fix ci

Author: taskbot

pkg/vmcp/client/client.go

@@ -17,7 +17,7 @@ import (
 
 	"github.com/stacklok/toolhive/pkg/logger"
 	"github.com/stacklok/toolhive/pkg/vmcp"
-	"github.com/stacklok/toolhive/pkg/vmcp/auth"
+	vmcpauth "github.com/stacklok/toolhive/pkg/vmcp/auth"
 )
 
 const (
@@ -48,7 +48,7 @@ type httpBackendClient struct {
 
 	// registry manages authentication strategies for outgoing requests to backend MCP servers.
 	// Must not be nil - use UnauthenticatedStrategy for no authentication.
-	registry auth.OutgoingAuthRegistry
+	registry vmcpauth.OutgoingAuthRegistry
 }
 
 // NewHTTPBackendClient creates a new HTTP-based backend client.
@@ -59,7 +59,7 @@ type httpBackendClient struct {
 // "unauthenticated" strategy.
 //
 // Returns an error if registry is nil.
-func NewHTTPBackendClient(registry auth.OutgoingAuthRegistry) (vmcp.BackendClient, error) {
+func NewHTTPBackendClient(registry vmcpauth.OutgoingAuthRegistry) (vmcp.BackendClient, error) {
 	if registry == nil {
 		return nil, fmt.Errorf("registry cannot be nil; use UnauthenticatedStrategy for no authentication")
 	}
@@ -79,12 +79,29 @@ func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
 	return f(req)
 }
 
+// contextPropagatingRoundTripper propagates the original request context to HTTP requests.
+// This ensures that identity information from the vMCP handler is available for authentication.
+type contextPropagatingRoundTripper struct {
+	base    http.RoundTripper
+	origCtx context.Context
+}
+
+// RoundTrip implements http.RoundTripper by propagating the original context to the request.
+func (c *contextPropagatingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	// Clone the request with the original context that contains the identity
+	reqWithCtx := req.Clone(c.origCtx)
+	// Copy headers from the original request
+	reqWithCtx.Header = req.Header
+
+	return c.base.RoundTrip(reqWithCtx)
+}
+
 // authRoundTripper is an http.RoundTripper that adds authentication to backend requests.
 // The authentication strategy and metadata are pre-resolved and validated at client creation time,
 // eliminating per-request lookups and validation overhead.
 type authRoundTripper struct {
 	base         http.RoundTripper
-	authStrategy auth.Strategy
+	authStrategy vmcpauth.Strategy
 	authMetadata map[string]any
 	target       *vmcp.BackendTarget
 }
@@ -110,7 +127,7 @@ func (a *authRoundTripper) RoundTrip(req *http.Request) (*http.Response, error)
 // It handles defaulting to "unauthenticated" when no strategy is specified.
 // This method should be called once at client creation time to enable fail-fast
 // behavior for invalid authentication configurations.
-func (h *httpBackendClient) resolveAuthStrategy(target *vmcp.BackendTarget) (auth.Strategy, error) {
+func (h *httpBackendClient) resolveAuthStrategy(target *vmcp.BackendTarget) (vmcpauth.Strategy, error) {
 	strategyName := target.AuthStrategy
 
 	// Default to unauthenticated if not specified
@@ -129,7 +146,7 @@ func (h *httpBackendClient) resolveAuthStrategy(target *vmcp.BackendTarget) (aut
 
 // defaultClientFactory creates mark3labs MCP clients for different transport types.
 func (h *httpBackendClient) defaultClientFactory(ctx context.Context, target *vmcp.BackendTarget) (*client.Client, error) {
-	// Build transport chain: size limit → authentication → HTTP
+	// Build transport chain: size limit → context propagation → authentication → HTTP
 	var baseTransport = http.DefaultTransport
 
 	// Resolve authentication strategy ONCE at client creation time
@@ -153,6 +170,14 @@ func (h *httpBackendClient) defaultClientFactory(ctx context.Context, target *vm
 		target:       target,
 	}
 
