properly set token exchange

taskbot · taskbot · commit bb4421a6cf39 · 2025-11-13T09:42:18.000+01:00
diff --git a/cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go b/cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go
@@ -53,9 +53,12 @@ type TokenExchangeConfig struct {
 	Scopes []string `json:"scopes,omitempty"`
 
 	// SubjectTokenType is the type of the incoming subject token.
-	// Valid values: "urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:access_token", "urn:ietf:params:oauth:token-type:id_token"
-	// If not specified, defaults to "urn:ietf:params:oauth:token-type:access_token"
-	// For OIDC/JWT tokens (like Okta), use "urn:ietf:params:oauth:token-type:jwt"
+	// Accepts short forms: "access_token" (default), "id_token", "jwt"
+	// Or full URNs: "urn:ietf:params:oauth:token-type:access_token",
+	//               "urn:ietf:params:oauth:token-type:id_token",
+	//               "urn:ietf:params:oauth:token-type:jwt"
+	// For Google Workload Identity Federation with OIDC providers (like Okta), use "id_token"
+	// +kubebuilder:validation:Pattern=`^(access_token|id_token|jwt|urn:ietf:params:oauth:token-type:(access_token|id_token|jwt))?$`
 	// +optional
 	SubjectTokenType string `json:"subjectTokenType,omitempty"`
 
diff --git a/cmd/thv-operator/pkg/controllerutil/tokenexchange.go b/cmd/thv-operator/pkg/controllerutil/tokenexchange.go
@@ -143,6 +143,12 @@ func AddExternalAuthConfigOptions(
 		headerStrategy = "custom"
 	}
 
+	// Normalize SubjectTokenType to full URN (accepts both short forms and full URNs)
+	normalizedTokenType, err := tokenexchange.NormalizeTokenType(tokenExchangeSpec.SubjectTokenType)
+	if err != nil {
+		return fmt.Errorf("invalid subject token type: %w", err)
+	}
+
 	// Build token exchange configuration
 	// Client secret is provided via TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET environment variable
 	// to avoid embedding plaintext secrets in the ConfigMap
@@ -151,7 +157,7 @@ func AddExternalAuthConfigOptions(
 		ClientID:                tokenExchangeSpec.ClientID,
 		Audience:                tokenExchangeSpec.Audience,
 		Scopes:                  tokenExchangeSpec.Scopes,
-		SubjectTokenType:        tokenExchangeSpec.SubjectTokenType,
+		SubjectTokenType:        normalizedTokenType,
 		HeaderStrategy:          headerStrategy,
 		ExternalTokenHeaderName: tokenExchangeSpec.ExternalTokenHeaderName,
 	}
diff --git a/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml b/deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml
@@ -100,9 +100,12 @@ spec:
                   subjectTokenType:
                     description: |-
                       SubjectTokenType is the type of the incoming subject token.
-                      Valid values: "urn:ietf:params:oauth:token-type:jwt", "urn:ietf:params:oauth:token-type:access_token", "urn:ietf:params:oauth:token-type:id_token"
-                      If not specified, defaults to "urn:ietf:params:oauth:token-type:access_token"
-                      For OIDC/JWT tokens (like Okta), use "urn:ietf:params:oauth:token-type:jwt"
+                      Accepts short forms: "access_token" (default), "id_token", "jwt"
+                      Or full URNs: "urn:ietf:params:oauth:token-type:access_token",
+                                    "urn:ietf:params:oauth:token-type:id_token",
+                                    "urn:ietf:params:oauth:token-type:jwt"
+                      For Google Workload Identity Federation with OIDC providers (like Okta), use "id_token"
+                    pattern: ^(access_token|id_token|jwt|urn:ietf:params:oauth:token-type:(access_token|id_token|jwt))?$
                     type: string
                   tokenUrl:
                     description: TokenURL is the OAuth 2.0 token endpoint URL for
diff --git a/pkg/auth/tokenexchange/exchange.go b/pkg/auth/tokenexchange/exchange.go
@@ -243,19 +243,14 @@ func (c *ExchangeConfig) Validate() error {
 	// don't require client credentials and rely on the trust relationship
 	// configured in the identity provider (e.g., Workload Identity Federation)
 
-	// Validate SubjectTokenType if provided
+	// Validate and normalize SubjectTokenType if provided
 	if c.SubjectTokenType != "" {
-		validTypes := []string{tokenTypeAccessToken, tokenTypeIDToken, tokenTypeJWT}
-		isValid := false
-		for _, validType := range validTypes {
-			if c.SubjectTokenType == validType {
-				isValid = true
-				break
-			}
-		}
-		if !isValid {
-			return fmt.Errorf("invalid SubjectTokenType %q: must be one of %v", c.SubjectTokenType, validTypes)
+		normalized, err := NormalizeTokenType(c.SubjectTokenType)
+		if err != nil {
+			return fmt.Errorf("invalid SubjectTokenType: %w", err)
 		}
+		// Update the config with the normalized value
+		c.SubjectTokenType = normalized
 	}
 
 	// Validate URL format
diff --git a/pkg/auth/tokenexchange/middleware.go b/pkg/auth/tokenexchange/middleware.go
@@ -345,6 +345,9 @@ func createTokenExchangeMiddleware(
 				return
 			}
 
+			// Token exchange succeeded
+			logger.Debug("Token exchange successful")
+
 			// Inject the exchanged token into the request using the pre-selected strategy
 			if err := injectToken(r, exchangedToken.AccessToken); err != nil {
 				logger.Warnf("Failed to inject token: %v", err)

Original file line number	Diff line number	Diff line change
`@@ -345,6 +345,9 @@ func createTokenExchangeMiddleware(`
`345`	`345`	`return`
`346`	`346`	`}`
`347`	`347`
	`348`	`+ // Token exchange succeeded`
	`349`	`+ logger.Debug("Token exchange successful")`
	`350`	`+`
`348`	`351`	`// Inject the exchanged token into the request using the pre-selected strategy`
`349`	`352`	`if err := injectToken(r, exchangedToken.AccessToken); err != nil {`
`350`	`353`	`logger.Warnf("Failed to inject token: %v", err)`