fix: oauth issues and add tokenResponseMapping for non-standard providers (#4009)

* Fix TOOLHIVE_DEBUG env var not enabling debug logging

The logger was initialized in main.go before viper.BindEnv was called
in commands.go, so TOOLHIVE_DEBUG had no effect on log level. Move the
env var binding before the logger initialization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Propagate upstream user name and email into JWT claims

The embedded auth server resolved user identity (name, email) from the
upstream IDP via the userInfo endpoint but only stored the subject
claim in the JWT. This caused audit logs to show "anonymous" for the
user field despite successful authentication.

Propagate name and email from the upstream Identity through to the
session's JWT claims as standard OIDC claims (name, email per OIDC
Core Section 5.1). The auth middleware's claimsToIdentity function
already reads these claims, so the audit middleware will now display
the actual user name.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix remote URL path not forwarded to backend server

When the remote URL has a path (e.g., https://mcp.asana.com/v2/mcp),
the proxy stripped it and only used the scheme+host as the target.
Client requests to /mcp were forwarded to https://mcp.asana.com/mcp
instead of https://mcp.asana.com/v2/mcp, causing Asana to return
401 invalid_token because the endpoint doesn't exist at /mcp.

Extract the remote URL's path and pass it to the transparent proxy
via WithRemoteBasePath. The proxy's Director rewrites incoming
request paths to the remote server's configured path.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add tokenResponseMapping for non-standard OAuth token responses

Some OAuth providers (e.g., GovSlack) nest token fields under
non-standard paths instead of returning them at the top level.
GovSlack returns access_token under authed_user.access_token,
causing the standard oauth2 library to fail with "response missing
access_token".

Add a tokenResponseMapping field to OAuth2UpstreamConfig that
configures dot-notation paths for extracting token fields from
non-standard response formats. When set, the token exchange bypasses
golang.org/x/oauth2 and makes the HTTP POST directly, extracting
fields using gjson (already a dependency).

Example usage:
  tokenResponseMapping:
    accessTokenPath: "authed_user.access_token"
    tokenTypePath: "authed_user.token_type"

Changes span the full config pipeline: CRD types, RunConfig,
operator conversion, runtime resolution, and the upstream provider.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Regenerate CRD manifests and docs for tokenResponseMapping

Run `task operator-manifests` and `crd-ref-docs` to update the
CRD schema with the new tokenResponseMapping field on
OAuth2UpstreamConfig and regenerate the API reference docs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Update image build dependencies and fix run-on-main workflow

* Normalize token_type to Bearer in token response rewriter

GovSlack returns token_type "user" which the oauth2 library rejects
since it only accepts "Bearer". Since the rewriter already handles
non-standard responses, always normalize token_type to "Bearer" so
the oauth2 library accepts it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* chore: respond to reviewer

* chore: fixing debug env usage in thv cli

* fix: regenerated swag docs

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aron-muon

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go

@@ -331,6 +331,40 @@ type OAuth2UpstreamConfig struct {
 	// Scopes are the OAuth scopes to request from the upstream IDP.
 	// +optional
 	Scopes []string `json:"scopes,omitempty"`
+
+	// TokenResponseMapping configures custom field extraction from non-standard token responses.
+	// Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths
+	// instead of returning them at the top level. When set, ToolHive performs the token
+	// exchange HTTP call directly and extracts fields using the configured dot-notation paths.
+	// If nil, standard OAuth 2.0 token response parsing is used.
+	// +optional
+	TokenResponseMapping *TokenResponseMapping `json:"tokenResponseMapping,omitempty"`
+}
+
+// TokenResponseMapping maps non-standard token response fields to standard OAuth 2.0 fields
+// using dot-notation JSON paths. This supports upstream providers like GovSlack that nest
+// the access token under paths like "authed_user.access_token".
+type TokenResponseMapping struct {
+	// AccessTokenPath is the dot-notation path to the access token in the response.
+	// Example: "authed_user.access_token"
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	AccessTokenPath string `json:"accessTokenPath"`
+
+	// ScopePath is the dot-notation path to the scope string in the response.
+	// If not specified, defaults to "scope".
+	// +optional
+	ScopePath string `json:"scopePath,omitempty"`
+
+	// RefreshTokenPath is the dot-notation path to the refresh token in the response.
+	// If not specified, defaults to "refresh_token".
+	// +optional
+	RefreshTokenPath string `json:"refreshTokenPath,omitempty"`
+
+	// ExpiresInPath is the dot-notation path to the expires_in value (in seconds).
+	// If not specified, defaults to "expires_in".
+	// +optional
+	ExpiresInPath string `json:"expiresInPath,omitempty"`
 }
 
 // UserInfoConfig contains configuration for fetching user information from an upstream provider.

