From 62c8dc10afeaaab7d5fd870993fd50a53fb95312 Mon Sep 17 00:00:00 2001 
From: Jakub Hrozek Date: Thu, 23 Apr 2026 14:38:53 +0100 Subject: [PATCH] Move tokenexchange under pkg/oauthproto Relocate pkg/auth/tokenexchange to pkg/oauthproto/tokenexchange so the RFC 8693 Token Exchange grant sits next to the shared grant-helper primitives (pkg/oauthproto/grants.go, pkg/oauthproto/oauthtest) and the upcoming RFC 7523 JWT Bearer grant. With the refactor complete, pkg/oauthproto is the single home for OAuth 2.0 grant machinery in this repo; having one grant under pkg/auth and another under pkg/oauthproto would have been confusing. Pure rename. All source files move intact; every import path updated from github.com/stacklok/toolhive/pkg/auth/tokenexchange to github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange. Also updated stale doc and agent references to the old path in docs/middleware.md, docs/operator/crd-api.md, and .claude/agents/oauth-expert.md. Regenerated docs/server/ swagger so the schema component key reflects the new import path. The wire format of tokenexchange.Config is unchanged; only the OpenAPI $ref key (a swaggo artifact derived from the Go import path) differs. task test and task lint-fix are clean. 
---
 .claude/agents/oauth-expert.md | 2 +-
 .../v1beta1/mcpexternalauthconfig_types.go | 2 +-
 .../pkg/controllerutil/tokenexchange.go | 2 +-
 cmd/thv/app/auth_flags.go | 2 +-
 cmd/thv/app/proxy.go | 2 +-
 docs/middleware.md | 2 +-
 docs/operator/crd-api.md | 2 +-
 docs/server/docs.go | 86 +++++++++----------
 docs/server/swagger.json | 86 +++++++++----------
 docs/server/swagger.yaml | 78 ++++++++---------
 pkg/oauthproto/grants.go | 2 +-
 .../tokenexchange/exchange.go | 0
 .../tokenexchange/exchange_test.go | 0
 .../tokenexchange/middleware.go | 0
 .../tokenexchange/middleware_test.go | 0
 pkg/runner/config.go | 2 +-
 pkg/runner/config_builder.go | 2 +-
 pkg/runner/config_builder_test.go | 2 +-
 pkg/runner/middleware.go | 2 +-
 pkg/transport/http.go | 2 +-
 pkg/transport/http_test.go | 2 +-
 pkg/vmcp/auth/strategies/tokenexchange.go | 2 +-
 22 files changed, 140 insertions(+), 140 deletions(-)
 rename pkg/{auth => oauthproto}/tokenexchange/exchange.go (100%)
 rename pkg/{auth => oauthproto}/tokenexchange/exchange_test.go (100%)
 rename pkg/{auth => oauthproto}/tokenexchange/middleware.go (100%)
 rename pkg/{auth => oauthproto}/tokenexchange/middleware_test.go (100%)
diff --git a/.claude/agents/oauth-expert.md b/.claude/agents/oauth-expert.md
index 9d8cc047b0..08bc5e1692 100644
--- a/.claude/agents/oauth-expert.md
+++ b/.claude/agents/oauth-expert.md
@@ -46,7 +46,7 @@ Before providing guidance on OAuth/OIDC details, use WebFetch to verify RFC or s
 - `pkg/auth/token.go`: JWT parsing, validation, claims extraction
 - `pkg/auth/middleware.go`: HTTP authentication middleware
 - `pkg/auth/oauth/`: OAuth 2.0 and OIDC client implementations
-- `pkg/auth/tokenexchange/`: RFC 8693 token exchange
+- `pkg/oauthproto/tokenexchange/`: RFC 8693 token exchange
 - `pkg/auth/discovery/`: OAuth/OIDC discovery, RFC 9728 support
 - `pkg/authserver/`: OAuth2 authorization server (Ory Fosite, PKCE, JWT/JWKS)
diff --git a/cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go b/cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
index 5716fe83b1..65710c528f 100644
--- a/cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
+++ b/cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go
@@ -97,7 +97,7 @@ type MCPExternalAuthConfigSpec struct {
 // TokenExchangeConfig holds configuration for RFC-8693 OAuth 2.0 Token Exchange.
 // This configuration is used to exchange incoming authentication tokens for tokens
 // that can be used with external services.
-// The structure matches the tokenexchange.Config from pkg/auth/tokenexchange/middleware.go
+// The structure matches the tokenexchange.Config from pkg/oauthproto/tokenexchange/middleware.go
 type TokenExchangeConfig struct {
 // TokenURL is the OAuth 2.0 token endpoint URL for token exchange
 // +kubebuilder:validation:Required
diff --git a/cmd/thv-operator/pkg/controllerutil/tokenexchange.go b/cmd/thv-operator/pkg/controllerutil/tokenexchange.go
index 9deff402e4..a667c7b89e 100644
--- a/cmd/thv-operator/pkg/controllerutil/tokenexchange.go
+++ b/cmd/thv-operator/pkg/controllerutil/tokenexchange.go
@@ -15,7 +15,7 @@ import (
 "github.com/stacklok/toolhive/cmd/thv-operator/pkg/oidc"
 "github.com/stacklok/toolhive/pkg/auth/awssts"
 "github.com/stacklok/toolhive/pkg/auth/remote"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/runner"
 )
diff --git a/cmd/thv/app/auth_flags.go b/cmd/thv/app/auth_flags.go
index d192b7379a..fed12e75d3 100644
--- a/cmd/thv/app/auth_flags.go
+++ b/cmd/thv/app/auth_flags.go
@@ -13,7 +13,7 @@ import (
 "github.com/spf13/cobra"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/runner"
 )
diff --git a/cmd/thv/app/proxy.go b/cmd/thv/app/proxy.go
index de33227bcf..80ca864a23 100644
--- a/cmd/thv/app/proxy.go
+++ b/cmd/thv/app/proxy.go
@@ -20,8 +20,8 @@ import (
 "github.com/stacklok/toolhive/pkg/auth/discovery"
 "github.com/stacklok/toolhive/pkg/auth/oauth"
 "github.com/stacklok/toolhive/pkg/auth/remote"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/networking"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/transport"
 "github.com/stacklok/toolhive/pkg/transport/middleware"
 "github.com/stacklok/toolhive/pkg/transport/proxy/transparent"
diff --git a/docs/middleware.md b/docs/middleware.md
index 8fe2b1b687..19bb148cd1 100644
--- a/docs/middleware.md
+++ b/docs/middleware.md
@@ -357,7 +357,7 @@ thv config usage-metrics enable
 **Purpose**: Exchanges incoming JWT tokens for external service tokens using OAuth 2.0 Token Exchange (RFC 8693).
-**Location**: `pkg/auth/tokenexchange/middleware.go`
+**Location**: `pkg/oauthproto/tokenexchange/middleware.go`
 **Responsibilities**:
 - Extract claims from authenticated JWT tokens
diff --git a/docs/operator/crd-api.md b/docs/operator/crd-api.md
index cbe2011a85..315123821f 100644
--- a/docs/operator/crd-api.md
+++ b/docs/operator/crd-api.md
@@ -3112,7 +3112,7 @@ _Appears in:_ TokenExchangeConfig holds configuration for RFC-8693 OAuth 2.0 Token Exchange. This configuration is used to exchange incoming authentication tokens for tokens that can be used with external services.
