stacklok / toolhive / build 28061651474
Coverage: 67%

Build:
Default branch: main
Ran: 23 Jun 2026 10:39PM UTC
Jobs: 1
Files: 763
Run time: 2min
23 Jun 2026 10:33PM UTC coverage: 67.095% (+0.01%) from 67.083%
Build 28061651474 · push · github · web-flow
Add per-OIDC-provider SubjectClaim config (#5589)

* Add per-OIDC-provider SubjectClaim config

OIDC upstream identity resolution hardcoded the subject to the "sub"
claim, which breaks IdPs whose stable per-user identifier is a different
claim — most notably Entra/Azure AD, where "sub" rotates per application
and the stable id is "oid".

Add a per-provider SubjectClaim (default "sub", no behavior change when
unset). When set, the named claim is extracted from the validated ID
token and used as the upstream subject, failing loud if it is missing,
empty, or non-string rather than silently falling back to "sub". Brings
OIDC to parity with OAuth2's existing IdentityFromTokenConfig.SubjectPath.

Refs: stacklok/toolhive#5575, connector-gateway-as-storage RFC D7.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Laurel Orr <laurel@stacklok.com>

* Fix SubjectClaim refresh path and add operator CRD

Completes the per-OIDC-provider SubjectClaim feature so it works
end-to-end and is reachable from every OSS configuration surface.

Refresh path: the initial-login subject comes from resolveSubject (the
configured SubjectClaim, or "sub" by default), but RefreshTokens still
compared the refreshed ID token's raw "sub" against the stored subject.
With any non-"sub" SubjectClaim those differ by construction, so a
refresh that returned an ID token failed with ErrSubjectMismatch —
breaking refresh for exactly the IdPs the feature targets (e.g. Entra,
which returns an id_token on refresh). Resolve the refreshed token
through the same path before comparing.

Operator CRD: the Go config gained SubjectClaim, but operator-managed
deployments had no way to set it. Add subjectClaim to the
OIDCUpstreamConfig CRD and propagate it through buildOIDCUpstreamRunConfig.
A Pattern constraint restricts the value to a claim-name shape; empty
defaults to "sub". Pattern is used rather than a CEL XValidation rule so
the check stays off the CRD's CEL cost ... (continued)

36 of 40 new or added lines in 3 files covered. (90.0%)

3 existing lines in 1 file now uncovered.

69518 of 103612 relevant lines covered (67.09%)

66.2 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
4      86.67%    0.24%   pkg/authserver/upstream/oidc.go

Coverage Regressions

Lines  Coverage  ∆       File
3      97.37%    -0.53%  pkg/authz/authorizers/cedar/core.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   28061651474.1  23 Jun 2026 10:39PM UTC  763    67.09%
GitHub Action Run
Source Files on build 28061651474
  • Files: 763
  • Changed: 10
  • Source Changed: 7
  • Coverage Changed: 10
  • Github Actions Build #28061651474
  • 37a188f8 on github
  • Prev Build on main (#28059829900)
  • Next Build on main (#28064547504)
© 2026 Coveralls, Inc