Move tokenexchange under pkg/oauthproto

.claude/agents/oauth-expert.md

@@ -46,7 +46,7 @@ Before providing guidance on OAuth/OIDC details, use WebFetch to verify RFC or s
 - `pkg/auth/token.go`: JWT parsing, validation, claims extraction
 - `pkg/auth/middleware.go`: HTTP authentication middleware
 - `pkg/auth/oauth/`: OAuth 2.0 and OIDC client implementations
-- `pkg/auth/tokenexchange/`: RFC 8693 token exchange
+- `pkg/oauthproto/tokenexchange/`: RFC 8693 token exchange
 - `pkg/auth/discovery/`: OAuth/OIDC discovery, RFC 9728 support
 - `pkg/authserver/`: OAuth2 authorization server (Ory Fosite, PKCE, JWT/JWKS)
 

cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go

@@ -97,7 +97,7 @@ type MCPExternalAuthConfigSpec struct {
 // TokenExchangeConfig holds configuration for RFC-8693 OAuth 2.0 Token Exchange.
 // This configuration is used to exchange incoming authentication tokens for tokens
 // that can be used with external services.
-// The structure matches the tokenexchange.Config from pkg/auth/tokenexchange/middleware.go
+// The structure matches the tokenexchange.Config from pkg/oauthproto/tokenexchange/middleware.go
 type TokenExchangeConfig struct {
 	// TokenURL is the OAuth 2.0 token endpoint URL for token exchange
 	// +kubebuilder:validation:Required

cmd/thv-operator/pkg/controllerutil/tokenexchange.go

@@ -15,7 +15,7 @@ import (
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/oidc"
 	"github.com/stacklok/toolhive/pkg/auth/awssts"
 	"github.com/stacklok/toolhive/pkg/auth/remote"
-	"github.com/stacklok/toolhive/pkg/auth/tokenexchange"
+	"github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/runner"
 )
 

cmd/thv/app/auth_flags.go

@@ -13,7 +13,7 @@ import (
 
 	"github.com/spf13/cobra"
 
-	"github.com/stacklok/toolhive/pkg/auth/tokenexchange"
+	"github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/runner"
 )
 

cmd/thv/app/proxy.go

@@ -20,8 +20,8 @@ import (
 	"github.com/stacklok/toolhive/pkg/auth/discovery"
 	"github.com/stacklok/toolhive/pkg/auth/oauth"
 	"github.com/stacklok/toolhive/pkg/auth/remote"
-	"github.com/stacklok/toolhive/pkg/auth/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/networking"
+	"github.com/stacklok/toolhive/pkg/oauthproto/tokenexchange"
 	"github.com/stacklok/toolhive/pkg/transport"
 	"github.com/stacklok/toolhive/pkg/transport/middleware"
 	"github.com/stacklok/toolhive/pkg/transport/proxy/transparent"

docs/middleware.md

@@ -357,7 +357,7 @@ thv config usage-metrics enable
 
 **Purpose**: Exchanges incoming JWT tokens for external service tokens using OAuth 2.0 Token Exchange (RFC 8693).
 
-**Location**: `pkg/auth/tokenexchange/middleware.go`
+**Location**: `pkg/oauthproto/tokenexchange/middleware.go`
 
 **Responsibilities**:
 - Extract claims from authenticated JWT tokens

pkg/oauthproto/grants.go

@@ -231,7 +231,7 @@ func DoTokenRequest(client *http.Client, req *http.Request) (*TokenResponse, err
 // pkg/networking.NewHttpClientBuilder. The builder blocks loopback and RFC
 // 1918 ranges, which would break localhost IdPs (dex, Keycloak-in-Docker)
 // and the httptest.NewServer-based tests that bind to 127.0.0.1. Not a
-// default today for behavior-compatibility with pkg/auth/tokenexchange.
+// default today for behavior-compatibility with pkg/oauthproto/tokenexchange.
 func DefaultHTTPClient() *http.Client {
 	return sharedHTTPClient
 }