-The structure matches the tokenexchange.Config from pkg/auth/tokenexchange/middleware.go
+The structure matches the tokenexchange.Config from pkg/oauthproto/tokenexchange/middleware.go
diff --git a/docs/server/docs.go b/docs/server/docs.go
index 1cd3a245da..e23c144d6d 100644
--- a/docs/server/docs.go
+++ b/docs/server/docs.go
@@ -355,48 +355,6 @@ const docTemplate = `{ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config": { - "description": "TokenExchangeConfig contains token exchange configuration for external authentication", - "properties": { - "audience": { - "description": "Audience is the target audience for the exchanged token", - "type": "string" - }, - "client_id": { - "description": "ClientID is the OAuth 2.0 client identifier", - "type": "string" - }, - "client_secret": { - "description": "ClientSecret is the OAuth 2.0 client secret", - "type": "string" - }, - "external_token_header_name": { - "description": "ExternalTokenHeaderName is the name of the custom header to use when HeaderStrategy is \"custom\"", - "type": "string" - }, - "header_strategy": { - "description": "HeaderStrategy determines how to inject the token\nValid values: HeaderStrategyReplace (default), HeaderStrategyCustom", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of scopes to request for the exchanged token", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - }, - "subject_token_type": { - "description": "SubjectTokenType specifies the type of the subject token being exchanged.\nCommon values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT.\nIf empty, defaults to oauthproto.TokenTypeAccessToken.", - "type": "string" - }, - "token_url": { - "description": "TokenURL is the OAuth 2.0 token endpoint URL", - "type": "string" - } - }, - "type": "object" - }, "github_com_stacklok_toolhive_pkg_auth_upstreamswap.Config": { "description": "UpstreamSwapConfig contains configuration for upstream token swap middleware.\nWhen set along with EmbeddedAuthServerConfig, this middleware exchanges ToolHive JWTs\nfor upstream IdP tokens before forwarding requests to the MCP server.", "properties": { 
@@ -1136,6 +1094,48 @@ const docTemplate = `{ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config": { + "description": "TokenExchangeConfig contains token exchange configuration for external authentication", + "properties": { + "audience": { + "description": "Audience is the target audience for the exchanged token", + "type": "string" + }, + "client_id": { + "description": "ClientID is the OAuth 2.0 client identifier", + "type": "string" + }, + "client_secret": { + "description": "ClientSecret is the OAuth 2.0 client secret", + "type": "string" + }, + "external_token_header_name": { + "description": "ExternalTokenHeaderName is the name of the custom header to use when HeaderStrategy is \"custom\"", + "type": "string" + }, + "header_strategy": { + "description": "HeaderStrategy determines how to inject the token\nValid values: HeaderStrategyReplace (default), HeaderStrategyCustom", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of scopes to request for the exchanged token", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + }, + "subject_token_type": { + "description": "SubjectTokenType specifies the type of the subject token being exchanged.\nCommon values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT.\nIf empty, defaults to oauthproto.TokenTypeAccessToken.", + "type": "string" + }, + "token_url": { + "description": "TokenURL is the OAuth 2.0 token endpoint URL", + "type": "string" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_registry.OAuthPublicConfig": { "description": "AuthConfig contains the non-secret OAuth configuration when auth is configured.\nNil when auth_status is \"none\".", "properties": { 
@@ -1386,7 +1386,7 @@ const docTemplate = `{ "type": "string" }, "token_exchange_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config" }, "tools_filter": { "description": "DEPRECATED: Middleware configuration.\nToolsFilter is the list of tools to filter", diff --git a/docs/server/swagger.json b/docs/server/swagger.json index 2fa20abe2d..0be473b5da 100644 --- a/docs/server/swagger.json +++ b/docs/server/swagger.json 
@@ -348,48 +348,6 @@ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config": { - "description": "TokenExchangeConfig contains token exchange configuration for external authentication", - "properties": { - "audience": { - "description": "Audience is the target audience for the exchanged token", - "type": "string" - }, - "client_id": { - "description": "ClientID is the OAuth 2.0 client identifier", - "type": "string" - }, - "client_secret": { - "description": "ClientSecret is the OAuth 2.0 client secret", - "type": "string" - }, - "external_token_header_name": { - "description": "ExternalTokenHeaderName is the name of the custom header to use when HeaderStrategy is \"custom\"", - "type": "string" - }, - "header_strategy": { - "description": "HeaderStrategy determines how to inject the token\nValid values: HeaderStrategyReplace (default), HeaderStrategyCustom", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of scopes to request for the exchanged token", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - }, - "subject_token_type": { - "description": "SubjectTokenType specifies the type of the subject token being exchanged.\nCommon values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT.\nIf empty, defaults to oauthproto.TokenTypeAccessToken.", - "type": "string" - }, - "token_url": { - "description": "TokenURL is the OAuth 2.0 token endpoint URL", - "type": "string" - } - }, - "type": "object" - }, "github_com_stacklok_toolhive_pkg_auth_upstreamswap.Config": { "description": "UpstreamSwapConfig contains configuration for upstream token swap middleware.\nWhen set along with EmbeddedAuthServerConfig, this middleware exchanges ToolHive JWTs\nfor upstream IdP tokens before forwarding requests to the MCP server.", "properties": { 
