pomerium / pomerium / 22685279033 / 1
45%
main: 45%

Build:
DEFAULT BRANCH: main
Ran 04 Mar 2026 07:33PM UTC
Files 685
Run time 15s
04 Mar 2026 07:19PM UTC coverage: 44.877% (+0.05%) from 44.824%
22685279033.1

push

github

web-flow
mcp: add UpstreamAuthHandler for upstream token injection and 401/403 interception (#6165)

## Summary

- Add `UpstreamAuthHandler` implementing the
`extproc.UpstreamRequestHandler` interface for MCP upstream OAuth flows
- `GetUpstreamToken()` dispatches to static (`upstream_oauth2` config)
or auto-discovery (MCP token) paths with singleflight-deduplicated
refresh
- `HandleUpstreamResponse()` intercepts upstream 401/403, runs RFC 9728
PRM discovery, generates PKCE + state, stores `PendingUpstreamAuth`, and
returns 401 with Pomerium's PRM URL
- Token refresh classifies errors: permanent failures (4xx) clear the
cached token and return empty; transient failures (5xx, network)
preserve it and return an error (502)
- Add `tokenEndpointError` type to `upstream_token_exchange.go` for
error classification
- Add `resource_param` field to `PendingUpstreamAuth` and
`UpstreamMCPToken` protos (carry-over from
https://github.com/pomerium/pomerium/pull/6152 where protos were updated
but not generated files)
- Consolidate upstream OAuth2 token injection into the ext_proc path:
remove `GetUpstreamOAuth2Token` from `MCPAccessTokenProvider` interface
and simplify `fillMCPHeaders` to strip the Authorization header for all
MCP server routes (ext_proc now handles injection)
- Fix singleflight key in `Handler.GetUpstreamOAuth2Token` from `host`
to `host+":"+userID` to prevent cross-user token coalescing

## Related issues

- [ENG-3592](https://linear.app/pomerium/issue/ENG-3592)

## User Explanation

No user-facing changes. This is internal infrastructure for MCP upstream
OAuth token management.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
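
The last Summary bullet changes the singleflight key from `host` to `host+":"+userID`. The following is an added example, not Pomerium's code: a minimal stand-in for a singleflight group, with a constructed host, users and token strings and a hypothetical `onJoin` hook, showing which token a second user receives under each key when his request arrives during the first user's refresh.

```go
package main

import (
	"fmt"
	"sync"
)

// call is one in-flight fetch; group shares its result with callers of the same key.
type call struct {
	done chan struct{}
	val  string
}
type group struct {
	calls  sync.Map // key -> *call
	onJoin func()   // demo hook: runs when a caller attaches to an in-flight call
}

func (g *group) do(key string, fn func() string) string {
	c := &call{done: make(chan struct{})}
	if prev, inFlight := g.calls.LoadOrStore(key, c); inFlight {
		g.onJoin()
		<-prev.(*call).done
		return prev.(*call).val // the first caller's token, whoever that was
	}
	c.val = fn()
	g.calls.Delete(key)
	close(c.done)
	return c.val
}

// fetchBoth has bob ask for a token while alice's refresh is still in flight.
func fetchBoth(key func(host, userID string) string) (alice, bob string) {
	arrived, bobCh := make(chan struct{}, 2), make(chan string, 1)
	g := &group{onJoin: func() { arrived <- struct{}{} }}
	alice = g.do(key("mcp.example.test", "alice"), func() string {
		go func() {
			bobCh <- g.do(key("mcp.example.test", "bob"), func() string { return "token-bob" })
			arrived <- struct{}{}
		}()
		<-arrived // bob has either joined this call or finished his own
		return "token-alice"
	})
	return alice, <-bobCh
}

func main() {
	fmt.Println(fetchBoth(func(h, _ string) string { return h }))           // key = host
	fmt.Println(fetchBoth(func(h, u string) string { return h + ":" + u })) // key = host:userID
}
```

With the host-only key both callers end up holding alice's token; with the per-user key each fetch runs separately and bob gets his own.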

33938 of 75624 relevant lines covered (44.88%)

115.66 hits per line

  • 243697d1 on github