Skip to content

feat: add authorizationEndpointBaseUrl override to embedded auth server#4396

Merged
jerm-dro merged 4 commits intomainfrom
feat/authorization-endpoint-base-url-override
Mar 27, 2026
Merged

feat: add authorizationEndpointBaseUrl override to embedded auth server#4396
jerm-dro merged 4 commits intomainfrom
feat/authorization-endpoint-base-url-override

Conversation

@jerm-dro
Copy link
Copy Markdown
Contributor

@jerm-dro jerm-dro commented Mar 26, 2026

Summary

  • Add optional authorizationEndpointBaseUrl field to EmbeddedAuthServerConfig that overrides only the authorization_endpoint in the OAuth discovery document
  • When set, the discovery document advertises {authorizationEndpointBaseUrl}/oauth/authorize instead of {issuer}/oauth/authorize; all other endpoints (token, registration, JWKS) remain derived from issuer
  • This enables deployments where the browser-facing authorization endpoint needs to be on a different host than the issuer used for backend-to-backend calls

Changes (7 source files + tests)

  • CRD types: new optional field on EmbeddedAuthServerConfig with same validation pattern as Issuer
  • RunConfig + Config: new field on both structs, validation via validateIssuerURL
  • AuthorizationServerParams + Config: new field, GetAuthorizationEndpointBaseURL() helper with issuer fallback, validation
  • Discovery handler: uses GetAuthorizationEndpointBaseURL() for authorization_endpoint
  • Threading: field passed through server_impl, runner, and operator conversion layers

What does NOT change

  • token_endpoint, registration_endpoint, jwks_uri — still derived from issuer
  • Upstream provider RedirectURI — already independently configurable
  • fosite.Config.AccessTokenIssuer — stays as issuer (for JWT iss claims)

Test plan

  • go build ./... passes
  • go test ./pkg/authserver/... — all existing + new tests pass
  • New tests cover: discovery override for both OAuth and OIDC endpoints, helper fallback behavior, invalid URL validation, Config validation

🤖 Generated with Claude Code

jerm-dro and others added 2 commits March 26, 2026 15:39
@jerm-dro @claude
feat: add authorizationEndpointBaseUrl override to embedded auth server
49afb88 
Allow the browser-facing authorization endpoint in the OAuth discovery
document to be served from a different host than the issuer. When the
new optional field is set, only authorization_endpoint changes; all
other endpoints (token, registration, JWKS) remain derived from issuer.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jerm-dro @claude
refactor: extract testSetupWithOptions to reduce test duplication
dc2fcea 
Extract parameterized test helper to eliminate ~70 lines of duplicated
setup code in the new discovery handler override tests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added the size/S Small PR: 100-299 lines changed label Mar 26, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Mar 26, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.47%. Comparing base (8fc2c71) to head (1ca3d46).
⚠️ Report is 9 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #4396   +/-   ##
=======================================
  Coverage   69.47%   69.47%           
=======================================
  Files         485      485           
  Lines       49805    49825   +20     
=======================================
+ Hits        34603    34618   +15     
- Misses      12523    12530    +7     
+ Partials     2679     2677    -2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jerm-dro jerm-dro requested a review from Copilot March 26, 2026 22:50
Copilot AI reviewed Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an optional authorizationEndpointBaseUrl override that changes only the advertised authorization_endpoint in the OAuth/OIDC discovery documents, enabling browser-facing auth to live on a different host than the issuer used for backend flows.

Changes:

  • Introduces AuthorizationEndpointBaseURL across CRD → operator conversion → runner/config → OAuth server params/config.
  • Updates discovery document generation to derive authorization_endpoint from GetAuthorizationEndpointBaseURL() (issuer fallback).
  • Adds unit tests for helper fallback/override behavior and for discovery document override behavior.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
pkg/authserver/server_impl.go Plumbs AuthorizationEndpointBaseURL into AuthorizationServerParams.
pkg/authserver/server/provider.go Adds field + validation + helper (GetAuthorizationEndpointBaseURL) on server config.
pkg/authserver/server/provider_test.go Adds tests for helper behavior and invalid override validation.
pkg/authserver/server/handlers/discovery.go Uses GetAuthorizationEndpointBaseURL() when constructing authorization_endpoint.
pkg/authserver/server/handlers/handlers_test.go Extends handler test setup and adds discovery override tests for OAuth + OIDC endpoints.
pkg/authserver/runner/embeddedauthserver.go Propagates RunConfig field into resolved authserver.Config.
pkg/authserver/config.go Adds AuthorizationEndpointBaseURL to RunConfig + Config and validates it.
pkg/authserver/config_test.go Adds validation test cases for authorization_endpoint_base_url.
cmd/thv-operator/pkg/controllerutil/authserver.go Copies CRD field into authserver.RunConfig.
cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go Adds optional CRD field with pattern validation and documentation.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@jerm-dro @claude
fix: resolve lint and regenerate docs
5ce256a 
Extract validateTokenLifespans and validateParams to reduce cyclomatic
complexity in NewAuthorizationServerConfig. Regenerate CRD docs, swagger,
and helm docs to include the new authorizationEndpointBaseUrl field.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jerm-dro jerm-dro requested a review from amirejaz as a code owner March 26, 2026 22:56
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/S Small PR: 100-299 lines changed labels Mar 26, 2026
@jerm-dro @claude
docs: regenerate CRD manifests, API reference, and helm chart docs
1ca3d46 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 27, 2026
@jerm-dro jerm-dro merged commit d57d73b into main Mar 27, 2026
40 checks passed
@jerm-dro jerm-dro deleted the feat/authorization-endpoint-base-url-override branch March 27, 2026 12:55
@jhrozek jhrozek mentioned this pull request Mar 27, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jhrozek jhrozek jhrozek approved these changes

@JAORMX JAORMX Awaiting requested review from JAORMX JAORMX is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@amirejaz amirejaz Awaiting requested review from amirejaz amirejaz is a code owner

Assignees

No one assigned

Labels

size/M Medium PR: 300-599 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jerm-dro @jhrozek