fix: oauth issues and add tokenResponseMapping for non-standard providers

[aron-muon]

Summary

Fixes for OAuth-related issues discovered while deploying MCPRemoteProxy with embeddedAuthServer against Asana, Atlassian, and GovSlack, plus a new feature for non-standard token response formats.

Changes

Bug Fixes

1. Fix TOOLHIVE_DEBUG env var not enabling debug logging (cmd/thv-proxyrunner/main.go, cmd/thv/main.go)

The logger was initialized in main.go before viper.BindEnv("debug", "TOOLHIVE_DEBUG") was called in commands.go, so the env var had no effect on log level. Moved the env var binding before logger initialization. Applied the same fix to the main thv binary which was also missing the env var binding.

2. Propagate upstream user name and email into JWT claims (pkg/authserver/)

The embedded auth server resolved user identity (name, email) from the upstream IDP via the userInfo endpoint but only stored the subject claim in the JWT. This caused audit logs to show "user":"anonymous" despite successful authentication. Now propagates name and email as standard OIDC claims (per OIDC Core Section 5.1).

Introduced a UserClaims struct to avoid parameter-ordering mistakes in session.New(), and added NameClaimKey/EmailClaimKey constants for consistency with existing claim key constants. Claims extraction from ID tokens now logs a warning on failure instead of silently ignoring the error.

3. Fix remote URL path not forwarded to backend server (pkg/transport/)

When the remote URL has a path (e.g., https://mcp.asana.com/v2/mcp), the proxy stripped it and only used the scheme+host as the target. Client requests to /mcp were forwarded to https://mcp.asana.com/mcp instead of https://mcp.asana.com/v2/mcp, causing 401 errors from Asana and Atlassian because the endpoint doesn't exist at the wrong path.

Added WithRemoteBasePath option to the transparent proxy that rewrites incoming request paths to the remote server's configured path.

Feature

4. Add tokenResponseMapping for non-standard OAuth token responses (pkg/authserver/upstream/)

Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths. GovSlack returns access_token under authed_user.access_token, causing Go's oauth2 library to fail with "server response missing access_token".

Added a tokenResponseMapping field to OAuth2UpstreamConfig that configures dot-notation paths (via gjson, already a dependency) for extracting token fields from non-standard response formats. Implemented as a response-rewriting http.RoundTripper that normalizes the response JSON before the oauth2 library parses it — keeping all of Go's oauth2 RFC 6749 compliance (error handling, token type validation, refresh via TokenSource). The token_type is always normalized to "Bearer" since non-standard providers may use different values (e.g., GovSlack uses "user").

Example CRD usage:

oauth2Config:
  tokenEndpoint: "https://slack-gov.com/api/oauth.v2.access"
  tokenResponseMapping:
    accessTokenPath: "authed_user.access_token"
    scopePath: "authed_user.scope"

Review feedback addressed

• Introduced session.UserClaims struct to avoid swappable string parameters in session.New()
• Added NameClaimKey/EmailClaimKey constants for consistency with TokenSessionIDClaimKey and ClientIDClaimKey
• Log warning when optional ID token claims extraction fails (instead of silently ignoring)
• Removed unused TokenTypePath field — token_type is always normalized to "Bearer", so the field was dead config
• Fixed pathOrDefault calls to use standard field names as defaults ("refresh_token", "expires_in", "scope") instead of empty strings
• Used io.LimitReader for token response body reads to prevent unbounded memory allocation
• Fixed Content-Length header handling: use Header.Del instead of setting to empty string
• Ran task operator-generate, task operator-manifests, and task crdref-gen to regenerate deepcopy, CRD schemas, and API docs
• Applied the same TOOLHIVE_DEBUG fix to the main thv binary

Test plan

• All existing tests pass
• New tests for remote path forwarding (5 test cases: Asana, Atlassian, GitHub, base path, full path scenarios)
• New tests for token response mapping (rewrite unit tests, RoundTripper integration tests, error passthrough, nil mapping, validation)
• Session tests updated for name/email JWT claims with UserClaims struct
• Verified in production: Asana, Atlassian, and GovSlack all authenticate and forward requests successfully
• Full build clean, golangci-lint clean

Large PR Justification

• This is a large feature

[jhrozek]

This is great work. I left some comments inline, the only that really need to be done is to re-run the generate task target to fix the deepcopy files.

the rest of the comments are mostly nits and questions.

Thanks a lot of for the PR!

[aron-muon]

This is great work. I left some comments inline, the only that really need to be done is to re-run the generate task target to fix the deepcopy files.

the rest of the comments are mostly nits and questions.

Thanks a lot of for the PR!

Thanks for the review! I appreciate the work ya'll have put into this - it works pretty well in our PoC!

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[jhrozek]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

eh, go away bot

bad bot, no cookie

[jhrozek]

@aron-muon I should have ran CI earlier, sorry would you mind running task docs, submitting the changes it produces and pushing again?

[aron-muon]

@aron-muon I should have ran CI earlier, sorry would you mind running task docs, submitting the changes it produces and pushing again?

All set!

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

dismissed

[codecov]

Codecov Report

❌ Patch coverage is 71.05263% with 33 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.66%. Comparing base (3aefbc8) to head (11e85fd).
⚠️ Report is 4 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/transport/http.go	0.00%	9 Missing ⚠️
cmd/thv-operator/pkg/controllerutil/authserver.go	0.00%	6 Missing and 1 partial ⚠️
pkg/authserver/runner/embeddedauthserver.go	25.00%	5 Missing and 1 partial ⚠️
pkg/authserver/upstream/token_exchange.go	88.67%	3 Missing and 3 partials ⚠️
pkg/authserver/upstream/oidc.go	55.55%	3 Missing and 1 partial ⚠️
pkg/authserver/server/handlers/callback.go	80.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4009      +/-   ##
==========================================
+ Coverage   68.62%   68.66%   +0.03%     
==========================================
  Files         444      445       +1     
  Lines       45222    45323     +101     
==========================================
+ Hits        31034    31120      +86     
- Misses      11791    11798       +7     
- Partials     2397     2405       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.