+	// Add context propagation layer to ensure identity is available for authentication
+	// This wraps the authentication layer (is called before it in the RoundTripper chain)
+	// to propagate the original context containing identity information to downstream layers
+	baseTransport = &contextPropagatingRoundTripper{
+		base:    baseTransport,
+		origCtx: ctx,
+	}
+
 	// Add size limit layer for DoS protection
 	sizeLimitedTransport := roundTripperFunc(func(req *http.Request) (*http.Response, error) {
 		resp, err := baseTransport.RoundTrip(req)

pkg/vmcp/registry.go

@@ -121,15 +121,14 @@ func BackendToTarget(backend *Backend) *BackendTarget {
 	}
 
 	return &BackendTarget{
-		WorkloadID:         backend.ID,
-		WorkloadName:       backend.Name,
-		BaseURL:            backend.BaseURL,
-		TransportType:      backend.TransportType,
-		AuthStrategy:       backend.AuthStrategy,
-		AuthMetadata:       backend.AuthMetadata,
-		IncomingOIDCConfig: backend.IncomingOIDCConfig,
-		SessionAffinity:    false, // TODO: Add session affinity support in future phases
-		HealthStatus:       backend.HealthStatus,
-		Metadata:           backend.Metadata,
+		WorkloadID:      backend.ID,
+		WorkloadName:    backend.Name,
+		BaseURL:         backend.BaseURL,
+		TransportType:   backend.TransportType,
+		AuthStrategy:    backend.AuthStrategy,
+		AuthMetadata:    backend.AuthMetadata,
+		SessionAffinity: false, // TODO: Add session affinity support in future phases
+		HealthStatus:    backend.HealthStatus,
+		Metadata:        backend.Metadata,
 	}
 }

pkg/vmcp/types.go

@@ -54,19 +54,6 @@ type BackendTarget struct {
 	// This is opaque to the router and interpreted by the authenticator.
 	AuthMetadata map[string]any
 
-	// IncomingOIDCConfig contains the backend's OIDC authentication requirements.
-	//
-	// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP)
-	// must present OIDC tokens to access that backend.
-	//
-	// Discovery Mode: When vMCP's outgoing auth mode is "discovered", vMCP will use the
-	// authentication configuration defined in the backend MCPServer. This field stores the
-	// discovered OIDC config from the backend's OIDCConfig spec, which vMCP uses to
-	// authenticate when accessing OIDC-protected backends.
-	//
-	// See pkg/vmcp/workloads/k8s.go:discoverIncomingOIDCConfig for discovery implementation.
-	IncomingOIDCConfig map[string]interface{}
-
 	// SessionAffinity indicates if requests from the same session
 	// must be routed to this specific backend instance.
 	SessionAffinity bool
@@ -147,19 +134,6 @@ type Backend struct {
 	// AuthMetadata contains strategy-specific auth configuration.
 	AuthMetadata map[string]any
 
-	// IncomingOIDCConfig contains the backend's OIDC authentication requirements.
-	//
-	// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP)
-	// must present OIDC tokens to access that backend.
-	//
-	// Discovery Mode: When vMCP's outgoing auth mode is "discovered", vMCP will use the
-	// authentication configuration defined in the backend MCPServer. This field stores the
-	// discovered OIDC config from the backend's OIDCConfig spec, which vMCP uses to
-	// authenticate when accessing OIDC-protected backends.
-	//
-	// See pkg/vmcp/workloads/k8s.go:discoverIncomingOIDCConfig for discovery implementation.
-	IncomingOIDCConfig map[string]interface{}
-
 	// Metadata stores additional backend information.
 	Metadata map[string]string
 }

pkg/vmcp/workloads/k8s.go

@@ -5,10 +5,8 @@ import (
 	"fmt"
 	"strings"
 
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -200,12 +198,6 @@ func (d *k8sDiscoverer) mcpServerToBackend(ctx context.Context, mcpServer *mcpv1
 		return nil
 	}
 
-	// Discover and populate incoming OIDC configuration from MCPServer
-	if err := d.discoverIncomingOIDCConfig(ctx, mcpServer, backend); err != nil {
-		logger.Errorf("Failed to discover incoming OIDC config for MCPServer %s: %v", mcpServer.Name, err)
-		return nil
-	}
-
 	return backend
 }
 
@@ -242,97 +234,6 @@ func (d *k8sDiscoverer) discoverAuthConfig(ctx context.Context, mcpServer *mcpv1
 	return nil
 }
 
