fix(deps): update module github.com/giantswarm/mcp-oauth to v0.2.137 #667
Merged: renovate[bot] merged 5 commits into the base branch on May 18, 2026
Conversation
73ddf52 to 9141e22
9141e22 to fd66ad4
This was referenced May 13, 2026
CI consistently fails the 12 SSO scenarios that use the mock IdP as muster's upstream OAuth server (use_as_muster_oauth_server: true) since the v0.2.135 bump, but the non-verbose runner output only emits "💥" without the muster subprocess stderr / per-step expectations needed to diagnose. Running with --verbose dumps STDERR and instance logs for failed scenarios, which is what we need to find the actual rejection (likely candidate: new RequireNonceEcho default in v0.2.135). This is diagnostic-only; once the root cause is found and fixed we can decide whether to keep --verbose on permanently.
Edited/Blocked Notification: Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request a rebase by checking the rebase/retry box above.
mcp-oauth v0.2.137 enforces upstream id_token nonce echo (RequireNonceEcho defaults to true) and structurally requires three non-empty JWT segments in providers/oidc.ParseUnverifiedClaims. The mock IdP previously dropped the request nonce and issued alg:none tokens with an empty signature segment, causing every OAuth SSO behavioral scenario to fail with upstream callback HTTP 500 (audit reason id_token_parse_failed). Capture the nonce on /authorize and on GenerateAuthCode/WithSubject, echo it in the id_token claims for the authorization_code grant only (refresh and RFC 8693 exchange remain nonce-less per OIDC), and append a constant placeholder signature segment so structural parsing accepts the token. The tokens stay unsigned; signature trust is unchanged.
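The two rules the description above attributes to v0.2.137, modelled in Go as an added example (this is not muster's mock IdP nor mcp-oauth's own code): a structural three-segment check in the spirit of ParseUnverifiedClaims, a RequireNonceEcho-style comparison on the relying-party side, and a toy minter that shows the pre-fix token (nonce dropped, empty signature segment) being rejected while the fixed token (nonce echoed on authorization_code only, constant placeholder third segment) is accepted. The function names, the `authRequest` struct, the issuer URL, the audience and the placeholder value `unsigned` are assumptions for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Added example, not muster's mock IdP or mcp-oauth's own code. It models
// the two rules described in the PR: an id_token must have three non-empty
// JWT segments, and the nonce sent on /authorize must be echoed back on the
// authorization_code grant (and only there).

// authRequest stands in for the per-/authorize state the mock IdP keeps,
// including the nonce it previously dropped (hypothetical struct).
type authRequest struct {
	Subject string
	Nonce   string // nonce query parameter from /authorize, "" if none
}

// placeholderSig is a constant, non-empty third segment. The value is an
// assumption; it carries no signature and must never be trusted.
const placeholderSig = "unsigned"

func encodeSegment(v any) string {
	b, _ := json.Marshal(v) // maps of strings cannot fail to marshal
	return base64.RawURLEncoding.EncodeToString(b)
}

func idTokenClaims(req authRequest, grant string) map[string]string {
	claims := map[string]string{
		"iss": "https://mock-idp.example", // assumed issuer
		"sub": req.Subject,
		"aud": "muster", // assumed audience
	}
	// Refresh and RFC 8693 exchange issue tokens without a request nonce.
	if grant == "authorization_code" && req.Nonce != "" {
		claims["nonce"] = req.Nonce
	}
	return claims
}

// mintIDToken is the fixed mock behaviour: an alg:none token whose signature
// segment is the constant placeholder, so structural parsing accepts it.
func mintIDToken(req authRequest, grant string) string {
	header := map[string]string{"alg": "none", "typ": "JWT"}
	return encodeSegment(header) + "." + encodeSegment(idTokenClaims(req, grant)) + "." + placeholderSig
}

// mintLegacyIDToken reproduces the pre-fix mock behaviour: nonce dropped,
// empty signature segment. Kept only to show the rejection.
func mintLegacyIDToken(req authRequest) string {
	header := map[string]string{"alg": "none", "typ": "JWT"}
	claims := map[string]string{"iss": "https://mock-idp.example", "sub": req.Subject, "aud": "muster"}
	return encodeSegment(header) + "." + encodeSegment(claims) + "."
}

// parseUnverifiedClaims mirrors the structural check: exactly three
// non-empty segments and a base64url JSON payload. Nothing is verified.
func parseUnverifiedClaims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("id_token_parse_failed: want 3 segments, got %d", len(parts))
	}
	for i, s := range parts {
		if s == "" {
			return nil, fmt.Errorf("id_token_parse_failed: segment %d is empty", i)
		}
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("id_token_parse_failed: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, fmt.Errorf("id_token_parse_failed: %w", err)
	}
	return claims, nil
}

// checkNonceEcho is the RequireNonceEcho rule as the PR describes it: if the
// relying party sent a nonce, the id_token must carry exactly that nonce.
func checkNonceEcho(claims map[string]any, sent string) error {
	if sent == "" {
		return nil
	}
	if got, _ := claims["nonce"].(string); got != sent {
		return errors.New("nonce missing or does not match request")
	}
	return nil
}

func main() {
	req := authRequest{Subject: "alice", Nonce: "n-7f3a"} // constructed input
	for _, tok := range []string{mintLegacyIDToken(req), mintIDToken(req, "authorization_code")} {
		claims, err := parseUnverifiedClaims(tok)
		if err == nil {
			err = checkNonceEcho(claims, req.Nonce)
		}
		fmt.Println(err) // legacy token: parse error; fixed token: <nil>
	}
}
```

The placeholder segment only gets the token past the segment-count check; a real relying party still has to verify the signature against the provider's keys, and nothing here changes that (the PR's "signature trust is unchanged" holds for this example too).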
QuentinBisson approved these changes on May 18, 2026
This PR contains the following updates:
v0.2.126 → v0.2.137

Release Notes

giantswarm/mcp-oauth (github.com/giantswarm/mcp-oauth)

v0.2.137 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.136...v0.2.137

v0.2.136 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.135...v0.2.136

v0.2.135 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.134...v0.2.135

v0.2.134 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.133...v0.2.134

v0.2.133 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.132...v0.2.133

v0.2.132 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.131...v0.2.132

v0.2.131 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.130...v0.2.131

v0.2.130 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.129...v0.2.130

v0.2.129 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.128...v0.2.129

v0.2.128 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.127...v0.2.128

v0.2.127 (Compare Source)
What's Changed
Full Changelog: giantswarm/mcp-oauth@v0.2.126...v0.2.127
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.