Support non-OIDC OAuth in thv proxy (#1312)

Author: eleftherias

cmd/thv/app/proxy.go

@@ -60,13 +60,22 @@ Basic transparent proxy:
 
 	thv proxy my-server --target-uri http://localhost:8080
 
-Proxy with OAuth authentication to remote server:
+Proxy with OIDC authentication to remote server:
 
 	thv proxy my-server --target-uri https://api.example.com \
 	  --remote-auth --remote-auth-issuer https://auth.example.com \
 	  --remote-auth-client-id my-client-id \
 	  --remote-auth-client-secret-file /path/to/secret
 
+Proxy with non-OIDC OAuth authentication to remote server:
+
+	thv proxy my-server --target-uri https://api.example.com \
+	  --remote-auth \
+	  --remote-auth-authorize-url https://auth.example.com/oauth/authorize \
+	  --remote-auth-token-url https://auth.example.com/oauth/token \
+	  --remote-auth-client-id my-client-id \
+	  --remote-auth-client-secret-file /path/to/secret
+
 Proxy with OIDC protection for incoming requests:
 
 	thv proxy my-server --target-uri http://localhost:8080 \
@@ -98,6 +107,10 @@ var (
 	remoteAuthTimeout          time.Duration
 	remoteAuthCallbackPort     int
 	enableRemoteAuth           bool
+
+	// Manual OAuth endpoint configuration
+	remoteAuthAuthorizeURL string
+	remoteAuthTokenURL     string
 )
 
 // Default timeout constants
@@ -141,14 +154,18 @@ func init() {
 		"OAuth client secret for remote server authentication (optional for PKCE)")
 	proxyCmd.Flags().StringVar(&remoteAuthClientSecretFile, "remote-auth-client-secret-file", "",
 		"Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)")
-	proxyCmd.Flags().StringSliceVar(&remoteAuthScopes, "remote-auth-scopes",
-		[]string{"openid", "profile", "email"}, "OAuth scopes to request for remote server authentication")
+	proxyCmd.Flags().StringSliceVar(&remoteAuthScopes, "remote-auth-scopes", []string{},
+		"OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')")
 	proxyCmd.Flags().BoolVar(&remoteAuthSkipBrowser, "remote-auth-skip-browser", false,
 		"Skip opening browser for remote server OAuth flow")
 	proxyCmd.Flags().DurationVar(&remoteAuthTimeout, "remote-auth-timeout", 30*time.Second,
 		"Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s)")
 	proxyCmd.Flags().IntVar(&remoteAuthCallbackPort, "remote-auth-callback-port", 8666,
 		"Port for OAuth callback server during remote authentication (default: 8666)")
+	proxyCmd.Flags().StringVar(&remoteAuthAuthorizeURL, "remote-auth-authorize-url", "",
+		"OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)")
+	proxyCmd.Flags().StringVar(&remoteAuthTokenURL, "remote-auth-token-url", "",
+		"OAuth token endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)")
 
 	// Mark target-uri as required
 	if err := proxyCmd.MarkFlagRequired("target-uri"); err != nil {
@@ -383,16 +400,34 @@ func performOAuthFlow(ctx context.Context, issuer, clientID, clientSecret string
 	scopes []string) (*oauth2.TokenSource, *oauth.Config, error) {
 	logger.Info("Starting OAuth authentication flow...")
 
