stacklok / toolhive / 28513302228

01 Jul 2026 11:11AM UTC coverage: 67.558% (+0.05%) from 67.513%
Build: push · CI: github · Committer: web-flow
Add XAA auth strategy CRD support (#5691)

The XAA (Cross-Application Access) outgoing auth strategy exists only as
runtime config with no declarative surface, so it cannot be configured
through the operator. Wire it into the CRDs and supply the conversion
needed to turn that config into a runtime strategy.

- Add an XAASpec to the MCPExternalAuthConfig CRD and surface XAA on the
  VirtualMCPServer CRD, both documented as EXPERIMENTAL since ID-JAG
  (draft-ietf-oauth-identity-assertion-authz-grant) is not yet a standard.
- Add a converter that maps the CRD spec to the runtime XAAConfig and
  register it with the auth converter registry.
- Wire XAA IdP/target client secrets through env vars in inline
  (externalAuthConfigRef) mode, mirroring tokenExchange, so confidential-client
  XAA configs work outside discovered mode.
- Add an optional SubjectTokenType field defaulting to the id_token URN,
  with CRD validation restricting it to a single allowed value for now so
  SAML upstream support can be added later without an API break.
- Auto-populate SubjectProviderName for XAA on the operator reconcile path,
  matching token_exchange and aws_sts.
- Validate XAA strategies in the vMCP config validator, add an HTTPS pattern to
  idpTokenUrl, and warn at wire-up on unauthenticated Step B or plain-HTTP
  target token URLs.
- Relax targetResource to optional per ID-JAG draft section 4.3 (RFC 8707
  resource is OPTIONAL) and correct its documentation.
- Consolidate the duplicated first-upstream-provider resolution into
  authserver.ResolveFirstUpstreamName.

Closes #5681

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>

215 of 235 new or added lines in 14 files covered. (91.49%)

11 existing lines in 4 files now uncovered.

71198 of 105388 relevant lines covered (67.56%)

63.56 hits per line

Source File: /pkg/transport/proxy/httpsse/http_proxy.go (80.56% covered)

Source not available.
