@tgrunnagle tgrunnagle commented Jan 30, 2026

This PR introduces the EmbeddedAuthServer wrapper in pkg/authserver/runner/ that bridges serializable configuration with the authorization server runtime. The wrapper:

  • Transforms authserver.RunConfig (file paths, env var names) to authserver.Config (resolved values) at runtime
  • Loads signing keys from PEM files with fallback support for key rotation
  • Reads HMAC secrets from files for signing authorization codes and refresh tokens
  • Resolves upstream client secrets from files or environment variables
  • Performs OIDC discovery to automatically populate authorization/token endpoints
  • Supports both OIDC and pure OAuth2 upstream provider types

Why

This is the final step of the Embedded Authorization Server feature (stacklok-epics#230). It enables MCP servers running in Kubernetes to:

  1. Run an embedded OAuth2/OIDC authorization server that authenticates users via upstream identity providers (Okta, Auth0, GitHub, etc.)

  2. Handle secrets securely by keeping them out of serialized configuration - the RunConfig contains only file paths and environment variable names that are resolved at runtime from mounted Kubernetes Secrets

  3. Support the complete MCP authentication flow where the embedded server issues tokens that downstream MCP clients use to access the MCP server's resources

Related

Large PR Justification

Implements single component with tests. Tests are 2/3rds of the added lines.

@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label Jan 30, 2026

@github-actions github-actions bot left a comment


Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.


This review will be automatically dismissed once you add the justification section.

@tgrunnagle tgrunnagle changed the base branch from main to auth-server_issue-229_2026-01-28 January 30, 2026 22:06
codecov bot commented Jan 30, 2026

Codecov Report

❌ Patch coverage is 88.30409% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.57%. Comparing base (f9bcd74) to head (a15d25b).

Files with missing lines                       Patch %   Lines
pkg/authserver/runner/embeddedauthserver.go    88.30%    12 Missing and 8 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3540      +/-   ##
==========================================
+ Coverage   65.45%   65.57%   +0.11%     
==========================================
  Files         404      405       +1     
  Lines       39498    39669     +171     
==========================================
+ Hits        25852    26011     +159     
- Misses      11649    11655       +6     
- Partials     1997     2003       +6     


Base automatically changed from auth-server_issue-229_2026-01-28 to main January 30, 2026 22:17
Introduce EmbeddedAuthServer wrapper in pkg/authserver/runner that
integrates the authorization server with the proxy runner. The wrapper:

- Transforms authserver.RunConfig to authserver.Config at runtime
- Loads signing keys from files (EC/RSA PEM) with fallback support
- Reads HMAC secrets from files with rotation support
- Resolves upstream client secrets from files or environment variables
- Performs OIDC discovery to populate authorization/token endpoints
- Supports both OIDC and pure OAuth2 upstream provider types
- Provides HTTP handler for OAuth/OIDC endpoints

Includes comprehensive unit tests covering key provider creation,
HMAC secret loading, token lifespan parsing, secret resolution,
config conversions, and OIDC discovery with mock servers.
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-230_2026-01-30 branch from d02114e to a15d25b Compare January 30, 2026 22:18
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Jan 30, 2026