-	// Create OAuth config from OIDC discovery
-	oauthConfig, err := oauth.CreateOAuthConfigFromOIDC(
-		ctx,
-		issuer,
-		clientID,
-		clientSecret,
-		scopes,
-		true, // Enable PKCE by default for security
-		remoteAuthCallbackPort,
-	)
+	var oauthConfig *oauth.Config
+	var err error
+
+	// Check if we have manual OAuth endpoints configured
+	if remoteAuthAuthorizeURL != "" && remoteAuthTokenURL != "" {
+		logger.Info("Using manual OAuth configuration")
+		oauthConfig, err = oauth.CreateOAuthConfigManual(
+			clientID,
+			clientSecret,
+			remoteAuthAuthorizeURL,
+			remoteAuthTokenURL,
+			scopes,
+			true, // Enable PKCE by default for security
+			remoteAuthCallbackPort,
+		)
+	} else {
+		// Fall back to OIDC discovery
+		logger.Info("Using OIDC discovery")
+		oauthConfig, err = oauth.CreateOAuthConfigFromOIDC(
+			ctx,
+			issuer,
+			clientID,
+			clientSecret,
+			scopes,
+			true, // Enable PKCE by default for security
+			remoteAuthCallbackPort,
+		)
+	}
 	if err != nil {
 		return nil, nil, fmt.Errorf("failed to create OAuth config: %w", err)
 	}
@@ -454,14 +489,24 @@ func handleOutgoingAuthentication(ctx context.Context) (*oauth2.TokenSource, *oa
 	}
 
 	if enableRemoteAuth {
-		// If OAuth is explicitly enabled, use provided configuration
-		if remoteAuthIssuer == "" {
-			return nil, nil, fmt.Errorf("remote-auth-issuer is required when remote authentication is enabled")
-		}
+		// If OAuth is explicitly enabled, validate configuration
 		if remoteAuthClientID == "" {
 			return nil, nil, fmt.Errorf("remote-auth-client-id is required when remote authentication is enabled")
 		}
 
+		// Check if we have either OIDC issuer or manual OAuth endpoints
+		hasOIDCConfig := remoteAuthIssuer != ""
+		hasManualConfig := remoteAuthAuthorizeURL != "" && remoteAuthTokenURL != ""
+
+		if !hasOIDCConfig && !hasManualConfig {
+			return nil, nil, fmt.Errorf("either --remote-auth-issuer (for OIDC) or both --remote-auth-authorize-url " +
+				"and --remote-auth-token-url (for OAuth) are required")
+		}
+
+		if hasOIDCConfig && hasManualConfig {
+			return nil, nil, fmt.Errorf("cannot specify both OIDC issuer and manual OAuth endpoints - choose one approach")
+		}
+
 		return performOAuthFlow(ctx, remoteAuthIssuer, remoteAuthClientID, clientSecret, remoteAuthScopes)
 	}
 

docs/cli/thv_proxy.md

@@ -0,0 +1,50 @@
+// Package oauth provides OAuth 2.0 and OIDC authentication functionality.
+package oauth
+
+import (
+	"fmt"
+
+	"github.com/stacklok/toolhive/pkg/networking"
+)
+
+// CreateOAuthConfigManual creates an OAuth config with manually provided endpoints
+func CreateOAuthConfigManual(
+	clientID, clientSecret string,
+	authURL, tokenURL string,
+	scopes []string,
+	usePKCE bool,
+	callbackPort int,
+) (*Config, error) {
+	if clientID == "" {
+		return nil, fmt.Errorf("client ID is required")
+	}
+	if authURL == "" {
+		return nil, fmt.Errorf("authorization URL is required")
+	}
+	if tokenURL == "" {
+		return nil, fmt.Errorf("token URL is required")
+	}
+
+	// Validate URLs
+	if err := networking.ValidateEndpointURL(authURL); err != nil {
+		return nil, fmt.Errorf("invalid authorization URL: %w", err)
+	}
+	if err := networking.ValidateEndpointURL(tokenURL); err != nil {
+		return nil, fmt.Errorf("invalid token URL: %w", err)
+	}
+
+	// Default scopes for regular OAuth (don't assume OIDC scopes)
+	if len(scopes) == 0 {
+		scopes = []string{}
+	}
+
+	return &Config{
+		ClientID:     clientID,
+		ClientSecret: clientSecret,
+		AuthURL:      authURL,
+		TokenURL:     tokenURL,
+		Scopes:       scopes,
+		UsePKCE:      usePKCE,
+		CallbackPort: callbackPort,
+	}, nil
+}