stacklok / toolhive / 28446911783
68%

Build:
DEFAULT BRANCH: main
Ran 30 Jun 2026 01:17PM UTC
Jobs 1
Files 773
Run time 2min
30 Jun 2026 01:11PM UTC coverage: 67.443% (+0.03%) from 67.417%
28446911783

push

github

web-flow
Surface upstream ID tokens through auth middleware (#5682)

Extend the in-process upstream token reader to return the OIDC ID tokens
captured during login alongside the refreshed access tokens, so that auth
strategies can use them as RFC 8693 subject tokens.

The TokenReader interface is consolidated to a single bulk method,
GetAllUpstreamCredentials, returning map[string]UpstreamCredential where
UpstreamCredential{AccessToken, IDToken} carries both tokens for a given
provider. This avoids the two-round-trips pattern of separate bulk-access
and bulk-ID methods reading from the same storage backend.

Identity gains an UpstreamIDTokens map populated by the auth middleware in
parallel with the existing UpstreamTokens map; values are redacted in
MarshalJSON. The serialized claims map also strips the tsid (token session
id) claim so session identifiers do not leak through Identity JSON.

ID tokens are captured at the initial OIDC login and refreshed
opportunistically: when an upstream returns a rotated id_token on refresh
(OIDC Core 1.0 section 12.2) the new one is surfaced and persisted;
otherwise the original login ID token is carried forward so it is not erased
from storage on a non-rotating refresh. ID tokens are not independently
re-validated for freshness, so callers MUST check the exp claim before using
one as an RFC 8693 subject token.

Fixes: #5679

Signed-off-by: Jakub Hrozek <jakub@stacklok.com>
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

85 of 87 new or added lines in 5 files covered. (97.7%)

7 existing lines in 2 files now uncovered.

70723 of 104864 relevant lines covered (67.44%)

64.49 hits per line

Uncovered Changes

Lines  Coverage  ∆       File
2      97.33     -2.67%  pkg/auth/identity.go

Coverage Regressions

Lines  Coverage  ∆       File
6      72.15     -1.9%   pkg/runner/config.go
1      62.21     0.52%   pkg/workloads/manager.go

Jobs

ID  Job ID         Ran                      Files  Coverage
1   28446911783.1  30 Jun 2026 01:17PM UTC  773    67.44
Source Files on build 28446911783
  • Tree
  • List 773
  • Changed 14
  • Source Changed 8
  • Coverage Changed 11
  • Github Actions Build #28446911783
  • 98b35dbb on github
  • Prev Build on main (#28407311417)
  • Next Build on main (#28452107534)