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -519,6 +519,15 @@ func buildUpstreamRunConfig(
 			if provider.OAuth2Config.UserInfo != nil {
 				config.OAuth2Config.UserInfo = buildUserInfoRunConfig(provider.OAuth2Config.UserInfo)
 			}
+			if provider.OAuth2Config.TokenResponseMapping != nil {
+				m := provider.OAuth2Config.TokenResponseMapping
+				config.OAuth2Config.TokenResponseMapping = &authserver.TokenResponseMappingRunConfig{
+					AccessTokenPath:  m.AccessTokenPath,
+					ScopePath:        m.ScopePath,
+					RefreshTokenPath: m.RefreshTokenPath,
+					ExpiresInPath:    m.ExpiresInPath,
+				}
+			}
 		}
 	}
 

cmd/thv-operator/pkg/controllerutil/authserver.go

@@ -15,6 +15,13 @@ import (
 )
 
 func main() {
+	// Bind TOOLHIVE_DEBUG env var early, before logger initialization.
+	// This must happen before viper.GetBool("debug") so the env var
+	// is available when configuring the log level.
+	if err := viper.BindEnv("debug", "TOOLHIVE_DEBUG"); err != nil {
+		slog.Error("failed to bind TOOLHIVE_DEBUG env var", "error", err)
+	}
+
 	// Initialize the logger
 	var opts []logging.Option
 	if viper.GetBool("debug") {

cmd/thv-proxyrunner/main.go

@@ -23,6 +23,13 @@ import (
 )
 
 func main() {
+	// Bind TOOLHIVE_DEBUG env var early, before logger initialization.
+	// This must happen before viper.GetBool("debug") so the env var
+	// is available when configuring the log level.
+	if err := viper.BindEnv("debug", "TOOLHIVE_DEBUG"); err != nil {
+		slog.Error("failed to bind TOOLHIVE_DEBUG env var", "error", err)
+	}
+
 	// Initialize the logger
 	var opts []logging.Option
 	if viper.GetBool("debug") {

cmd/thv/main.go

@@ -441,6 +441,38 @@ spec:
                                 token endpoint.
                               pattern: ^https?://.*$
                               type: string
+                            tokenResponseMapping:
+                              description: |-
+                                TokenResponseMapping configures custom field extraction from non-standard token responses.
+                                Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths
+                                instead of returning them at the top level. When set, ToolHive performs the token
+                                exchange HTTP call directly and extracts fields using the configured dot-notation paths.
+                                If nil, standard OAuth 2.0 token response parsing is used.
+                              properties:
+                                accessTokenPath:
+                                  description: |-
+                                    AccessTokenPath is the dot-notation path to the access token in the response.
+                                    Example: "authed_user.access_token"
+                                  minLength: 1
+                                  type: string
+                                expiresInPath:
+                                  description: |-
+                                    ExpiresInPath is the dot-notation path to the expires_in value (in seconds).
+                                    If not specified, defaults to "expires_in".
+                                  type: string
+                                refreshTokenPath:
+                                  description: |-
+                                    RefreshTokenPath is the dot-notation path to the refresh token in the response.
+                                    If not specified, defaults to "refresh_token".
+                                  type: string
+                                scopePath:
+                                  description: |-
+                                    ScopePath is the dot-notation path to the scope string in the response.
+                                    If not specified, defaults to "scope".
+                                  type: string
+                              required:
+                              - accessTokenPath
+                              type: object
                             userInfo:
                               description: |-
                                 UserInfo contains configuration for fetching user information from the upstream provider.

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml

@@ -444,6 +444,38 @@ spec:
                                 token endpoint.
                               pattern: ^https?://.*$
                               type: string
+                            tokenResponseMapping:
+                              description: |-
+                                TokenResponseMapping configures custom field extraction from non-standard token responses.
+                                Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths
+                                instead of returning them at the top level. When set, ToolHive performs the token
+                                exchange HTTP call directly and extracts fields using the configured dot-notation paths.
+                                If nil, standard OAuth 2.0 token response parsing is used.
+                              properties:
+                                accessTokenPath:
+                                  description: |-
+                                    AccessTokenPath is the dot-notation path to the access token in the response.
+                                    Example: "authed_user.access_token"
+                                  minLength: 1
+                                  type: string
+                                expiresInPath:
+                                  description: |-
+                                    ExpiresInPath is the dot-notation path to the expires_in value (in seconds).
+                                    If not specified, defaults to "expires_in".
+                                  type: string
+                                refreshTokenPath:
+                                  description: |-
+                                    RefreshTokenPath is the dot-notation path to the refresh token in the response.
+                                    If not specified, defaults to "refresh_token".
+                                  type: string
+                                scopePath:
+                                  description: |-
+                                    ScopePath is the dot-notation path to the scope string in the response.
+                                    If not specified, defaults to "scope".
+                                  type: string
+                              required:
+                              - accessTokenPath
+                              type: object
                             userInfo:
                               description: |-
                                 UserInfo contains configuration for fetching user information from the upstream provider.