Commit 560164b
RFC: vMCP session binding by identity tuple
The current HMAC-of-bearer-token binding rejects legitimate OAuth
refreshes — the access-token bytes change on each refresh, so users
get logged out once per access-token TTL. Pin the binding to the
(iss, sub) identity tuple instead, so the invariant matches what
is actually stable across a session.
Drops the per-deployment HMAC secret and the operator-side plumbing
that distributed it. Closes a prior LocalUserMiddleware gap where
every local user fell into the anonymous equivalence class.
Supersedes the session-binding portion of THV-0038; preserves the
cross-pod persistence design of THV-0047 with the new key. Tracks
toolhive#5306.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>1 parent 414931f commit 560164b
1 file changed
Lines changed: 294 additions & 0 deletions
0 commit comments