fix: propagate identity for token exchange + add real integration tests #2769
+1,104 −409
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification [Explain why this PR must be large, such as:] - Generated code that cannot be split - Large refactoring that must be atomic - Multiple related changes that would break if separated - Migration or data transformationAlternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@ ## main #2769 +/- ## ========================================== - Coverage 56.56% 56.56% -0.01% ========================================== Files 320 320 Lines 30873 30882 +9 ========================================== + Hits 17464 17468 +4 - Misses 11908 11913 +5 Partials 1501 1501 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes token exchange for discovery mode in the Virtual MCP (vmcp) system by addressing configuration format issues and adding comprehensive end-to-end testing with mock servers deployed as Kubernetes resources.
Key Changes:
- Fixes vmcp configuration YAML format conversion to use a flat
token_cache.configstructure instead of separatememory/redissections, aligning with the YAML loader's expected format - Adds discovery logic for incoming OIDC configuration from backend MCPServers, enabling vMCP to authenticate to backends that require OIDC
- Implements comprehensive E2E tests with mock HTTP, OAuth token exchange, and OIDC servers deployed as Kubernetes pods to validate authentication flows
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| test/e2e/thv-operator/virtualmcp/virtualmcp_auth_discovery_test.go | Replaces simple httptest mock with Kubernetes-deployed mock servers (HTTP, OAuth, OIDC) for realistic E2E testing of auth discovery and token exchange flows |
| test/e2e/thv-operator/virtualmcp/helpers.go | Adds GetPodLogs helper function to retrieve logs from specific pods for debugging test failures |
| test/e2e/oidc_mock.go | Implements proper JWKS endpoint with RSA public key export and adds client_credentials grant type support |
| pkg/vmcp/workloads/k8s.go | Adds discoverIncomingOIDCConfig method to discover and populate OIDC configuration from backend MCPServers, enabling vMCP→backend authentication |
| pkg/vmcp/types.go | Adds IncomingOIDCConfig field to Backend and BackendTarget types for storing discovered OIDC configuration |
| pkg/vmcp/registry.go | Propagates IncomingOIDCConfig field when converting Backend to BackendTarget |
| cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go | Implements convertToCLIFormat to transform Go config structs into vmcp CLI-compatible YAML format with flat token_cache.config structure |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
test/e2e/thv-operator/virtualmcp/virtualmcp_auth_discovery_test.go Outdated Show resolved Hide resolved
test/e2e/thv-operator/virtualmcp/virtualmcp_auth_discovery_test.go Outdated Show resolved Hide resolved
test/e2e/thv-operator/virtualmcp/virtualmcp_auth_discovery_test.go Outdated Show resolved Hide resolved
github-actions bot added size/XL github-actions bot dismissed their stale review Large PR justification has been provided. Thank you!
Contributor
| ✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review. |
github-actions bot added size/XL 
yrobla force-pushed the fix/auth_discovery_test branch from 7c3263b to 68da4c9 Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from 68da4c9 to b3ff79c Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from b3ff79c to 28615db Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from 28615db to bfe83b2 Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from bfe83b2 to 5c6563b Compare Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
yrobla force-pushed the fix/auth_discovery_test branch from a27d766 to c7327cd Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from c7327cd to 76eec1d Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from 76eec1d to 7cf6767 Compare github-actions bot added size/XL 
jhrozek reviewed Dec 1, 2025
when using the discovered mode on vmcp, we discovered that it was not working for several problems. Add a fix and add proper testing to validate
yrobla force-pushed the fix/auth_discovery_test branch from 7cf6767 to ee2dd99 Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from 0fe205d to 102c340 Compare github-actions bot added size/XL yrobla force-pushed the fix/auth_discovery_test branch from 102c340 to 373ed73 Compare github-actions bot added size/XL yrobla changed the title jhrozek approved these changes Dec 1, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
when using the discovered mode on vmcp, we discovered that it was not working because identity was not propagated. Add a fix and add proper testing to validate
Large PR Justification
This is a complete fix of the feature, including unit tests. The fixes are atomic and need to come together to solve the issue