
stacklok / toolhive / 26231991634
66%

Build:
DEFAULT BRANCH: main
Ran 21 May 2026 02:28PM UTC
Jobs 1
Files 735
Run time 2min

21 May 2026 02:22PM UTC coverage: 65.726% (+0.02%) from 65.71%

push

github

web-flow
Fix DCR failure for authorization servers with non-root issuer paths (#5357)

* Fix DCR failure for issuers with non-root paths (#5356)

resolveDCRCredentials constructed a single OIDC issuer-suffix URL
({issuer}/.well-known/openid-configuration) and passed it to the DCR
resolver, which fetched exactly that URL via
FetchAuthorizationServerMetadataFromURL. Authorization servers that
serve their RFC 8414 metadata exclusively at the path-insertion URL
(scheme://host/.well-known/oauth-authorization-server/{path}) — such as
Gleean's AS with issuer https://example.com/oauth — received a 404 or
HTML response and the CLI failed with "unexpected content-type text/html"
before opening the browser.

Replace the single-URL construction with oauthproto.FetchAuthorizationServerMetadata,
which tries the three well-known URL forms in priority order (RFC 8414
path-insertion, OIDC issuer-suffix, bare RFC 8414), restoring the
fallback behaviour that existed in v0.27.x via
discoverOIDCEndpointsWithClientAndValidation. The fetched
code_challenge_methods_supported is forwarded to the resolver through a
new dcr.Request.CodeChallengeMethodsSupported field, so the S256 PKCE
gate fires without a second discovery round-trip inside the resolver.

Regression test added: TestHandleDynamicRegistration_NonRootIssuerRFC8414PathInsertion
mounts metadata only at /.well-known/oauth-authorization-server/oauth
and verifies DCR succeeds end-to-end.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Add coverage for CodeChallengeMethodsSupported field and synthesis path

Three gaps in the test suite left by the #5356 fix:

1. pkg/auth/dcr: TestResolveDCRCredentials_CodeChallengeMethodsSupportedFieldEnablesPublicClient
   pins the new Request.CodeChallengeMethodsSupported field on the
   RegistrationEndpoint-direct branch. Without a DiscoveryURL the S256
   gate has no metadata to read from; the field is the only input.
   Four cases: S256 allows public client, plain ... (continued)

23 of 31 new or added lines in 2 files covered. (74.19%)

4 existing lines in 2 files now uncovered.

64858 of 98680 relevant lines covered (65.73%)

62.5 hits per line

Uncovered Changes

Lines  Coverage  ∆      File
8      82.64     0.59%  pkg/auth/discovery/discovery.go

Coverage Regressions

Lines  Coverage  ∆       File
3      71.85     -1.11%  pkg/ignore/processor.go
1      88.35     -0.18%  pkg/auth/dcr/resolver.go

Jobs
ID  Job ID         Ran                      Files  Coverage
1   26231991634.1  21 May 2026 02:27PM UTC  735    65.73
GitHub Action Run
Source Files on build 26231991634
  • Tree
  • List 735
  • Changed 6
  • Source Changed 2
  • Coverage Changed 6
  • 4c2e32c5 on github

© 2026 Coveralls, Inc