Wire jwksUrl and introspectionUrl from vMCP inline OIDC config to runtime#4501
Merged
ChrisJBurns merged 3 commits intomainfrom Apr 2, 2026
Merged
Wire jwksUrl and introspectionUrl from vMCP inline OIDC config to runtime#4501ChrisJBurns merged 3 commits intomainfrom
ChrisJBurns merged 3 commits intomainfrom
Conversation
…time Implements changes for issue #4485: - Add JwksUrl and IntrospectionUrl fields to vmcpconfig.OIDCConfig - Map resolved JWKSURL/IntrospectionURL in CRD-to-vMCP converter - Pass JWKSURL/IntrospectionURL to auth.TokenValidatorConfig in auth factory - Add converter and YAML loader tests for the new fields - Fix pre-existing goconst lint issue in crd_cli_roundtrip_test.go
Fixed issues from code review: - MEDIUM: Rename Go struct fields JwksUrl -> JWKSURL and IntrospectionUrl -> IntrospectionURL to follow codebase acronym conventions (JSON tags unchanged) - MEDIUM: Revert unrelated crd_cli_roundtrip_test.go cleanup that replaced "oidc" string literals with IncomingAuthTypeOIDC constant
tgrunnagle
requested review from
ChrisJBurns,
JAORMX,
amirejaz,
jerm-dro,
jhrozek and
yrobla
as code owners
JAORMX
previously approved these changes
Apr 2, 2026
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4501 +/- ##
==========================================
+ Coverage 69.30% 69.37% +0.06%
==========================================
Files 502 502
Lines 51632 51636 +4
==========================================
+ Hits 35785 35821 +36
+ Misses 13082 13049 -33
- Partials 2765 2766 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
github-actions
bot
added
size/S
jerm-dro
approved these changes
Apr 2, 2026
Contributor
jerm-dro
left a comment
jerm-dro
left a comment
There was a problem hiding this comment.
Good fix. Worth noting this is an example of the CRD → runtime config plumbing gap that toolhive-rfcs#65 aims to address systemically — fields accepted by the CRD but silently dropped in conversion. cc @ChrisJBurns
ChrisJBurns
approved these changes
Apr 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The VirtualMCPServer CRD supports
jwksUrlandintrospectionUrlin its inline OIDC config, but the vMCP runtime path silently dropped both fields during conversion. This meant vMCP always fell back to OIDC discovery for the JWKS endpoint, which fails when the issuer does not serve/.well-known/openid-configurationor when the operator explicitly overrides these URLs. The MCPServer path already handled these fields correctly; this PR closes the gap for the vMCP path.Closes #4485
Type of change
Test plan
task test)task test-e2e)task lint-fix)Changes
pkg/vmcp/config/config.goJWKSURLandIntrospectionURLfields toOIDCConfigstruct with JSON/YAML tags and documentationcmd/thv-operator/pkg/vmcpconfig/converter.goresolved.JWKSURLandresolved.IntrospectionURLinmapResolvedOIDCToVmcpConfigpkg/vmcp/auth/factory/incoming.goJWKSURLandIntrospectionURLtoauth.TokenValidatorConfigin the auth factorycmd/thv-operator/pkg/vmcpconfig/converter_test.gopkg/vmcp/config/yaml_loader_test.goDoes this introduce a user-facing change?
Yes. Operators can now set
jwksUrlandintrospectionUrlonVirtualMCPServerinline OIDC config and have those values reach the token validator at runtime. Previously these fields were accepted by the CRD but silently ignored.Generated with Claude Code