
stacklok / toolhive / 28452107534

30 Jun 2026 02:30PM UTC coverage: 67.495% (+0.05%) from 67.443%

push · github · web-flow
Add XAA (Cross-Application Access) outgoing auth strategy (#5684)

* Surface upstream ID tokens through auth middleware

Extend the in-process upstream token reader to return the OIDC ID tokens
captured during login alongside the refreshed access tokens, so that auth
strategies can use them as RFC 8693 subject tokens.

The TokenReader interface is consolidated to a single bulk method,
GetAllUpstreamCredentials, returning map[string]UpstreamCredential where
UpstreamCredential{AccessToken, IDToken} carries both tokens for a given
provider. This avoids the two-round-trips pattern of separate bulk-access
and bulk-ID methods reading from the same storage backend.

Identity gains an UpstreamIDTokens map populated by the auth middleware in
parallel with the existing UpstreamTokens map; values are redacted in
MarshalJSON. The serialized claims map also strips the tsid (token session
id) claim so session identifiers do not leak through Identity JSON.

ID tokens are captured at the initial OIDC login and refreshed
opportunistically: when an upstream returns a rotated id_token on refresh
(OIDC Core 1.0 section 12.2) the new one is surfaced and persisted;
otherwise the original login ID token is carried forward so it is not erased
from storage on a non-rotating refresh. ID tokens are not independently
re-validated for freshness, so callers MUST check the exp claim before using
one as an RFC 8693 subject token.

Fixes: #5679

Signed-off-by: Jakub Hrozek <jakub@stacklok.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Add XAA (Cross-Application Access) outgoing auth strategy

Introduce the XAA runtime strategy for vMCP backends, implementing
draft-ietf-oauth-identity-assertion-authz-grant (ID-JAG) as the basis
for on-demand cross-application tokens. The strategy performs a two-step
OAuth exchange:

  Step A (RFC 8693): Exchange the user's upstream OIDC ID token for
  an ID-JAG assertion at the enterprise IdP. Validates that the
  response carries is... (continued)

246 of 275 new or added lines in 7 files covered. (89.45%)

10 existing lines in 4 files now uncovered.

70959 of 105132 relevant lines covered (67.5%)

64.37 hits per line

Source File

80.56%  /pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available


© 2026 Coveralls, Inc