Conversation

@jhrozek
Contributor

@jhrozek jhrozek commented Jan 12, 2026

Introduce foundational types for communicating with upstream Identity Providers (e.g. Google) in the authorization server:

  • Provider interface: abstracts IDP operations (authorization URL generation, code exchange, token refresh, userinfo)
  • IDTokenNonceValidator: optional interface for OIDC nonce validation to prevent replay attacks
  • UserInfoSubjectValidator: optional interface for OIDC Section 5.3.4 subject validation to prevent impersonation
  • Tokens: represents access/refresh/ID tokens from upstream IDP
  • IDTokenClaims: parsed OIDC ID token claims including azp for multi-audience token validation
  • Config: upstream IDP connection configuration with redirect URI validation

These types are implemented by OIDCProvider in the full authorization server and used for token exchange flows where the auth server acts as an OAuth client to upstream IDPs.

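The description above names four checks the new types are meant to support: nonce validation against replay, OIDC Core Section 5.3.4 subject validation against impersonation, azp handling for multi-audience ID tokens, and redirect URI validation in the upstream config. The Go below is an added illustration of those checks, not code from this PR or from toolhive; the `IDTokenClaims` struct, the `NonceStore`, the function names and the exact redirect-URI rules (https, or http only on a loopback host) are this example's own assumptions, and the sample claims in `main` are constructed.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/url"
	"sync"
)

// IDTokenClaims holds the ID token claims these checks need. Hypothetical
// struct written for this example; not the project's own type.
type IDTokenClaims struct {
	Subject         string   // sub
	Audience        []string // aud: one or more client IDs
	AuthorizedParty string   // azp
	Nonce           string   // nonce
}

// ValidateAudience applies the aud/azp rules of OIDC Core 3.1.3.7: our
// client_id must be listed in aud, a token with several audiences must carry
// azp, and when azp is present it must name our client_id. A token minted for
// another client is rejected even if our client_id appears in aud.
func ValidateAudience(c IDTokenClaims, clientID string) error {
	ours := false
	for _, a := range c.Audience {
		if a == clientID {
			ours = true
		}
	}
	if !ours {
		return errors.New("aud does not contain this client_id")
	}
	if len(c.Audience) > 1 && c.AuthorizedParty == "" {
		return errors.New("multi-audience ID token is missing azp")
	}
	if c.AuthorizedParty != "" && c.AuthorizedParty != clientID {
		return errors.New("azp names a different client")
	}
	return nil
}

// NonceStore remembers the nonce issued for each in-flight authorization
// request, keyed by state. A nonce is removed on first use, so an ID token
// presented a second time fails even though its nonce is well-formed.
type NonceStore struct {
	mu     sync.Mutex
	nonces map[string]string
}

func NewNonceStore() *NonceStore { return &NonceStore{nonces: map[string]string{}} }

// Issue records the nonce sent to the upstream IDP for this state.
func (s *NonceStore) Issue(state, nonce string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.nonces[state] = nonce
}

// ValidateNonce compares the ID token nonce with the issued one in constant
// time and consumes it whether or not the comparison succeeds.
func (s *NonceStore) ValidateNonce(state string, c IDTokenClaims) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	expected, ok := s.nonces[state]
	if !ok {
		return errors.New("unknown state or nonce already consumed")
	}
	delete(s.nonces, state)
	if subtle.ConstantTimeCompare([]byte(expected), []byte(c.Nonce)) != 1 {
		return errors.New("ID token nonce does not match the issued nonce")
	}
	return nil
}

// ValidateUserInfoSubject applies OIDC Core 5.3.4: the sub returned by the
// UserInfo endpoint must equal the ID token sub, otherwise the UserInfo
// response must not be trusted.
func ValidateUserInfoSubject(idToken IDTokenClaims, userInfoSub string) error {
	if userInfoSub == "" || userInfoSub != idToken.Subject {
		return errors.New("UserInfo sub does not match ID token sub")
	}
	return nil
}

// ValidateRedirectURI accepts only an absolute URI without a fragment that
// uses https, or http on a loopback host. These rules are this example's own.
func ValidateRedirectURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("redirect URI is not parseable: %w", err)
	}
	if !u.IsAbs() || u.Host == "" {
		return errors.New("redirect URI must be absolute")
	}
	if u.Fragment != "" {
		return errors.New("redirect URI must not contain a fragment")
	}
	switch u.Scheme {
	case "https":
		return nil
	case "http":
		host := u.Hostname()
		if ip := net.ParseIP(host); host == "localhost" || (ip != nil && ip.IsLoopback()) {
			return nil
		}
		return errors.New("http redirect URI is only allowed for loopback hosts")
	default:
		return fmt.Errorf("unsupported redirect URI scheme %q", u.Scheme)
	}
}

func main() {
	// Constructed sample: a token issued to two audiences, azp set to ours.
	claims := IDTokenClaims{Subject: "user-123", Audience: []string{"client-a", "client-b"},
		AuthorizedParty: "client-a", Nonce: "n1"}
	store := NewNonceStore()
	store.Issue("state-1", "n1")
	fmt.Println("aud/azp:", ValidateAudience(claims, "client-a"))
	fmt.Println("nonce:", store.ValidateNonce("state-1", claims))
	fmt.Println("replay:", store.ValidateNonce("state-1", claims))
	fmt.Println("userinfo sub:", ValidateUserInfoSubject(claims, "user-123"))
	fmt.Println("redirect:", ValidateRedirectURI("https://auth.example.com/callback"))
}
```

The nonce is consumed before the comparison result is known, so a mismatching token burns the state as well; that is deliberate, since a flow whose nonce failed should be restarted rather than retried with another token.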
@github-actions github-actions bot added the size/L Large PR: 600-999 lines changed label Jan 12, 2026
@codecov
codecov bot commented Jan 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 63.66%. Comparing base (35ac572) to head (9cefdf1).
⚠️ Report is 15 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3260      +/-   ##
==========================================
+ Coverage   63.54%   63.66%   +0.12%     
==========================================
  Files         355      358       +3     
  Lines       35058    35199     +141     
==========================================
+ Hits        22279    22411     +132     
- Misses      10978    10984       +6     
- Partials     1801     1804       +3     

☔ View full report in Codecov by Sentry.

dmjb
dmjb previously approved these changes Jan 12, 2026
In a future commit when we actually make use of the interface, we'll
rather use one from toolhive's networking package
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Jan 12, 2026
@jhrozek jhrozek merged commit d76bb0d into main Jan 13, 2026
37 checks passed
@jhrozek jhrozek deleted the auth-proxy-pr-5-upstream branch January 13, 2026 11:51