@tgrunnagle
Contributor

Summary

This PR adds a generic PrefixHandlers capability to the transport layer, enabling components to mount HTTP handlers at specific path prefixes on the proxy's HTTP server. This is a foundational change that enables the embedded authorization server (RFC-0031) to register OAuth2/OIDC endpoints alongside MCP proxy traffic without requiring transport-specific code changes.

Why

The embedded authorization server integration requires mounting OAuth endpoints (e.g., /oauth/*, /.well-known/oauth-authorization-server) on the same HTTP server that handles MCP proxy traffic. Rather than coupling the transport layer to the auth server, this PR introduces a generic route-mounting mechanism that keeps the transport package agnostic to handler types while enabling flexible route composition.

Changes

  • New PrefixHandlers field in types.Config - a map of path prefixes to HTTP handlers
  • Transport plumbing - PrefixHandlers flows through Factory.Create() → HTTPTransport → TransparentProxy
  • Proper handler mounting order in TransparentProxy.Start() - prefix handlers are mounted before the catch-all proxy handler, relying on Go's ServeMux longest-match routing for correct precedence
  • Narrowed well-known paths - RFC 9728 handler now mounts at specific paths (/.well-known/oauth-protected-resource) instead of the entire /.well-known/ prefix, allowing prefix handlers to register other well-known endpoints
  • Fixed /health endpoint - Returns 404 when health checker is disabled (previously could be proxied to backend)

Related

  • Implements: stacklok-epics#227
  • Parent: RFC-0031 (Embedded Authorization Server)
  • Blocks: Proxy Runner Integration (TASK-005)

Add support for mounting custom HTTP handlers at specific path prefixes
on the transparent proxy. This enables integrating additional endpoints
(like OAuth authorization server routes) alongside the MCP proxy.

Key changes:
- Add PrefixHandlers field to transport Config struct
- Update HTTPTransport and TransparentProxy to accept and mount prefix handlers
- Refactor Start() handler mounting order for clarity:
  1. Prefix handlers (user-specified, most specific)
  2. Health check endpoint
  3. Prometheus metrics endpoint
  4. RFC 9728 OAuth discovery endpoint (now at specific paths)
  5. Catch-all proxy handler

The RFC 9728 .well-known endpoint is now mounted at specific paths
(/.well-known/oauth-protected-resource) instead of a wildcard, allowing
prefix handlers to register other well-known paths like
/.well-known/oauth-authorization-server for auth server integration.

Add comprehensive tests for prefix handler mounting and routing.
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Jan 29, 2026
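
An added sketch, not code from this PR or the project, of the mounting order and well-known narrowing described above, using only Go's standard `http.ServeMux`. `PrefixHandlers` (as a type alias), `buildMux`, `tag` and `served` are hypothetical names, the metrics endpoint is omitted, and the sample prefixes are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// PrefixHandlers is a hypothetical mirror of the config field: path prefix -> handler.
type PrefixHandlers = map[string]http.Handler

// tag returns a handler that writes its own name, so a caller can see who served a path.
func tag(name string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, name) })
}

// buildMux mounts routes in the order listed in the PR description (assumed shape,
// not the project's TransparentProxy.Start()).
func buildMux(prefix PrefixHandlers, healthEnabled bool) (mux *http.ServeMux, err error) {
	defer func() { // ServeMux panics on a duplicate pattern; report it as a startup error
		if r := recover(); r != nil {
			mux, err = nil, fmt.Errorf("route conflict: %v", r)
		}
	}()
	mux = http.NewServeMux()
	for p, h := range prefix { // 1. prefix handlers
		mux.Handle(p, h)
	}
	health := http.NotFoundHandler() // 2. explicit 404 when disabled, so it is never proxied
	if healthEnabled {
		health = tag("health")
	}
	mux.Handle("/health", health)
	mux.Handle("/.well-known/oauth-protected-resource", tag("rfc9728")) // 4. exact path, no wildcard
	mux.Handle("/", tag("proxy"))                                      // 5. catch-all
	return mux, nil
}

// served reports the status code and body produced for a GET of path.
func served(mux *http.ServeMux, path string) (int, string) {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	mux, _ := buildMux(PrefixHandlers{"/oauth/": tag("authserver")}, false)
	fmt.Println(served(mux, "/oauth/token"))
}
```

In this sketch any `/.well-known/` path that nothing registers falls through to the catch-all, and a prefix handler that reuses a built-in pattern such as `/health` fails at mount time instead of shadowing it.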
@codecov

codecov bot commented Jan 29, 2026

Codecov Report

❌ Patch coverage is 60.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.34%. Comparing base (8d30e0a) to head (4000c94).
⚠️ Report is 12 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| pkg/transport/factory.go | 0.00% | 2 Missing ⚠️ |
| pkg/transport/http.go | 0.00% | 2 Missing ⚠️ |
| ...g/transport/proxy/transparent/transparent_proxy.go | 81.81% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3524      +/-   ##
==========================================
+ Coverage   65.30%   65.34%   +0.04%     
==========================================
  Files         401      401              
  Lines       39103    39111       +8     
==========================================
+ Hits        25535    25558      +23     
+ Misses      11584    11575       -9     
+ Partials     1984     1978       -6     

@tgrunnagle tgrunnagle merged commit 0192c35 into main Jan 30, 2026
47 of 48 checks passed
@tgrunnagle tgrunnagle deleted the auth-server_issue-227_2026-01-29 branch January 30, 2026 19:32