@@ -1129,6 +1087,48 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config": { + "description": "TokenExchangeConfig contains token exchange configuration for external authentication", + "properties": { + "audience": { + "description": "Audience is the target audience for the exchanged token", + "type": "string" + }, + "client_id": { + "description": "ClientID is the OAuth 2.0 client identifier", + "type": "string" + }, + "client_secret": { + "description": "ClientSecret is the OAuth 2.0 client secret", + "type": "string" + }, + "external_token_header_name": { + "description": "ExternalTokenHeaderName is the name of the custom header to use when HeaderStrategy is \"custom\"", + "type": "string" + }, + "header_strategy": { + "description": "HeaderStrategy determines how to inject the token\nValid values: HeaderStrategyReplace (default), HeaderStrategyCustom", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of scopes to request for the exchanged token", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + }, + "subject_token_type": { + "description": "SubjectTokenType specifies the type of the subject token being exchanged.\nCommon values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT.\nIf empty, defaults to oauthproto.TokenTypeAccessToken.", + "type": "string" + }, + "token_url": { + "description": "TokenURL is the OAuth 2.0 token endpoint URL", + "type": "string" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_registry.OAuthPublicConfig": { "description": "AuthConfig contains the non-secret OAuth configuration when auth is configured.\nNil when auth_status is \"none\".", "properties": { 
@@ -1379,7 +1379,7 @@ "type": "string" }, "token_exchange_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config" }, "tools_filter": { "description": "DEPRECATED: Middleware configuration.\nToolsFilter is the list of tools to filter", diff --git a/docs/server/swagger.yaml b/docs/server/swagger.yaml index 46fa4b74a4..26bbbfb2c9 100644 --- a/docs/server/swagger.yaml +++ b/docs/server/swagger.yaml 
@@ -355,44 +355,6 @@ components: use_pkce: type: boolean type: object - github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config: - description: TokenExchangeConfig contains token exchange configuration for external - authentication - properties: - audience: - description: Audience is the target audience for the exchanged token - type: string - client_id: - description: ClientID is the OAuth 2.0 client identifier - type: string - client_secret: - description: ClientSecret is the OAuth 2.0 client secret - type: string - external_token_header_name: - description: ExternalTokenHeaderName is the name of the custom header to - use when HeaderStrategy is "custom" - type: string - header_strategy: - description: |- - HeaderStrategy determines how to inject the token - Valid values: HeaderStrategyReplace (default), HeaderStrategyCustom - type: string - scopes: - description: Scopes is the list of scopes to request for the exchanged token - items: - type: string - type: array - uniqueItems: false - subject_token_type: - description: |- - SubjectTokenType specifies the type of the subject token being exchanged. - Common values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT. - If empty, defaults to oauthproto.TokenTypeAccessToken. - type: string - token_url: - description: TokenURL is the OAuth 2.0 token endpoint URL - type: string - type: object github_com_stacklok_toolhive_pkg_auth_upstreamswap.Config: description: |- UpstreamSwapConfig contains configuration for upstream token swap middleware. 
@@ -1143,6 +1105,44 @@ components: description: Whether to print resolved overlay paths for debugging type: boolean type: object + github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config: + description: TokenExchangeConfig contains token exchange configuration for external + authentication + properties: + audience: + description: Audience is the target audience for the exchanged token + type: string + client_id: + description: ClientID is the OAuth 2.0 client identifier + type: string + client_secret: + description: ClientSecret is the OAuth 2.0 client secret + type: string + external_token_header_name: + description: ExternalTokenHeaderName is the name of the custom header to + use when HeaderStrategy is "custom" + type: string + header_strategy: + description: |- + HeaderStrategy determines how to inject the token + Valid values: HeaderStrategyReplace (default), HeaderStrategyCustom + type: string + scopes: + description: Scopes is the list of scopes to request for the exchanged token + items: + type: string + type: array + uniqueItems: false + subject_token_type: + description: |- + SubjectTokenType specifies the type of the subject token being exchanged. + Common values: oauthproto.TokenTypeAccessToken (default), oauthproto.TokenTypeIDToken, oauthproto.TokenTypeJWT. + If empty, defaults to oauthproto.TokenTypeAccessToken. + type: string + token_url: + description: TokenURL is the OAuth 2.0 token endpoint URL + type: string + type: object github_com_stacklok_toolhive_pkg_registry.OAuthPublicConfig: description: |- AuthConfig contains the non-secret OAuth configuration when auth is configured. 
@@ -1379,7 +1379,7 @@ components: ThvCABundle is the path to the CA certificate bundle for ToolHive HTTP operations type: string token_exchange_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_auth_tokenexchange.Config' + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_oauthproto_tokenexchange.Config' tools_filter: description: |- DEPRECATED: Middleware configuration.
diff --git a/pkg/oauthproto/grants.go b/pkg/oauthproto/grants.go
index c1f818072a..376baabb38 100644
--- a/pkg/oauthproto/grants.go
+++ b/pkg/oauthproto/grants.go
@@ -231,7 +231,7 @@ func DoTokenRequest(client *http.Client, req *http.Request) (*TokenResponse, err
 // pkg/networking.NewHttpClientBuilder. The builder blocks loopback and RFC
 // 1918 ranges, which would break localhost IdPs (dex, Keycloak-in-Docker)
 // and the httptest.NewServer-based tests that bind to 127.0.0.1. Not a
-// default today for behavior-compatibility with pkg/auth/tokenexchange.
+// default today for behavior-compatibility with pkg/oauthproto/tokenexchange.
 func DefaultHTTPClient() *http.Client {
 return sharedHTTPClient
 }
diff --git a/pkg/auth/tokenexchange/exchange.go b/pkg/oauthproto/tokenexchange/exchange.go
similarity index 100%
rename from pkg/auth/tokenexchange/exchange.go
rename to pkg/oauthproto/tokenexchange/exchange.go
diff --git a/pkg/auth/tokenexchange/exchange_test.go b/pkg/oauthproto/tokenexchange/exchange_test.go
similarity index 100%
rename from pkg/auth/tokenexchange/exchange_test.go
rename to pkg/oauthproto/tokenexchange/exchange_test.go
diff --git a/pkg/auth/tokenexchange/middleware.go b/pkg/oauthproto/tokenexchange/middleware.go
similarity index 100%
rename from pkg/auth/tokenexchange/middleware.go
rename to pkg/oauthproto/tokenexchange/middleware.go
diff --git a/pkg/auth/tokenexchange/middleware_test.go b/pkg/oauthproto/tokenexchange/middleware_test.go
similarity index 100%
rename from pkg/auth/tokenexchange/middleware_test.go
rename to pkg/oauthproto/tokenexchange/middleware_test.go
diff --git a/pkg/runner/config.go b/pkg/runner/config.go
index 3934a632dd..3894f3486f 100644
--- a/pkg/runner/config.go
+++ b/pkg/runner/config.go
@@ -18,7 +18,6 @@ import (
 "github.com/stacklok/toolhive/pkg/auth/awssts"
 "github.com/stacklok/toolhive/pkg/auth/remote"
 authsecrets "github.com/stacklok/toolhive/pkg/auth/secrets"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/auth/upstreamswap"
 "github.com/stacklok/toolhive/pkg/authserver"
 "github.com/stacklok/toolhive/pkg/authz"
@@ -29,6 +28,7 @@ import (
 "github.com/stacklok/toolhive/pkg/ignore"
 "github.com/stacklok/toolhive/pkg/labels"
 "github.com/stacklok/toolhive/pkg/networking"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/secrets"
 "github.com/stacklok/toolhive/pkg/state"
 "github.com/stacklok/toolhive/pkg/telemetry"
diff --git a/pkg/runner/config_builder.go b/pkg/runner/config_builder.go
index 88c4fd1cb2..66a9f92d9c 100644
--- a/pkg/runner/config_builder.go
+++ b/pkg/runner/config_builder.go
@@ -22,7 +22,6 @@ import (
 "github.com/stacklok/toolhive/pkg/auth"
 "github.com/stacklok/toolhive/pkg/auth/awssts"
 "github.com/stacklok/toolhive/pkg/auth/remote"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/authserver"
 "github.com/stacklok/toolhive/pkg/authserver/server/registration"
 "github.com/stacklok/toolhive/pkg/authz"
@@ -32,6 +31,7 @@ import (
 "github.com/stacklok/toolhive/pkg/ignore"
 "github.com/stacklok/toolhive/pkg/labels"
