Service API layer with OAuth2 client credentials for service APIs. Onboarding dummy tool, LFX Lens prod tool

[josep-reyero]

Summary

Replace shared API keys with OAuth2 client credentials (M2M JWTs) for service API authentication (LFX Lens, Member Onboarding). Each service gets its own Auth0 resource server — no more shared secrets.

See docs/service-api-architecture.md for the full design: token flows, diagrams, tool inventory, and API schemas.

What changed

• Auth layer: ClientCredentialsClient for OAuth2 client credentials with token caching; TokenSource interface replaces APIKey in the service API client
• LFX Lens tool: lfx_lens_query now calls the real Lens backend with user and session tracking. Lens backend not yet deployed — the tool is ready but will fail until the backend is live.
• Onboarding tool: onboarding_list_memberships registered with correct args/types but returns dummy response (actual API call commented out inline)
• Config: LFXMCP_LF_AI_API_KEY replaced with per-service LFXMCP_LENS_API_AUDIENCE and LFXMCP_ONBOARDING_API_AUDIENCE

Dependencies

This PR depends on two auth0-terraform PRs:

1. auth0-terraform#249 — Creates the Auth0 resource servers for LFX Lens and Member Onboarding. Required before the MCP server can obtain client credentials tokens, and before the services can validate them.

2. auth0-terraform#248 — Adds the lf_staff custom claim to MCP API access tokens. Required for lfx_lens_query specifically — this tool checks the lf_staff JWT claim to enforce staff-only access. Until #248 is deployed, the Lens tool will reject all requests with "this tool is available to Linux Foundation staff only".

onboarding_list_memberships does not depend on #248 (no staff check).

No new env vars needed to deploy this PR

The service tools only activate when both URL and audience are configured. With current deployment config unchanged, everything works as before.

Test plan

• go build ./... passes
• go test ./... passes
• No remaining references to ApiKey / LF_AI_API_KEY
• Existing V2 tools unaffected
• LFX Lens end-to-end tested locally against live Lens backend

🤖 Generated with Claude Code

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review.

_{Tip: disable this comment in your organization's Code Review settings.}

[Copilot]

Pull request overview

This PR migrates internal service API authentication from shared API keys to Auth0-issued OAuth2 client-credentials tokens, and introduces shared service-tool authorization plumbing (slug→UUID resolution + V2 access-check) to enforce project-level authorization before proxying to Lens/Onboarding.

Changes:

• Added OAuth2 client-credentials token client (cached) and a generic service API HTTP client (TokenSource-based).
• Added V2 authorization helpers: access-check client, slug resolver (cached), and a ServiceAuth flow used by new service tools.
• Wired new tools/config into main.go, plus added architecture + env var documentation.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
internal/tools/service.go	Shared service-tool infra (ServiceAuth, access relations, staff-claim helpers).
internal/tools/onboarding.go	New onboarding tool (currently returns stubbed/dummy response).
internal/tools/lens.go	New Lens tool (staff-gated; currently returns stubbed/dummy response).
internal/serviceapi/client.go	Generic HTTP client for service APIs using bearer tokens + optional debug wire logging.
internal/serviceapi/client_test.go	Tests for GET/POST JSON/multipart behavior and auth header handling.
internal/lfxv2/token_exchange.go	Extracted shared generateClientAssertion() helper for reuse.
internal/lfxv2/client_credentials.go	New client-credentials grant client with token caching.
internal/lfxv2/access_check.go	New access-check client for project relation checks.
internal/lfxv2/access_check_test.go	Tests for access-check request/response handling and edge cases.
internal/lfxv2/slug_resolver.go	New in-memory slug→UUID resolver for V2 query service.
internal/lfxv2/client.go	Added helper to retrieve exchanged V2 token as a string (GetExchangedToken).
cmd/lfx-mcp-server/main.go	Config + wiring for per-service audiences/URLs and new tool registration; copies lf_staff claim into TokenInfo.Extra.
docs/service-api-architecture.md	Architecture doc describing the 3-token model and authorization flow.
AGENTS.md	Documented new environment variables for Lens/Onboarding service configuration.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Token cache expiry subtracts a fixed 5-minute buffer from expires_in. If expires_in is less than 300 seconds (or is 0/negative due to an upstream issue), this sets c.expiry in the past and can cause repeated token fetches in a tight loop. Consider clamping the buffer (e.g., min(5m, expiresIn/2) or max(expiresIn-buffer, 0)) and validating expires_in > 0 before caching.

Suggested change

	c.cachedToken = token
	// Cache with 5-minute buffer before actual expiry.
	c.expiry = time.Now().Add(time.Duration(expiresIn)*time.Second - 5*time.Minute)
	if expiresIn <= 0 {
	return "", fmt.Errorf("token endpoint returned non-positive expires_in: %d", expiresIn)
	}
	c.cachedToken = token
	lifetime := time.Duration(expiresIn) * time.Second
	// Use a buffer before actual expiry to proactively refresh the token.
	// Clamp the buffer to avoid setting expiry in the past for short-lived tokens.
	maxBuffer := 5 * time.Minute
	buffer := maxBuffer
	if lifetime < maxBuffer {
	buffer = lifetime / 2
	}
	c.expiry = time.Now().Add(lifetime - buffer)

[Copilot]

The doc comment here still says service APIs use shared API keys, but this PR replaces them with OAuth2 client credentials (M2M bearer tokens). Updating this bullet would avoid confusion for future readers and keep the in-code documentation aligned with the new auth model.

[Copilot]

RequireLFStaff currently only denies access when TokenInfo is present AND IsLFStaff returns false. If TokenInfo/Extra is missing (e.g., auth misconfiguration or unauthenticated calls), this returns nil and allows access to a staff-only tool. This should deny by default when the staff claim cannot be verified (i.e., require TokenInfo+claim=true).

Suggested change

	if req.Extra != nil && req.Extra.TokenInfo != nil && !IsLFStaff(req.Extra.TokenInfo) {
	// Deny by default: require a token and a true lf_staff claim.
	if req.Extra == nil || req.Extra.TokenInfo == nil || !IsLFStaff(req.Extra.TokenInfo) {

[Copilot]

The debug transport logs full request/response dumps via httputil.DumpRequestOut/DumpResponse. This will include the Authorization header (M2M bearer token) and potentially sensitive payloads, which is risky even behind a debug flag because logs often end up in centralized systems. Consider redacting Authorization (and other secrets) before dumping, or logging only safe metadata (method, URL, status, duration) with an opt-in body dump that explicitly strips credentials.

[emsearcy]

largest changes would be the access_check response payload, and of course implementing the upstream calls that are currently commented out.

Also, I didn't flag it, but I assume we'll need to change the custom-claim prefix (per my comment in the Auth0 Action to adopt our newer, more-terse domain prefix).

[josep-reyero]

Also changed the custom-claim prefix lfxPrefix namespace as per the Auth0 Action comment.