• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29618549899
69%

Build:
DEFAULT BRANCH: main
Ran 17 Jul 2026 10:46PM UTC
Jobs 1
Files 806
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

17 Jul 2026 10:39PM UTC coverage: 68.592%. Remained the same
29618549899

push

github

web-flow
Respect DCR-negotiated token endpoint auth method (#5866)

* Respect DCR-negotiated token endpoint auth method

The upstream OAuth2 client hardcoded AuthStyleInParams
(client_secret_post) at the token endpoint, ignoring the
token_endpoint_auth_method negotiated during Dynamic Client
Registration. Authorization servers that register confidential
clients as client_secret_basic (e.g. Ory Hydra's default) reject
the code exchange with invalid_client, leaving the integrator no
workaround since the method is a property of the upstream's
registration response.

Thread the negotiated method through to the token exchange:

- Add TokenEndpointAuthMethod to upstream.OAuth2Config and map it
  to oauth2.AuthStyle in newBaseOAuth2Provider (basic -> header,
  post/unset -> body), preserving existing behavior for statically
  configured upstreams.
- Copy dcr.Resolution.TokenEndpointAuthMethod through
  applyResolutionToOAuth2Config so DCR-registered clients present
  credentials the way the upstream expects.
- Add client_secret_basic/client_secret_post constants to oauthproto.

Fixes #5865

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

* Fail loudly on unsupported token endpoint auth method

Addresses stacklok/toolhive#5866 review comments:
- MEDIUM pkg/authserver/upstream/oauth2.go (3605835893): reject an
  unrecognised non-empty token_endpoint_auth_method (e.g.
  private_key_jwt, which the DCR resolver ranks first) at construction
  instead of silently degrading to POST-body credentials, per the
  fail-loudly-on-unknown-enum convention. Recognised methods
  (basic/post/none) and unset are unchanged.
- INFO pkg/authserver/upstream/oauth2.go (3605835902): document that
  statically-configured upstreams have no path to set the field.
- LOW pkg/authserver/runner/dcr_adapter.go (3605835908): note the
  negotiated auth method (not just the secret) is dropped when the
  paired call is skipped.
- LOW pkg/authserver/upstream/oauth2.go (3605835911): centralise the... (continued)

14 of 14 new or added lines in 2 files covered. (100.0%)

10 existing lines in 4 files now uncovered.

75064 of 109435 relevant lines covered (68.59%)

71.63 hits per line

Coverage Regressions

Lines Coverage ∆ File
3
97.37
-0.53% pkg/authz/authorizers/cedar/core.go
3
71.85
-1.11% pkg/ignore/processor.go
2
82.29
-0.21% pkg/vmcp/composer/workflow_engine.go
2
61.69
-0.17% pkg/workloads/manager.go
Jobs
ID Job ID Ran Files Coverage
1 29618549899.1 17 Jul 2026 10:46PM UTC 806
68.59
GitHub Action Run
Source Files on build 29618549899
  • Tree
  • List 806
  • Changed 7
  • Source Changed 2
  • Coverage Changed 7
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Repo
  • Github Actions Build #29618549899
  • 52ecebcc on github
  • Prev Build on main (#29604167811)
  • Next Build on main (#29639299804)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc