Conversation

@tgrunnagle
Contributor

Depends on #3540

What

This PR integrates the embedded authorization server with the pkg/runner/ package, enabling MCP servers to have their own OAuth2/OIDC authorization server when EmbeddedAuthServerConfig is configured.

Key changes:

  • Add EmbeddedAuthServerConfig field to RunConfig for serializable auth server configuration
  • Initialize and start the embedded auth server during Runner.Run() when configured
  • Mount auth server routes at dedicated prefixes to avoid conflicts with MCP endpoints
  • Clean up the embedded auth server during Runner.Cleanup()

Why

This completes the Runner side of the Embedded Authorization Server feature (stacklok-epics#230). The integration allows:

  1. Per-server authorization - Each MCP server can optionally run its own embedded authorization server that delegates authentication to upstream identity providers (Okta, Auth0, GitHub, etc.)

  2. Clean endpoint separation - Auth server routes are mounted at specific prefixes (/oauth/, /.well-known/oauth-authorization-server, etc.) to avoid conflicts with MCP protocol endpoints like /.well-known/oauth-protected-resource

  3. Proper lifecycle management - The embedded auth server is initialized during runner startup and cleaned up during shutdown, ensuring resources are properly released

Related

@github-actions github-actions bot added the size/S Small PR: 100-299 lines changed label Jan 30, 2026
@codecov

codecov bot commented Jan 30, 2026

Codecov Report

❌ Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.46%. Comparing base (a82c591) to head (3563c30).
⚠️ Report is 1 commit behind head on main.

Files with missing lines   Patch %   Lines
pkg/runner/runner.go       5.88%     14 Missing and 2 partials ⚠️
@@            Coverage Diff             @@
##             main    #3541      +/-   ##
==========================================
- Coverage   65.53%   65.46%   -0.08%     
==========================================
  Files         405      405              
  Lines       39678    39695      +17     
==========================================
- Hits        26004    25986      -18     
- Misses      11672    11705      +33     
- Partials     2002     2004       +2     

@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230_2026-01-30 branch from d02114e to a15d25b on January 30, 2026 22:18
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230b_2026-01-30 branch from d5ff7fb to c539d7d on January 30, 2026 22:20
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Jan 30, 2026
jhrozek
jhrozek previously approved these changes Feb 2, 2026
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230_2026-01-30 branch 2 times, most recently from f7f655d to 8f5eccb on February 2, 2026 16:44
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230b_2026-01-30 branch from e27e2e4 to 351e469 on February 2, 2026 16:45
@github-actions github-actions bot added size/S Small PR: 100-299 lines changed and removed size/S Small PR: 100-299 lines changed labels Feb 2, 2026
Base automatically changed from auth-server_issue-230_2026-01-30 to main February 2, 2026 17:14
@tgrunnagle tgrunnagle dismissed jhrozek’s stale review February 2, 2026 17:14

The base branch was changed.

Add embedded OAuth/OIDC authorization server support to the Runner,
enabling MCP servers to have their own authorization server when
EmbeddedAuthServerConfig is configured.

Changes:
- Add embeddedAuthServer field to Runner struct
- Initialize embedded auth server during Run() when configured
- Mount auth server routes at specific prefixes to avoid conflicts
  with MCP endpoints (/.well-known/oauth-protected-resource is MCP)
- Close embedded auth server during Cleanup()
- Add comprehensive integration tests for handler mounting, endpoint
  responses, and cleanup behavior

The auth server routes are mounted at:
- /oauth/ (authorize, callback, token, register)
- /.well-known/oauth-authorization-server (RFC 8414)
- /.well-known/openid-configuration (OIDC Discovery)
- /.well-known/jwks.json (JSON Web Key Set)
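The route layout the PR description above sketches and the commit message lists (the /oauth/ subtree plus three exact .well-known documents, kept apart from the MCP-owned /.well-known/oauth-protected-resource, started in Run() and closed in Cleanup()) can be checked end to end with a small Go program. The following is an added example, not code from the toolhive repository or from this PR: it assumes a plain net/http ServeMux rather than whatever router pkg/runner actually uses, and embeddedAuthServer, Runner, the X-Served-By marker header and the issuer URL https://mcp.example.test are all hypothetical stand-ins constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Route prefixes from the PR description and commit message; the protected-resource
// document is the MCP-owned path the auth server must not capture.
const (
	oauthPrefix        = "/oauth/"
	authServerMetadata = "/.well-known/oauth-authorization-server"
	oidcDiscovery      = "/.well-known/openid-configuration"
	jwksPath           = "/.well-known/jwks.json"
	protectedResource  = "/.well-known/oauth-protected-resource"
)

// embeddedAuthServer is a hypothetical stand-in for the embedded OAuth2/OIDC server.
type embeddedAuthServer struct {
	issuer string
	closed bool
}

// Close releases the server; it is idempotent, so a repeated Cleanup() is harmless.
func (s *embeddedAuthServer) Close() error {
	s.closed = true
	return nil
}

// serve tags each response with the component that answered and refuses once closed.
func (s *embeddedAuthServer) serve(body map[string]any) http.HandlerFunc {
	return func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("X-Served-By", "auth-server")
		if s.closed {
			http.Error(w, "authorization server stopped", http.StatusServiceUnavailable)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(body)
	}
}

// mount registers the auth routes as exact paths plus one "/oauth/" subtree. Nothing is
// registered for the "/.well-known/" subtree, so the MCP document keeps its own handler.
func (s *embeddedAuthServer) mount(mux *http.ServeMux) {
	meta := map[string]any{"issuer": s.issuer, "jwks_uri": s.issuer + jwksPath}
	mux.Handle(oauthPrefix, s.serve(map[string]any{"note": "authorize, callback, token, register"}))
	mux.Handle(authServerMetadata, s.serve(meta))
	mux.Handle(oidcDiscovery, s.serve(meta))
	mux.Handle(jwksPath, s.serve(map[string]any{"keys": []any{}}))
}

// Runner is a hypothetical stand-in for pkg/runner.Runner.
type Runner struct {
	mux        *http.ServeMux
	authServer *embeddedAuthServer // nil when no EmbeddedAuthServerConfig is set
}

// NewRunner mounts the MCP endpoint and, when an issuer is configured, the auth server.
func NewRunner(issuer string) *Runner {
	r := &Runner{mux: http.NewServeMux()}
	r.mux.HandleFunc(protectedResource, func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("X-Served-By", "mcp")
	})
	if issuer != "" {
		r.authServer = &embeddedAuthServer{issuer: issuer}
		r.authServer.mount(r.mux)
	}
	return r
}

// Cleanup mirrors Runner.Cleanup(): close the auth server only if one was started.
func (r *Runner) Cleanup() error {
	if r.authServer == nil {
		return nil
	}
	return r.authServer.Close()
}

// ServedBy issues an in-memory GET and reports who answered ("" and 404 if nobody).
func (r *Runner) ServedBy(path string) (string, int) {
	rec := httptest.NewRecorder()
	r.mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Header().Get("X-Served-By"), rec.Code
}

func main() {
	r := NewRunner("https://mcp.example.test")
	for _, p := range []string{protectedResource, authServerMetadata, oidcDiscovery, jwksPath, "/oauth/token"} {
		who, code := r.ServedBy(p)
		fmt.Printf("%-42s -> %-13q %d\n", p, who, code)
	}
	_ = r.Cleanup()
	who, code := r.ServedBy(jwksPath)
	fmt.Printf("after Cleanup: %s -> %q %d\n", jwksPath, who, code)
}
```

The point worth carrying over to a real integration test is the negative case: register the metadata documents as exact paths, never as a "/.well-known/" catch-all, and assert that /.well-known/oauth-protected-resource is still answered by the MCP side both before and after the auth server has been closed.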
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230b_2026-01-30 branch from 351e469 to 3563c30 on February 2, 2026 17:16
@github-actions github-actions bot removed the size/S Small PR: 100-299 lines changed label Feb 2, 2026
@github-actions github-actions bot added the size/S Small PR: 100-299 lines changed label Feb 2, 2026
@tgrunnagle tgrunnagle merged commit 16ecb82 into main Feb 2, 2026
36 checks passed
@tgrunnagle tgrunnagle deleted the auth-server_issue-230b_2026-01-30 branch February 2, 2026 20:38