• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29412915156

15 Jul 2026 11:48AM UTC coverage: 68.005% (-0.006%) from 68.011%
29412915156

push

github

web-flow
Validate aud and resource claims in returned ID-JAG JWT (#5716)

The XAA IdP exchange (RFC 8693) returned an ID-JAG JWT without
validating its aud or resource claims against the values requested in
the exchange. If the IdP minted an ID-JAG for a different audience or
resource, ToolHive forwarded it to the target AS unchanged — a token-
misbinding / confused-deputy risk.

Add validateIDJAGClaims to check the aud claim (REQUIRED per draft
§3.1, membership check per RFC 7519 §4.1.3) and the resource claim
(OPTIONAL per §3.1, validated when one was requested) inside the
returned ID-JAG JWT. A non-JWT assertion that fails to parse is now
rejected rather than forwarded. The typ header check remains logged-
only by design (the draft §3.1 MUST is on the issuer; ToolHive is the
holder/presenter).

Closes #5696

49 of 51 new or added lines in 1 file covered. (96.08%)

32 existing lines in 7 files now uncovered.

73526 of 108119 relevant lines covered (68.0%)

63.46 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.56
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available

STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc