Add OIDC authentication support to ToolHive management API server (#634)

JAORMX · web-flow · commit 1fad17b17faa · 2025-06-05T14:21:02.000+03:00
diff --git a/cmd/thv/app/server.go b/cmd/thv/app/server.go
@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 
 	s "github.com/stacklok/toolhive/pkg/api"
+	"github.com/stacklok/toolhive/pkg/auth"
 )
 
 var (
@@ -37,7 +38,24 @@ var serveCmd = &cobra.Command{
 			isUnixSocket = true
 		}
 
-		return s.Serve(ctx, address, isUnixSocket, debugMode, enableDocs)
+		// Get OIDC configuration if enabled
+		var oidcConfig *auth.JWTValidatorConfig
+		if IsOIDCEnabled(cmd) {
+			// Get OIDC flag values
+			issuer := GetStringFlagOrEmpty(cmd, "oidc-issuer")
+			audience := GetStringFlagOrEmpty(cmd, "oidc-audience")
+			jwksURL := GetStringFlagOrEmpty(cmd, "oidc-jwks-url")
+			clientID := GetStringFlagOrEmpty(cmd, "oidc-client-id")
+
+			oidcConfig = &auth.JWTValidatorConfig{
+				Issuer:   issuer,
+				Audience: audience,
+				JWKSURL:  jwksURL,
+				ClientID: clientID,
+			}
+		}
+
+		return s.Serve(ctx, address, isUnixSocket, debugMode, enableDocs, oidcConfig)
 	},
 }
 
@@ -48,4 +66,7 @@ func init() {
 		"Enable OpenAPI documentation endpoints (/api/openapi.json and /api/doc)")
 	serveCmd.Flags().StringVar(&socketPath, "socket", "", "UNIX socket path to bind the "+
 		"server to (overrides host and port if provided)")
+
+	// Add OIDC validation flags
+	AddOIDCFlags(serveCmd)
 }
diff --git a/docs/cli/thv_serve.md b/docs/cli/thv_serve.md
diff --git a/pkg/api/server.go b/pkg/api/server.go
@@ -26,6 +26,7 @@ import (
 	"github.com/go-chi/chi/v5/middleware"
 
 	v1 "github.com/stacklok/toolhive/pkg/api/v1"
+	"github.com/stacklok/toolhive/pkg/auth"
 	"github.com/stacklok/toolhive/pkg/container"
 	"github.com/stacklok/toolhive/pkg/lifecycle"
 	"github.com/stacklok/toolhive/pkg/logger"
@@ -78,14 +79,29 @@ func cleanupUnixSocket(address string) {
 // Serve starts the server on the given address and serves the API.
 // It is assumed that the caller sets up appropriate signal handling.
 // If isUnixSocket is true, address is treated as a UNIX socket path.
-func Serve(ctx context.Context, address string, isUnixSocket bool, debugMode bool, enableDocs bool) error {
+// If oidcConfig is provided, OIDC authentication will be enabled for all API endpoints.
+func Serve(
+	ctx context.Context,
+	address string,
+	isUnixSocket bool,
+	debugMode bool,
+	enableDocs bool,
+	oidcConfig *auth.JWTValidatorConfig,
+) error {
 	r := chi.NewRouter()
 	r.Use(
 		middleware.RequestID,
 		// TODO: Figure out logging middleware. We may want to use a different logger.
 		middleware.Timeout(middlewareTimeout),
 	)
 
+	// Add authentication middleware
+	authMiddleware, err := auth.GetAuthenticationMiddleware(ctx, oidcConfig)
+	if err != nil {
+		return fmt.Errorf("failed to create authentication middleware: %v", err)
+	}
+	r.Use(authMiddleware)
+
 	manager, err := lifecycle.NewManager(ctx)
 	if err != nil {
 		logger.Panicf("failed to create lifecycle manager: %v", err)