-// discoverIncomingOIDCConfig discovers and stores the backend's OIDC authentication requirements.
-//
-// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP) must present
-// OIDC tokens to access that backend. This method discovers the backend's OIDC configuration and
-// stores it in backend.IncomingOIDCConfig.
-//
-// Authentication Flow:
-//   - When vMCP's outgoing auth mode is "discovered", vMCP will use the authentication configuration
-//     defined in the backend MCPServer (via ExternalAuthConfigRef for token exchange/header injection,
-//     or via OIDCConfig for OIDC-protected backends)
-//   - The discovered OIDC config is stored in Backend.IncomingOIDCConfig (see pkg/vmcp/types.go)
-//   - This config is used by vMCP to authenticate to backends that require OIDC tokens
-//
-// Return behavior:
-//   - Returns nil error if OIDCConfig is nil (no OIDC required) - this is expected behavior
-//   - Returns nil error if OIDC config is discovered and successfully populated into backend
-//   - Returns error if OIDC config exists but discovery/resolution fails (e.g., secret not found)
-func (d *k8sDiscoverer) discoverIncomingOIDCConfig(
-	ctx context.Context, mcpServer *mcpv1alpha1.MCPServer, backend *vmcp.Backend,
-) error {
-	// If no OIDC config, nothing to discover
-	if mcpServer.Spec.OIDCConfig == nil {
-		logger.Debugf("MCPServer %s has no OIDCConfig, no incoming auth required", mcpServer.Name)
-		return nil
-	}
-
-	oidcConfig := mcpServer.Spec.OIDCConfig
-
-	// Convert OIDC config to map for storage in backend
-	config := make(map[string]interface{})
-
-	// Handle inline OIDC configuration
-	if oidcConfig.Type == "inline" && oidcConfig.Inline != nil {
-		inline := oidcConfig.Inline
-		config["issuer"] = inline.Issuer
-
-		if inline.Audience != "" {
-			config["audience"] = inline.Audience
-		}
-
-		if inline.ClientID != "" {
-			config["client_id"] = inline.ClientID
-		}
-
-		// Resolve client secret from secret reference if present
-		if inline.ClientSecretRef != nil {
-			secret := &corev1.Secret{}
-			secretKey := types.NamespacedName{
-				Name:      inline.ClientSecretRef.Name,
-				Namespace: mcpServer.Namespace,
-			}
-
-			if err := d.k8sClient.Get(ctx, secretKey, secret); err != nil {
-				return fmt.Errorf("failed to get secret %s/%s: %w",
-					mcpServer.Namespace, inline.ClientSecretRef.Name, err)
-			}
-
-			secretValue, ok := secret.Data[inline.ClientSecretRef.Key]
-			if !ok {
-				return fmt.Errorf("secret %s/%s does not contain key %s",
-					mcpServer.Namespace, inline.ClientSecretRef.Name, inline.ClientSecretRef.Key)
-			}
-
-			config["client_secret"] = string(secretValue)
-		} else if inline.ClientSecret != "" {
-			// Use direct client secret if provided (not recommended but supported)
-			config["client_secret"] = inline.ClientSecret
-		}
-
-		if inline.JWKSURL != "" {
-			config["jwks_url"] = inline.JWKSURL
-		}
-
-		if inline.IntrospectionURL != "" {
-			config["introspection_url"] = inline.IntrospectionURL
-		}
-
-		// Add security flags
-		config["insecure_allow_http"] = inline.InsecureAllowHTTP
-		config["jwks_allow_private_ip"] = inline.JWKSAllowPrivateIP
-		config["protected_resource_allow_private_ip"] = inline.ProtectedResourceAllowPrivateIP
-	}
-
-	// Store the discovered OIDC config
-	backend.IncomingOIDCConfig = config
-
-	logger.Infof("✓ Discovered incoming OIDC config for MCPServer %s: issuer=%s, client_id=%s",
-		mcpServer.Name, config["issuer"], config["client_id"])
-	return nil
-}
-
 // mapK8SWorkloadPhaseToHealth converts a MCPServerPhase to a backend health status.
 func mapK8SWorkloadPhaseToHealth(phase mcpv1alpha1.MCPServerPhase) vmcp.BackendHealthStatus {
 	switch phase {