Coveralls build report: stacklok / toolhive / build 25860163109 / job 1
Coverage: 66% (main: 66%)
Default branch: main
Ran 14 May 2026 12:38PM UTC
Files: 730
Run time: 25s
14 May 2026 12:32PM UTC coverage: 65.346% (+0.02%) from 65.324%
Job 25860163109.1 · push · github · web-flow
Add identityFromToken to MCPExternalAuthConfig CRD (#5269)

Some OAuth2 upstream providers do not expose a usable userinfo
endpoint but include user identity in the token response itself
(e.g. Slack's `authed_user.id`, or Snowflake's `username` reachable
via the gjson `@upstreamjwt` modifier on the embedded access token).
Add an `identityFromToken` block on `OAuth2UpstreamConfig` that
lets operators map subject, name, and email to gjson dot-notation
paths into the token-endpoint response body.

The new type lives alongside `TokenResponseMapping` and
`UserInfoConfig`; doc comments cross-reference the blocks so
operators can find the right one for their provider. The
trust-model warning lives both on the `IdentityFromTokenConfig`
type and inline on `SubjectPath` so it surfaces in the field-by-
field reference (kubectl explain, generated API docs): claims read
from the token response are trusted only via TLS, not
cryptographically verified — prefer OIDC ID tokens when verifiable
claims are required. The same caveat applies to the `@upstreamjwt`
modifier, which performs no signature verification. Subject
uniqueness is scoped to the upstream provider entry; use distinct
providers for distinct trust domains.

Admission validation:

- SubjectPath: required, MinLength=1, MaxLength=256.
- NamePath, EmailPath: optional, MinLength=1, MaxLength=256
  (omit the field rather than setting it to an empty string).
- Reconcile-time: a new `validateOAuth2UpstreamConfig` helper
  rejects empty SubjectPath when the block is set, with errors
  scoped to `oauth2Config[.field]` so callers wrap with their
  own outer scope — matching the contract of
  `ValidateOAuth2DCRConfig`.

Coexistence with `UserInfo` and `TokenResponseMapping` is allowed
at admission; runtime priority is decided by the embedded auth
server in a later commit.

`SyntheticIdentityUpstreams()` — the predicate driving the
`ConditionTypeIdentitySynthesized` advisory — now also skips
upstreams configured with ... (continued)

64645 of 98927 relevant lines covered (65.35%)

62.34 hits per line

Source files on job 25860163109.1: 730 files listed, 9 changed, 2 source changed, 9 coverage changed.
Commit 8c84c059 on github (build 25860163109).