stacklok / toolhive / 26762868986

66%

Build Type

push

github

Committed by web-flow

Commit Message

Fall back to request-token claims for opaque upstream tokens (#5147)

VirtualMCPServer (Cedar incoming authz) denied every request when the
embedded auth servers upstream provider issues opaque OAuth 2.0 access
tokens (Googles ya29.*, GitHubs gho_*). resolveClaims tried to JWT-parse
the upstream token unconditionally and returned the parse error verbatim,
so every authorization check failed and the gateway skipped every tool.

Discriminate by token shape: if the upstream token is not three dot-
separated segments it cannot be a JWT, so fall back to identity.Claims
(the request-token claims). The embedded auth server already mirrors
the upstream OIDC sub, email and name into its issued AS token (see
pkg/authserver/server/session/session.go), so policies referencing
standard OIDC claims continue to evaluate correctly.

JWT-shaped tokens (three segments) that fail to parse still return the
error: a tampered or corrupted upstream JWT must not silently degrade
to fallback claims.

Closes #5146

Signed-off-by: Cody J. Hanson <cjohnhanson@users.noreply.github.com>
Co-authored-by: Cody J. Hanson <cjohnhanson@users.noreply.github.com>

Coverage Stats

26 of 26 new or added lines in 1 file covered. (100.0%)

15 existing lines in 3 files now uncovered.

65753 of 99795 relevant lines covered (65.89%)

62.97 hits per line