WWW-Authenticate challenge. Filters out URI-form upstream scopes and
  arbitrary resource-server scopes (mcp:read, calendar.list, …) that aren't
  exercised in altinity-mcp today (RequiredScopes is empty in every helm
  values file). Auth0 deployments keep offline_access for the refresh-token
  gate; Google deployments naturally omit it (Google uses access_type=offline
  param, not a scope).

When scope-based tool authorization is added, extend the allowlist explicitly.

TestNormalizeUpstreamScopeForClient + TestOidcScopesForAdvertisement cover
URI mapping, dedup, order preservation, and the empty/passthrough/filter cases.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
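
The two behaviours the commit message describes, sketched as an added example; this is not the project's code from oauth_server.go. The function and variable names are hypothetical, the `userinfo.profile` alias is Google's profile scope and does not appear on this page, and the third alias the message mentions is not reproduced because the page does not name it.

```go
package main

import "fmt"
import "strings"

// Google URI-form identity scopes mapped to standard OIDC names. The
// userinfo.email alias is quoted in the commit message; userinfo.profile is assumed.
var googleAliases = map[string]string{
	"https://www.googleapis.com/auth/userinfo.email":   "email",
	"https://www.googleapis.com/auth/userinfo.profile": "profile",
}

// Allowlist of scopes that may be surfaced to clients (list from the commit message).
var advertisable = map[string]bool{
	"openid": true, "email": true, "profile": true, "offline_access": true,
}

// normalizeForClient (hypothetical) maps aliases, dedups, keeps first-seen order.
func normalizeForClient(scope string) string {
	seen := map[string]bool{}
	var out []string
	for _, s := range strings.Fields(scope) {
		if std, ok := googleAliases[s]; ok {
			s = std
		}
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return strings.Join(out, " ")
}

// filterForAdvertisement (hypothetical) drops everything outside the allowlist,
// including URI-form upstream scopes and resource-server scopes.
func filterForAdvertisement(scopes []string) []string {
	out := []string{}
	for _, s := range scopes {
		if advertisable[s] {
			out = append(out, s)
		}
	}
	return out
}

func main() {
	// Constructed upstream scope string, not captured traffic.
	up := "openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile email"
	fmt.Println(normalizeForClient(up), filterForAdvertisement(strings.Fields(up)))
}
```

The normalized string is what a client comparing requested and granted scopes would see; the stored upstream scope is left untouched, as the commit message requires for later refresh calls.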

67 of 77 new or added lines in 1 file covered. (87.01%)

316 existing lines in 3 files now uncovered.

4733 of 5814 relevant lines covered (81.41%)

1.19 hits per line

Uncovered Changes

Lines  Coverage  ∆      File
10     78.57     0.89%  cmd/altinity-mcp/oauth_server.go

Coverage Regressions

Lines  Coverage  ∆       File
218    78.57     0.89%   cmd/altinity-mcp/oauth_server.go
67     85.7      -0.19%  cmd/altinity-mcp/main.go
31     91.04     -0.15%  pkg/server/server_auth_oauth.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   25869800703.1  14 May 2026 03:47PM UTC  17     81.41
  • 3bac431a on github