
RFC: Embedded Authorization Server in Proxy Runner#31

Merged
tgrunnagle merged 6 commits into main from auth-server-integration_2026-01-27
Jan 28, 2026

@tgrunnagle
Contributor

Summary

This RFC proposes integrating ToolHive's authorization server (pkg/authserver/) directly into the proxy runner process for Kubernetes deployments. This enables MCP servers to authenticate users via upstream identity providers (Okta, Azure AD, etc.) and issue tokens for MCP access.

Key Changes

  • New CRD type: embeddedAuthServer added to MCPExternalAuthConfig
  • Volume-based secrets: Signing keys and HMAC secrets mounted as files (not env vars)
  • Key rotation support: Multiple signing keys and HMAC secrets for graceful rotation
  • Upstream IDP integration: OIDC (with discovery) and OAuth2 (explicit endpoints)

Design Highlights

| Aspect | Decision |
| --- | --- |
| Deployment model | In-process with proxy runner (not standalone) |
| Secrets handling | Volume mounts with 0400 permissions |
| Key rotation | List-based (first = active, rest = fallback) |
| Storage | Memory-only (single replica limitation) |

Security Benefits

  • Per-workload isolation: Compromised proxy affects only one MCP server
  • No centralized auth: Avoids single point of compromise for all workloads
  • Ephemeral tokens: Lost on pod restart, no persistent state

Implementation Phases

  1. CRD type additions and webhook validation
  2. Controller volume generation helpers
  3. RunConfig extension for auth server config
  4. Proxy runner integration with auth server lifecycle
  5. Transport layer route mounting

Files Changed

  • cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go - New CRD types
  • cmd/thv-operator/pkg/controllerutil/authserver.go - Volume generation (new)
  • pkg/runner/config.go - RunConfig extension
  • pkg/runner/authserver.go - Auth server wrapper (new)
  • pkg/runner/runner.go - Integration
  • pkg/transport/http.go - Route mounting

Refine auth server integration design

- Move embedded auth server wrapper to pkg/authserver/runner/ for better
  dependency ordering (proxy runner consumes authserver APIs)
- Replace auth-server-specific transport changes with generic PrefixHandlers
  mechanism (map[string]http.Handler) to keep transport package agnostic
- Add Alternative 3: Auth Server Sidecar Container to alternatives considered,
  noting tradeoffs vs embedded approach (secret/process isolation vs
  implementation complexity and operational overhead)
@tgrunnagle tgrunnagle requested review from jhrozek and yrobla January 28, 2026 15:39
jhrozek previously approved these changes Jan 28, 2026
Contributor

@jhrozek jhrozek left a comment


looks good!

@tgrunnagle tgrunnagle merged commit 895f8eb into main Jan 28, 2026
1 check passed
@tgrunnagle tgrunnagle deleted the auth-server-integration_2026-01-27 branch January 28, 2026 16:26
3 participants