Wire UpstreamTokenReader into vMCP incoming auth middleware by jhrozek · Pull Request #4394 · stacklok/toolhive

jhrozek · 2026-03-26T21:11:52Z

Summary

The vMCP binary created an EmbeddedAuthServer but never extracted its
UpstreamTokenReader to enrich Identity with upstream provider tokens.
The JWT tsid claim was present but Identity.UpstreamTokens was always
nil, causing the upstream_inject strategy to fail with "upstream token
not found".
Threads auth.TokenValidatorOption through NewIncomingAuthMiddleware and
newOIDCAuthMiddleware to GetAuthenticationMiddleware. In commands.go,
builds an InProcessService from the auth server's storage and refresher,
and passes it as WithUpstreamTokenReader.

Part of #4141

Type of change

Bug fix

Test plan

Unit tests (task test)
Linting (task lint-fix)

Changes

File	Change
`cmd/vmcp/app/commands.go`	Build InProcessService from auth server, pass as WithUpstreamTokenReader; fail fast if IDP token storage is nil
`pkg/vmcp/auth/factory/incoming.go`	Accept and thread TokenValidatorOption through middleware constructors

Special notes for reviewers

Stacked on Add CRD type and converter for upstream_inject strategy #4391. Review only the top commit.
Mirrors the proxy runner pattern at pkg/runner/runner.go:250-254 and pkg/auth/middleware.go:56.

🤖 Generated with Claude Code

codecov · 2026-03-26T21:18:25Z

Codecov Report

❌ Patch coverage is 58.33333% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.52%. Comparing base (e3c605f) to head (7971fa9).
⚠️ Report is 25 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/vmcp/app/commands.go	0.00%	10 Missing ⚠️
pkg/vmcp/auth/factory/incoming.go	16.66%	3 Missing and 2 partials ⚠️
...perator/controllers/virtualmcpserver_deployment.go	0.00%	2 Missing ⚠️
...d/thv-operator/pkg/controllerutil/tokenexchange.go	0.00%	2 Missing ⚠️
...erator/api/v1alpha1/mcpexternalauthconfig_types.go	87.50%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4394      +/-   ##
==========================================
+ Coverage   69.48%   69.52%   +0.04%     
==========================================
  Files         486      487       +1     
  Lines       50017    50056      +39     
==========================================
+ Hits        34753    34802      +49     
+ Misses      12578    12576       -2     
+ Partials     2686     2678       -8

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Bridge the Kubernetes operator API to the vMCP runtime config for the upstream_inject outgoing auth strategy. This is Phase 4 of RFC-0054. CRD changes: add ExternalAuthTypeUpstreamInject constant, UpstreamInjectSpec struct, CEL validation rules, and SubjectProviderName on TokenExchangeConfig. Converter changes: add UpstreamInjectConverter, wire SubjectProviderName in TokenExchangeConverter, and register in the converter registry. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The vMCP binary created an EmbeddedAuthServer but never extracted its UpstreamTokenReader to enrich Identity with upstream provider tokens. The JWT tsid claim was present but Identity.UpstreamTokens was always nil, causing the upstream_inject strategy to fail with "upstream token not found". Thread auth.TokenValidatorOption through NewIncomingAuthMiddleware and newOIDCAuthMiddleware to GetAuthenticationMiddleware. In commands.go, build an InProcessService from the auth server's storage and refresher, pass it as WithUpstreamTokenReader. This mirrors the proxy runner pattern at pkg/runner/runner.go:250-254 and pkg/auth/middleware.go:56. Part of #4141 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The base branch was changed.

jhrozek requested review from JAORMX, amirejaz, jerm-dro and yrobla as code owners March 26, 2026 21:11

github-actions bot added the size/XS Extra small PR: < 100 lines changed label Mar 26, 2026

jhrozek force-pushed the vmcp-add-as-scaffolding-6b branch from 12e1fc2 to a4b2892 Compare March 26, 2026 22:34

jhrozek requested a review from ChrisJBurns as a code owner March 26, 2026 22:34

jhrozek force-pushed the vmcp-add-as-scaffolding-7 branch from 8d3d9a5 to 202d8a0 Compare March 26, 2026 22:34

github-actions bot added size/XS Extra small PR: < 100 lines changed and removed size/XS Extra small PR: < 100 lines changed labels Mar 26, 2026

jhrozek force-pushed the vmcp-add-as-scaffolding-6b branch from a4b2892 to e49c89e Compare March 27, 2026 10:31

jhrozek force-pushed the vmcp-add-as-scaffolding-7 branch from 202d8a0 to e4d0916 Compare March 27, 2026 10:35