 "github.com/stacklok/toolhive/pkg/mcp"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/recovery"
 "github.com/stacklok/toolhive/pkg/telemetry"
 "github.com/stacklok/toolhive/pkg/transport"
diff --git a/pkg/runner/config_builder_test.go b/pkg/runner/config_builder_test.go
index af885a219f..b78ff27485 100644
--- a/pkg/runner/config_builder_test.go
+++ b/pkg/runner/config_builder_test.go
@@ -17,12 +17,12 @@ import (
 "github.com/stacklok/toolhive-core/permissions"
 regtypes "github.com/stacklok/toolhive-core/registry/types"
 "github.com/stacklok/toolhive/pkg/auth"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/authserver"
 "github.com/stacklok/toolhive/pkg/authserver/server/registration"
 appconfig "github.com/stacklok/toolhive/pkg/config"
 "github.com/stacklok/toolhive/pkg/mcp"
 "github.com/stacklok/toolhive/pkg/networking"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/transport/types"
 "github.com/stacklok/toolhive/pkg/webhook"
 )
diff --git a/pkg/runner/middleware.go b/pkg/runner/middleware.go
index be9dd33506..5f9168b19c 100644
--- a/pkg/runner/middleware.go
+++ b/pkg/runner/middleware.go
@@ -9,13 +9,13 @@ import (
 "github.com/stacklok/toolhive/pkg/audit"
 "github.com/stacklok/toolhive/pkg/auth"
 "github.com/stacklok/toolhive/pkg/auth/awssts"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/auth/upstreamswap"
 "github.com/stacklok/toolhive/pkg/authserver"
 "github.com/stacklok/toolhive/pkg/authz"
 "github.com/stacklok/toolhive/pkg/authz/authorizers/cedar"
 cfg "github.com/stacklok/toolhive/pkg/config"
 "github.com/stacklok/toolhive/pkg/mcp"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/ratelimit"
 "github.com/stacklok/toolhive/pkg/recovery"
 "github.com/stacklok/toolhive/pkg/telemetry"
diff --git a/pkg/transport/http.go b/pkg/transport/http.go
index 53b9af6d12..612623805e 100644
--- a/pkg/transport/http.go
+++ b/pkg/transport/http.go
@@ -16,9 +16,9 @@ import (
 "golang.org/x/oauth2"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 "github.com/stacklok/toolhive/pkg/container"
 rt "github.com/stacklok/toolhive/pkg/container/runtime"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 transporterrors "github.com/stacklok/toolhive/pkg/transport/errors"
 "github.com/stacklok/toolhive/pkg/transport/middleware"
 "github.com/stacklok/toolhive/pkg/transport/proxy/transparent"
diff --git a/pkg/transport/http_test.go b/pkg/transport/http_test.go
index 507390232c..650fae7c8f 100644
--- a/pkg/transport/http_test.go
+++ b/pkg/transport/http_test.go
@@ -12,8 +12,8 @@ import (
 "github.com/stretchr/testify/assert"
 "go.uber.org/mock/gomock"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 rt "github.com/stacklok/toolhive/pkg/container/runtime"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 "github.com/stacklok/toolhive/pkg/transport/types"
 "github.com/stacklok/toolhive/pkg/transport/types/mocks"
 )
diff --git a/pkg/vmcp/auth/strategies/tokenexchange.go b/pkg/vmcp/auth/strategies/tokenexchange.go
index ed754fd972..ec9351ad8b 100644
--- a/pkg/vmcp/auth/strategies/tokenexchange.go
+++ b/pkg/vmcp/auth/strategies/tokenexchange.go
@@ -16,7 +16,7 @@ import (
 "github.com/stacklok/toolhive-core/env"
 "github.com/stacklok/toolhive/pkg/auth"
- "github.com/stacklok/toolhive/pkg/auth/tokenexchange"
+ "github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
 healthcontext "github.com/stacklok/toolhive/pkg/vmcp/health/context"
 )