• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

stacklok / toolhive / 29582646178 / 1
69%
main: 69%

Build:
DEFAULT BRANCH: main
Ran 17 Jul 2026 01:12PM UTC
Files 805
Run time 37s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

17 Jul 2026 01:05PM UTC coverage: 68.552% (+0.08%) from 68.472%
29582646178.1

push

github

web-flow
Add RFC 8693 token exchange handler to the embedded AS (#5822)

* Add RFC 8693 token exchange handler

Implement the core token exchange logic for user-to-agent delegation.
An authenticated OAuth client presents a user's JWT as subject_token
and receives a delegated JWT with sub=user and an act claim identifying
the acting client, per RFC 8693 Section 4.1.

New package pkg/authserver/server/tokenexchange with:
- SubjectTokenValidator: verifies subject tokens against the AS's own
  JWKS using go-jose/v4, validates issuer/audience/expiry/subject,
  prefers kid-matched keys, requires exp claim, rejects malformed
  may_act values
- Handler: fosite TokenEndpointHandler for the token-exchange grant
  type, validates RFC 8693 parameters (subject_token, subject_token_type,
  requested_token_type), enforces RFC 8707 resource parameter, builds
  delegated session with act claim, caps delegation lifetime to
  min(subject_remaining, configured_max)
- Factory: server.Factory adapter returning (any, error) with comma-ok
  type assertions instead of panicking

Security hardening:
- Scope intersection: delegated scopes are the intersection of the
  client's registered scopes and the subject token's granted scopes;
  subject tokens without a scope claim grant no scopes (fail-closed)
- client_id binding: if the subject token carries a client_id claim,
  it must match the authenticated client; prevents cross-client theft
- may_act enforcement: if the subject token carries a may_act claim
  (RFC 8693 Section 4.1), it is the authoritative consent signal and
  enables cross-client delegation; client_id binding is skipped
- Confidential-client-only; public clients rejected
- Algorithm allowlist excludes none and HS-*; signature verification
  uses public keys only
- Error responses do not leak validation internals (no WithWrap)

Constants deduplicated: RFC 8693 grant type and token type URIs are
imported from pkg/oauthproto instead of redefined locally.

Factory signature c... (continued)

74890 of 109245 relevant lines covered (68.55%)

65.3 hits per line

Source Files on job 29582646178.1
  • Tree
  • List 805
  • Changed 7
  • Source Changed 1
  • Coverage Changed 7
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Build 29582646178
  • 3040872c on github
  • Prev Job for on main (#29580704301.1)
  • Next Job for on main (#29593232077.1)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc