• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29582646178
69%

Build:
DEFAULT BRANCH: main
Ran 17 Jul 2026 01:12PM UTC
Jobs 1
Files 805
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

17 Jul 2026 01:05PM UTC coverage: 68.552% (+0.08%) from 68.472%
29582646178

push

github

web-flow
Add RFC 8693 token exchange handler to the embedded AS (#5822)

* Add RFC 8693 token exchange handler

Implement the core token exchange logic for user-to-agent delegation.
An authenticated OAuth client presents a user's JWT as subject_token
and receives a delegated JWT with sub=user and an act claim identifying
the acting client, per RFC 8693 Section 4.1.

New package pkg/authserver/server/tokenexchange with:
- SubjectTokenValidator: verifies subject tokens against the AS's own
  JWKS using go-jose/v4, validates issuer/audience/expiry/subject,
  prefers kid-matched keys, requires exp claim, rejects malformed
  may_act values
- Handler: fosite TokenEndpointHandler for the token-exchange grant
  type, validates RFC 8693 parameters (subject_token, subject_token_type,
  requested_token_type), enforces RFC 8707 resource parameter, builds
  delegated session with act claim, caps delegation lifetime to
  min(subject_remaining, configured_max)
- Factory: server.Factory adapter returning (any, error) with comma-ok
  type assertions instead of panicking

Security hardening:
- Scope intersection: delegated scopes are the intersection of the
  client's registered scopes and the subject token's granted scopes;
  subject tokens without a scope claim grant no scopes (fail-closed)
- client_id binding: if the subject token carries a client_id claim,
  it must match the authenticated client; prevents cross-client theft
- may_act enforcement: if the subject token carries a may_act claim
  (RFC 8693 Section 4.1), it is the authoritative consent signal and
  enables cross-client delegation; client_id binding is skipped
- Confidential-client-only; public clients rejected
- Algorithm allowlist excludes none and HS-*; signature verification
  uses public keys only
- Error responses do not leak validation internals (no WithWrap)

Constants deduplicated: RFC 8693 grant type and token type URIs are
imported from pkg/oauthproto instead of redefined locally.

Factory signature c... (continued)

374 of 413 new or added lines in 4 files covered. (90.56%)

15 existing lines in 5 files now uncovered.

74890 of 109245 relevant lines covered (68.55%)

65.3 hits per line

Uncovered Changes

Lines Coverage ∆ File
23
20.69
pkg/authserver/server/tokenexchange/factory.go
11
95.6
pkg/authserver/server/tokenexchange/handler.go
4
86.53
0.34% pkg/authserver/server/provider.go
1
99.16
pkg/authserver/server/tokenexchange/validator.go

Coverage Regressions

Lines Coverage ∆ File
6
73.96
-1.78% pkg/runner/config.go
3
71.85
-1.11% pkg/ignore/processor.go
3
80.56
-0.7% pkg/transport/proxy/httpsse/http_proxy.go
2
96.05
0.0% pkg/authserver/storage/memory.go
1
61.78
0.26% pkg/workloads/manager.go
Jobs
ID Job ID Ran Files Coverage
1 29582646178.1 17 Jul 2026 01:12PM UTC 805
68.55
GitHub Action Run
Source Files on build 29582646178
  • Tree
  • List 805
  • Changed 7
  • Source Changed 1
  • Coverage Changed 7
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29582646178
  • 3040872c on github
  • Prev Build on main (#29580704301)
  • Next Build on main (#29593232077)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc