• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29582646178

17 Jul 2026 01:05PM UTC coverage: 68.552% (+0.08%) from 68.472%
29582646178

push

github

web-flow
Add RFC 8693 token exchange handler to the embedded AS (#5822)

* Add RFC 8693 token exchange handler

Implement the core token exchange logic for user-to-agent delegation.
An authenticated OAuth client presents a user's JWT as subject_token
and receives a delegated JWT with sub=user and an act claim identifying
the acting client, per RFC 8693 Section 4.1.

New package pkg/authserver/server/tokenexchange with:
- SubjectTokenValidator: verifies subject tokens against the AS's own
  JWKS using go-jose/v4, validates issuer/audience/expiry/subject,
  prefers kid-matched keys, requires exp claim, rejects malformed
  may_act values
- Handler: fosite TokenEndpointHandler for the token-exchange grant
  type, validates RFC 8693 parameters (subject_token, subject_token_type,
  requested_token_type), enforces RFC 8707 resource parameter, builds
  delegated session with act claim, caps delegation lifetime to
  min(subject_remaining, configured_max)
- Factory: server.Factory adapter returning (any, error) with comma-ok
  type assertions instead of panicking

Security hardening:
- Scope intersection: delegated scopes are the intersection of the
  client's registered scopes and the subject token's granted scopes;
  subject tokens without a scope claim grant no scopes (fail-closed)
- client_id binding: if the subject token carries a client_id claim,
  it must match the authenticated client; prevents cross-client theft
- may_act enforcement: if the subject token carries a may_act claim
  (RFC 8693 Section 4.1), it is the authoritative consent signal and
  enables cross-client delegation; client_id binding is skipped
- Confidential-client-only; public clients rejected
- Algorithm allowlist excludes none and HS-*; signature verification
  uses public keys only
- Error responses do not leak validation internals (no WithWrap)

Constants deduplicated: RFC 8693 grant type and token type URIs are
imported from pkg/oauthproto instead of redefined locally.

Factory signature c... (continued)

374 of 413 new or added lines in 4 files covered. (90.56%)

15 existing lines in 5 files now uncovered.

74890 of 109245 relevant lines covered (68.55%)

65.3 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.56
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available

STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc