feat(transport): add ClaimInjectionMiddleware for backend header injection

fkztw · claude · fkztw · commit 01f0513f7dd0 · 2026-05-25T12:08:49.000+08:00
Refactor user identity injection to use proper HTTP middleware in the
transport layer, replacing the earlier round tripper implementation.

The ClaimInjectionMiddleware extracts the authenticated user's identity
from request context (populated by auth middleware) and injects it as
HTTP headers into requests forwarded to backend MCP servers:

  X-User-Sub:   the 'sub' claim (Google/OIDC user ID)
  X-User-Email: the 'email' claim (when present)
  X-User-Name:  the 'name' claim (when present)

This allows backend MCP servers to identify the calling user without
implementing their own OAuth token validation or /introspect calls.

The middleware is wired into the HTTP transport chain in http.go, after
the existing oauth-token-injection middleware. When no identity is present
in context (anonymous request), the middleware is a no-op — no headers
are injected.

Also includes poc-dockerfile/Dockerfile.vmcp for building the vmcp image
with this patch applied via Google Cloud Build.

Signed-off-by: Frank Zheng &lt;frank@tagtoo.com&gt;
Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pkg/transport/http.go b/pkg/transport/http.go
@@ -330,6 +330,14 @@ func (t *HTTPTransport) Start(ctx context.Context) error {
 		})
 	}
 
+	// Always inject user identity claims (sub, email, name) as headers so backend MCP servers
+	// can identify the authenticated user without needing to call /introspect themselves.
+	// When no identity is in context (anonymous request), this middleware is a no-op.
+	middlewares = append(middlewares, types.NamedMiddleware{
+		Name:     "claim-injection",
+		Function: middleware.NewClaimInjectionMiddleware(),
+	})
+
 	// Determine whether to enable health checks based on workload type
 	enableHealthCheck := shouldEnableHealthCheck(isRemote)
 
diff --git a/pkg/transport/middleware/claim_injection.go b/pkg/transport/middleware/claim_injection.go
@@ -0,0 +1,54 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package middleware
+
+import (
+	"net/http"
+
+	"github.com/stacklok/toolhive/pkg/auth"
+)
+
+const (
+	// HeaderUserSub is the HTTP header name for forwarding the authenticated user's subject claim.
+	// Backend MCP servers can read this header to identify the user without calling /introspect.
+	HeaderUserSub = "X-User-Sub"
+	// HeaderUserEmail is the HTTP header name for forwarding the authenticated user's email claim.
+	HeaderUserEmail = "X-User-Email"
+	// HeaderUserName is the HTTP header name for forwarding the authenticated user's name claim.
+	HeaderUserName = "X-User-Name"
+)
+
+// NewClaimInjectionMiddleware returns a middleware that extracts user identity from the
+// request context (populated by auth middleware) and injects it as HTTP headers into the
+// forwarded request. This allows backend MCP servers to receive user identity without
+// needing to implement their own OAuth token validation or /introspect calls.
+//
+// Headers injected (when identity is present):
+//   - X-User-Sub:   the 'sub' claim (Google/OIDC user ID, always present)
+//   - X-User-Email: the 'email' claim (if available in token)
+//   - X-User-Name:  the 'name' claim (if available in token)
+//
+// This middleware is safe to add unconditionally: if no identity is present in context
+// (e.g., anonymous request), no headers are injected.
+func NewClaimInjectionMiddleware() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			identity, ok := auth.IdentityFromContext(r.Context())
+			if ok && identity != nil {
+				// Clone request to avoid modifying the original
+				r = r.Clone(r.Context())
+				if identity.Subject != "" {
+					r.Header.Set(HeaderUserSub, identity.Subject)
+				}
+				if identity.Email != "" {
+					r.Header.Set(HeaderUserEmail, identity.Email)
+				}
+				if identity.Name != "" {
+					r.Header.Set(HeaderUserName, identity.Name)
+				}
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/poc-dockerfile/Dockerfile.vmcp b/poc-dockerfile/Dockerfile.vmcp
@@ -0,0 +1,30 @@
+# Build toolhive vmcp with our ClaimInjectionMiddleware patch
+# Context: ~/github/toolhive (must be built from toolhive root)
+#
+# Build command:
+#   docker build -f poc/toolhive-poc/Dockerfile.vmcp -t vmcp-poc:latest ~/github/toolhive
+
+FROM golang:1.26-alpine AS builder
+RUN apk add --no-cache git ca-certificates
+
+WORKDIR /build
+# Copy entire toolhive repo (including our ClaimInjectionMiddleware)
+COPY . .
+
+# Build vmcp binary
+RUN CGO_ENABLED=0 GOOS=linux go build \
+    -ldflags="-s -w -X main.version=poc-dev" \
+    -o /vmcp ./cmd/vmcp
+
+# ---- Runtime image ----
+FROM alpine:3.20
+RUN apk add --no-cache ca-certificates tzdata
+
+COPY --from=builder /vmcp /usr/local/bin/vmcp
+
+# Cloud Run / Docker: accept PORT env var
+EXPOSE 4483
+ENV PORT=4483
+
+ENTRYPOINT ["vmcp"]
+CMD ["serve", "--host", "0.0.0.0", "--port", "4483"]
