Add authorization and callback handlers for authserver #3370
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification
[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformationAlternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3370 +/- ##
==========================================
+ Coverage 64.83% 64.91% +0.08%
==========================================
Files 377 380 +3
Lines 36751 36992 +241
==========================================
+ Hits 23827 24015 +188
- Misses 11049 11094 +45
- Partials 1875 1883 +8 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
jhrozek
force-pushed
the
auth-proxy-pr-10-3-handlers-authorize
branch
from
2806669 to
0d5ff40
Compare
github-actions
bot
dismissed
their stale review
Large PR justification has been provided. Thank you!
Contributor
|
✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review. |
github-actions
bot
added
size/XL
yrobla
reviewed
Jan 22, 2026
yrobla
reviewed
Jan 22, 2026
yrobla
previously approved these changes
Jan 22, 2026
Contributor
yrobla
left a comment
yrobla
left a comment
There was a problem hiding this comment.
just some comments about logging
This patch implements the OAuth 2.0 authorization code flow handlers for the authserver. The authorize handler validates incoming requests via fosite, generates cryptographic secrets for upstream correlation (state, PKCE verifier, nonce), stores the pending authorization, and redirects clients to the upstream identity provider. The callback handler receives the upstream response, exchanges the authorization code using the stored PKCE verifier, resolves the user identity through the UserResolver which maps provider subjects to internal users, stores the upstream tokens with session binding, and issues our own authorization code back to the client. Both handlers use fosite's RFC 6749 compliant error responses and properly clean up state on failure. These handlers integrate into the authserver as the core authentication entry points, sitting between downstream clients and the upstream identity provider. They rely on the storage layer for persisting pending authorizations, upstream tokens, users, and provider identities. The UserResolver provides identity mapping by maintaining a link between upstream provider subjects and internal user IDs, enabling a single user to potentially link multiple provider identities. The handlers connect to the upstream OAuth2Provider interface which abstracts the specific identity provider implementation, allowing the authserver to work with different OIDC providers without handler changes.
Remove two logs that don't align with ToolHive logging guidelines: - Remove INFO log on successful redirect to upstream IDP. Per logging guidelines, successful operations should be silent by default. - Remove WARN log for missing state parameter. Since PKCE is required and provides equivalent CSRF protection per OAuth Security BCP Section 4.7.1, the state parameter is redundant for security purposes. Logging a warning for its absence creates noise without actionable benefit. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jhrozek
force-pushed
the
auth-proxy-pr-10-3-handlers-authorize
branch
from
0d5ff40 to
b40bdd4
Compare
github-actions
bot
added
size/XL
Contributor
Author
|
Thanks for the review I removed both. Originally I added the warning about missing state because state is supposed to be optional but recommended, but you're right it doesn't give us much. |
yrobla
approved these changes
Jan 22, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch implements the OAuth 2.0 authorization code flow handlers for the authserver.
The authorize handler validates incoming requests via fosite, generates cryptographic secrets for upstream correlation (state, PKCE verifier, nonce), stores the pending authorization, and redirects clients to the upstream identity provider.
The callback handler receives the upstream response, exchanges the authorization code using the stored PKCE verifier, resolves the user identity through the UserResolver which maps provider subjects to internal users, stores the upstream tokens with session binding, and issues our own authorization code back to the client. Both handlers use fosite's RFC 6749 compliant error responses and properly clean up state on failure.
These handlers integrate into the authserver as the core authentication entry points, sitting between downstream clients and the upstream identity provider. They rely on the storage layer for persisting pending authorizations, upstream tokens, users, and provider identities.
The UserResolver provides identity mapping by maintaining a link between upstream provider subjects and internal user IDs, enabling a single user to potentially link multiple provider identities. The handlers connect to the upstream OAuth2Provider interface which abstracts the specific identity provider implementation, allowing the authserver to work with different OIDC providers without handler changes.
Large PR Justification
The two handlers provide the oauth flow, reviewing authorize and callback in isolation would I think be just harder even if less code. What could be split was the UserResolver interface and its tests, but that's a small piece of the PR, line-wise.