auth/oidc: support slice-typed extra claims via overlap match #1238
Merged
rdimitrov merged 1 commit into modelcontextprotocol:main from May 4, 2026
Closes modelcontextprotocol#988. Direct equality fails when token claim is an array; do an any-of overlap instead.
rdimitrov added a commit that referenced this pull request May 4, 2026
Drops the heavyweight ExchangeToken-based test cases added in earlier commits on this branch. The actual change in #1238 is the claimMatches helper, which is much simpler to cover with direct unit tests. Reverts the existing oidc_test.go to its main-branch state and adds a new oidc_internal_test.go (package auth) with table-driven cases for scalar/array/[]string combinations.
rdimitrov added a commit that referenced this pull request May 4, 2026
## Summary

Follow-up to #1238 (closes #988). Adds direct unit-test coverage for the `claimMatches` helper, which was the actual change in #1238.

`claimMatches` and `toAnySlice` are unexported, so the tests live in `oidc_internal_test.go` (`package auth`) — same pattern as `http_internal_test.go`.

Cases covered:

- scalar/scalar match and mismatch
- scalar actual against array expected (both directions of overlap)
- array actual against scalar expected
- **array/array** — pre-#1238 this combination panicked with `comparing uncomparable type []interface {}`
- `[]string` typed slice (exercises the typed-slice branch of `toAnySlice`, which `[]any` skips)
- non-string scalars (int, bool)
- empty actual array

Test values use single letters (`x`, `y`, `p`, `q`) rather than role labels — only the relationships matter, and short tokens keep `goconst` quiet.

## Test plan

- [x] `go test ./internal/api/handlers/v0/auth/...` — all 13 subtests pass
- [x] `golangci-lint run ./internal/api/handlers/v0/auth/...` — no new issues vs main
Closes #988. Direct `actualValue != expectedValue` fails when the token claim is an array (groups, roles, scp, aud). Switch to a slice-aware any-of overlap so OIDC list claims are validated correctly.
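The any-of overlap described above, as an added Go example that is not the code from this pull request: `claimMatches` and `toAnySlice` are the helper names mentioned on the page, but their signatures and bodies here are assumptions, and `directEqual` is a hypothetical stand-in for the old direct comparison. It shows the array/array panic next to the slice-aware match, including the empty-array case.

```go
package main

import (
	"fmt"
	"reflect"
)

// toAnySlice (assumed shape) normalizes a claim to []any; scalars become one element.
func toAnySlice(v any) []any {
	if s, ok := v.([]any); ok {
		return s
	}
	rv := reflect.ValueOf(v)
	if rv.IsValid() && (rv.Kind() == reflect.Slice || rv.Kind() == reflect.Array) {
		out := make([]any, rv.Len()) // typed slices such as []string land here
		for i := range out {
			out[i] = rv.Index(i).Interface()
		}
		return out
	}
	return []any{v}
}

// claimMatches (assumed shape) is true when actual and expected share a value.
func claimMatches(actual, expected any) bool {
	for _, a := range toAnySlice(actual) {
		for _, e := range toAnySlice(expected) {
			// DeepEqual is type-sensitive and never panics on uncomparable values.
			if reflect.DeepEqual(a, e) {
				return true
			}
		}
	}
	return false
}

// directEqual (hypothetical) is the old comparison, with the panic reported.
func directEqual(actual, expected any) (equal, panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	return actual == expected, false
}

func main() {
	groups := []any{"x", "y"} // constructed: shape of a JSON-decoded list claim
	_, panicked := directEqual(groups, []any{"y"})
	fmt.Println(panicked, claimMatches(groups, []any{"y"}), claimMatches(groups, "q"))
}
```

Any-of semantics mean a single shared value is enough to satisfy the check, and an empty token array never matches.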