
stacklok / toolhive / 28452107534
68%

Build:
DEFAULT BRANCH: main
Ran 30 Jun 2026 02:36PM UTC
Jobs 1
Files 774
Run time 4min

30 Jun 2026 02:30PM UTC coverage: 67.495% (+0.05%) from 67.443%
28452107534 · push · github · web-flow
Add XAA (Cross-Application Access) outgoing auth strategy (#5684)

* Surface upstream ID tokens through auth middleware

Extend the in-process upstream token reader to return the OIDC ID tokens
captured during login alongside the refreshed access tokens, so that auth
strategies can use them as RFC 8693 subject tokens.

The TokenReader interface is consolidated to a single bulk method,
GetAllUpstreamCredentials, returning map[string]UpstreamCredential where
UpstreamCredential{AccessToken, IDToken} carries both tokens for a given
provider. This avoids the two-round-trips pattern of separate bulk-access
and bulk-ID methods reading from the same storage backend.

Identity gains an UpstreamIDTokens map populated by the auth middleware in
parallel with the existing UpstreamTokens map; values are redacted in
MarshalJSON. The serialized claims map also strips the tsid (token session
id) claim so session identifiers do not leak through Identity JSON.

ID tokens are captured at the initial OIDC login and refreshed
opportunistically: when an upstream returns a rotated id_token on refresh
(OIDC Core 1.0 section 12.2) the new one is surfaced and persisted;
otherwise the original login ID token is carried forward so it is not erased
from storage on a non-rotating refresh. ID tokens are not independently
re-validated for freshness, so callers MUST check the exp claim before using
one as an RFC 8693 subject token.

Fixes: #5679

Signed-off-by: Jakub Hrozek <jakub@stacklok.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add XAA (Cross-Application Access) outgoing auth strategy

Introduce the XAA runtime strategy for vMCP backends, implementing
draft-ietf-oauth-identity-assertion-authz-grant (ID-JAG) as the basis
for on-demand cross-application tokens. The strategy performs a two-
step OAuth exchange:

  Step A (RFC 8693): Exchange the user's upstream OIDC ID token for
  an ID-JAG assertion at the enterprise IdP. Validates that the
  response carries is... (continued)

246 of 275 new or added lines in 7 files covered. (89.45%)

10 existing lines in 4 files now uncovered.

70959 of 105132 relevant lines covered (67.5%)

64.37 hits per line

Uncovered Changes

Lines  Coverage (%)  ∆        File
19     12.14         -1.91%   pkg/vmcp/auth/types/zz_generated.deepcopy.go
8      96.55                  pkg/vmcp/auth/strategies/xaa.go
2      70.21         -0.52%   pkg/vmcp/auth/factory/outgoing.go

Coverage Regressions

Lines  Coverage (%)  ∆        File
3      97.37         -0.53%   pkg/authz/authorizers/cedar/core.go
3      80.56         -0.7%    pkg/transport/proxy/httpsse/http_proxy.go
2      96.36         -3.64%   pkg/vmcp/config/defaults.go
2      62.3          0.09%    pkg/workloads/manager.go

Jobs

ID  Job ID          Ran                       Files  Coverage (%)
1   28452107534.1   30 Jun 2026 02:36PM UTC   774    67.5

GitHub Action Run
  • Github Actions Build #28452107534
  • 1bb20f95 on github
  • Prev Build on main (#28446911783)
  • Next Build on main (#28452352865)
© 2026 Coveralls, Inc