Conversation

@JAORMX
Collaborator

@JAORMX JAORMX commented Jun 5, 2025

Summary

This PR adds OIDC authentication support to the ToolHive management API server by reusing the existing authentication middleware from the pkg/auth package.

Changes

  • Added OIDC flags to thv serve command: --oidc-issuer, --oidc-audience, --oidc-jwks-url, --oidc-client-id
  • Integrated existing auth middleware: Reuses the same middleware architecture already used by MCP servers in thv run and thv proxy commands
  • Support for both OIDC and local authentication: When OIDC is not configured, falls back to local user authentication for development
  • All API endpoints protected: Authentication middleware is applied to all management API endpoints

Architecture

The implementation follows the same pattern used in other ToolHive commands:

  1. OIDC Configuration: Uses auth.JWTValidatorConfig to configure JWT validation with OIDC discovery support
  2. Middleware Selection: auth.GetAuthenticationMiddleware() automatically chooses between:
    • JWT validation middleware (when OIDC config is provided)
    • Local user middleware (when OIDC config is nil)
  3. Consistent Security Model: Same security architecture as MCP servers

Benefits

  • Enterprise-ready: Enables robust authentication for the management API
  • Consistent: Uses the same middleware architecture across all ToolHive components
  • Flexible: Supports both production OIDC and development local authentication
  • Secure by default: All endpoints are now protected by authentication

Testing

  • ✅ All existing tests pass
  • ✅ Linting passes with no issues
  • ✅ Build succeeds
  • ✅ OIDC flags are available in thv serve --help

Usage Examples

# Local development (uses local user authentication)
thv serve --port 8080

# Production with OIDC
thv serve --port 8080 \
  --oidc-issuer https://accounts.google.com \
  --oidc-audience my-toolhive-api \
  --oidc-client-id my-client-id

This addresses the need for enterprise-ready authorization in the management API server while maintaining consistency with the existing security architecture.

- Add OIDC flags (--oidc-issuer, --oidc-audience, --oidc-jwks-url, --oidc-client-id) to 'thv serve' command
- Integrate existing auth middleware from pkg/auth into the API server
- Support both OIDC JWT validation and local user authentication fallback
- Reuse the same middleware architecture already used by MCP servers in 'thv run' and 'thv proxy'
- When OIDC is not configured, falls back to local user authentication for development
- All API endpoints are now protected by authentication middleware

This enables enterprise-ready authorization for the management API server,
consistent with the security model used for MCP servers.
@JAORMX JAORMX merged commit 1fad17b into main Jun 5, 2025
12 checks passed
@JAORMX JAORMX deleted the add-oidc-auth-to-management-api branch June 5, 2025 11:21
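The middleware-selection rule the PR describes (nil OIDC config selects a local-user fallback, otherwise every request must present a valid JWT) in a small runnable form. This is an added illustration, not ToolHive's code and not the `pkg/auth` package: the names `OIDCConfig`, `Claims`, `verifyJWT`, `SelectMiddleware`, `MintToken` and `Probe`, the issuer URL and the request path are assumptions made for the example. It also stands in an EdDSA key for the JWKS lookup that `--oidc-jwks-url` implies, so it runs offline; the audience value `my-toolhive-api` is taken from the usage example above.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// OIDCConfig carries the values of the four new flags; nil means "OIDC not configured".
type OIDCConfig struct{ Issuer, Audience, JWKSURL, ClientID string }
// Claims is the subset of JWT claims this example validates.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}
type subjectKey struct{}        // context key for the caller identity set by the middleware
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// verifyJWT checks signature, issuer, audience and expiry of a compact EdDSA JWT. Hypothetical
// stand-in for JWKS-backed validation: the issuer key is passed in, not fetched from cfg.JWKSURL.
func verifyJWT(tok string, pub ed25519.PublicKey, cfg *OIDCConfig) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	body, e1 := b64.DecodeString(parts[1])
	sig, e2 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil {
		return nil, errors.New("bad base64url segment")
	}
	// The key type fixes the algorithm; never dispatch on the token's own "alg" header.
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad claims")
	}
	if c.Iss != cfg.Issuer || c.Aud != cfg.Audience || time.Now().Unix() >= c.Exp {
		return nil, errors.New("issuer, audience or expiry rejected") // real code would say which
	}
	return &c, nil
}

// SelectMiddleware applies the PR's rule: nil config selects the dev fallback, otherwise a JWT is required.
func SelectMiddleware(cfg *OIDCConfig, pub ed25519.PublicKey) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			subject := "local"
			if cfg != nil {
				tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
				c, err := verifyJWT(tok, pub, cfg)
				if err != nil {
					http.Error(w, "unauthorized", http.StatusUnauthorized) // log err server-side; never echo it
					return
				}
				subject = c.Sub
			}
			next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), subjectKey{}, subject)))
		})
	}
}

// MintToken plays the identity provider for tests: it EdDSA-signs the claims.
func MintToken(priv ed25519.PrivateKey, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return signingInput + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signingInput)))
}

// Probe sends one request through mw; the handler echoes the identity it finds in context.
func Probe(mw func(http.Handler) http.Handler, authz string) (int, string) {
	echo := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, r.Context().Value(subjectKey{})) })
	req := httptest.NewRequest(http.MethodGet, "/api/v1/example", nil) // constructed path
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	mw(echo).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cfg := &OIDCConfig{Issuer: "https://issuer.example", Audience: "my-toolhive-api"}
	tok := MintToken(priv, Claims{Iss: cfg.Issuer, Aud: cfg.Audience, Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(Probe(SelectMiddleware(cfg, pub), "Bearer "+tok)) // 200 alice
	fmt.Println(Probe(SelectMiddleware(cfg, pub), ""))            // 401 unauthorized
	fmt.Println(Probe(SelectMiddleware(nil, nil), ""))            // 200 local
}
```

Two points the example makes visible. First, a token is only accepted when the signature, issuer, audience and expiry all check out; a token minted for another audience or signed by another key gets the same 401 as a missing one. Second, the fallback branch attaches a fixed local identity without checking any credential, so the "secure by default" property depends on the OIDC flags actually being set on production deployments; a deployment check that `thv serve` is not running without `--oidc-issuer` on a network-reachable port is the natural companion to this change.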
@dmjb
Member

dmjb commented Jun 5, 2025

Rado beat me to it, but the changes look good to me.
