Skip to content

Add upstream_inject strategy type and auth server validation#4349

Merged
jhrozek merged 7 commits intomainfrom
vmcp-add-as-scaffolding-3
Mar 25, 2026
Merged

Add upstream_inject strategy type and auth server validation#4349
jhrozek merged 7 commits intomainfrom
vmcp-add-as-scaffolding-3

Conversation

@jhrozek
Copy link
Copy Markdown
Contributor

@jhrozek jhrozek commented Mar 24, 2026
edited
Loading

Summary

  • Backend auth strategies need a way to inject upstream IDP tokens obtained by the embedded auth server into backend requests. This requires a new upstream_inject strategy type.
  • Add StrategyTypeUpstreamInject and UpstreamInjectConfig to backend auth strategy types.
  • Add ValidateAuthServerIntegration(cfg *Config, rc *authserver.RunConfig) with cross-cutting validation rules V-01 through V-07 (issuer consistency, audience matching, provider existence, etc.).
  • The validator takes *Config and *authserver.RunConfig as separate arguments — no RuntimeConfig wrapper type needed.

Fixes #4142
Fixes #4144

Type of change

  • New feature

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)

Special notes for reviewers

Draft — stacked on #4348. Review the incremental diff only.

The validation functions accept (*Config, *RunConfig) as separate parameters rather than a combined RuntimeConfig type. This keeps the config package free of auth server dependencies and makes the function signatures explicit about what they inspect.

Generated with Claude Code

@jhrozek jhrozek mentioned this pull request Mar 24, 2026
Merged
4 tasks
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Mar 24, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 24, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 85.26316% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.55%. Comparing base (074326e) to head (4e5376c).
⚠️ Report is 14 commits behind head on main.

Files with missing lines Patch % Lines
pkg/vmcp/config/validator.go 84.26% 7 Missing and 7 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4349      +/-   ##
==========================================
+ Coverage   68.45%   69.55%   +1.09%     
==========================================
  Files         479      480       +1     
  Lines       48642    48722      +80     
==========================================
+ Hits        33300    33890     +590     
+ Misses      12373    12221     -152     
+ Partials     2969     2611     -358

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

tgrunnagle
tgrunnagle reviewed Mar 24, 2026
View reviewed changes
@jhrozek jhrozek force-pushed the vmcp-add-as-scaffolding-2 branch from afc069c to 0bd1c80 Compare March 24, 2026 19:07
Base automatically changed from vmcp-add-as-scaffolding-2 to main March 24, 2026 19:59
@jhrozek
Add upstream_inject strategy and auth server validation
39a9a1e 
Add StrategyTypeUpstreamInject and UpstreamInjectConfig to backend
auth strategy types, enabling vMCP backends to inject upstream IDP
tokens obtained by the embedded authorization server.

Add ValidateAuthServerIntegration with cross-cutting validation rules
between the embedded auth server config and backend auth strategies:
- V-01: upstream_inject requires auth server
- V-02: upstream_inject providerName must exist in upstreams
- V-04: auth server issuer must match incomingAuth OIDC issuer
- V-05: auth server requires issuer and at least one upstream
- V-07: incomingAuth audience must be in allowed audiences
- V-09: auth server requires OIDC incoming auth
- V-10: warn on duplicate upstream_inject provider names
- V-11: warn when token_exchange targets the auth server
- V-13: AllowedAudiences required for MCP compliance

Refs: #4142
@jhrozek jhrozek force-pushed the vmcp-add-as-scaffolding-3 branch from d447384 to 39a9a1e Compare March 24, 2026 21:14
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 24, 2026
@jhrozek
Copy link
Copy Markdown
Contributor Author

jhrozek commented Mar 24, 2026

I apologize @tgrunnagle I shouldn't have opened the PR before I went through it carefully myself - that was unfiltered CC output that I just gave a cursory look to. I reviewed the patch manually this time and re-did it. I'm marking it ready for review.

@jhrozek jhrozek marked this pull request as ready for review March 24, 2026 21:15
@jhrozek @claude
Fix gci lint whitespace in validator.go
777eec5 
Remove extra blank line and trailing newline that caused the gci
linter to fail in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Mar 24, 2026
tgrunnagle
tgrunnagle previously approved these changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@tgrunnagle tgrunnagle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a couple non-blocking comments

jerm-dro
jerm-dro previously approved these changes Mar 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jerm-dro jerm-dro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean design — keeping (Config, RunConfig) as separate parameters is the right call. Validation rules are thorough and well-tested. The slices.Contains cleanup is a nice bonus.

jhrozek and others added 4 commits March 24, 2026 22:53
@jhrozek @claude
Clarify that AS-OIDC consistency check is strategy-agnostic
a98cced 
Expand the doc comment on validateAuthServerIncomingAuthConsistency
to explain that it applies regardless of outgoing backend strategy
(upstream_inject, token_exchange, etc.) and why the issuer/audience
match matters: the OIDC middleware rejects every token whose iss
claim differs from what it expects.

Addresses PR review feedback from @tgrunnagle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jhrozek @claude
Remove duplicate upstream_inject provider warning
5f14225 
Multiple backends referencing the same upstream provider is a valid
and expected configuration (e.g., two GitHub-related backends both
needing the "github" upstream token). The "likely a copy-paste error"
warning was a false positive for legitimate configs.

Addresses PR review feedback from @tgrunnagle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jhrozek @claude
Replace "(default)" magic string with defaultStrategyKey constant
b3a7c46 
Extract the synthetic map key for the default outgoing auth strategy
into a named constant. Use "<default-strategy>" instead of "(default)"
to clearly distinguish it from authserver.DefaultUpstreamName and
prevent key collisions with user-defined backend names.

Addresses PR review feedback from @tgrunnagle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jhrozek @claude
Extract hasOIDCIncoming predicate from duplicated checks
01d6fd3 
Both validateAuthServerRequiresOIDC and hasAuthServerWithOIDCIncoming
checked the same three-field condition. Extract a shared hasOIDCIncoming
predicate so the logic lives in one place.

Addresses PR review feedback from @tgrunnagle.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@jhrozek jhrozek dismissed stale reviews from jerm-dro and tgrunnagle via 01d6fd3 March 24, 2026 23:18
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Mar 24, 2026
@jhrozek
Copy link
Copy Markdown
Contributor Author

jhrozek commented Mar 24, 2026

the additional commits address each of @tgrunnagle comments, patch per comment for easier review. the original patch is unchanged.

@jhrozek @claude
Fix revive lint: return validateAuthServerIncomingAuthConsistency dir…
4e5376c 
…ectly

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Mar 25, 2026
@jhrozek jhrozek merged commit 8e2d877 into main Mar 25, 2026
42 of 43 checks passed
@jhrozek jhrozek deleted the vmcp-add-as-scaffolding-3 branch March 25, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tgrunnagle tgrunnagle tgrunnagle approved these changes

@jerm-dro jerm-dro jerm-dro left review comments

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@amirejaz amirejaz Awaiting requested review from amirejaz amirejaz is a code owner

Assignees

No one assigned

Labels

size/L Large PR: 600-999 lines changed

Projects

None yet

Milestone

No milestone

3 participants

@jhrozek @tgrunnagle @jerm-dro