Wire CIMD config through embedded AS and enable storage decorator (#5348)

* Wire CIMD config through embedded AS and enable storage decorator

Phase 2 PR 3 — config threading and server wiring.

Config chain: RunConfig.CIMD → Config.CIMD* → AuthorizationServerParams
→ AuthorizationServerConfig → discovery handler.

Changes:
- config.go: add CIMDRunConfig struct and CIMD* fields to Config;
  defaults (256 entries, 5 min fallback TTL) applied in applyDefaults();
  validation (cacheMaxSize >= 1 when enabled) in Validate()
- runner/embeddedauthserver.go: add resolveCIMDConfig helper to unpack
  nullable *CIMDRunConfig; populate Config.CIMD* from RunConfig.CIMD
- server/provider.go: add CIMDEnabled to AuthorizationServerParams and
  AuthorizationServerConfig; wire through NewAuthorizationServerConfig
- server_impl.go: wrap storage with CIMDStorageDecorator when enabled
  (after legacy migration, before createProvider — decorator must be in
  place before fosite holds a reference to the storage instance);
  pass CIMDEnabled to AuthorizationServerParams
- server/handlers/discovery.go: set ClientIDMetadataDocumentSupported
  in buildOAuthMetadata() — both OAuth AS and OIDC discovery endpoints
  advertise CIMD support when enabled

CIMD is opt-in (disabled by default) to avoid introducing outbound
HTTPS fetching in existing deployments without explicit operator action.

Relates to #4825

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address PR review feedback on CIMD wiring and add missing tests

- Fix CacheFallbackTTL comment to say it is a fixed TTL (not fallback);
  matches the fix already applied in PR #5343
- Add TODO(cimd) comment above CIMDRunConfig noting the CRD exposure gap
- Add discovery handler tests: CIMDEnabled=true advertises the flag,
  CIMDEnabled=false omits it, for both AS metadata and OIDC endpoints
- Add config defaults tests: CIMDEnabled=true fills in cache size/TTL
  defaults; CIMDEnabled=false leaves zero fields unchanged
- Add resolveCIMDConfig nil-guard test: nil input returns zero values,
  non-nil passes all fields through

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Extend IsClientIDMetadataDocumentURL to accept http://localhost URLs

The embedded AS must resolve CIMD client_ids for local development and
testing the same way FetchClientMetadataDocument does — accepting
http://localhost and http://127.x.x.x in addition to https://. This
brings IsClientIDMetadataDocumentURL in line with validateCIMDClientURL
in pkg/oauthproto/cimd/fetch.go which already permits these schemes.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Regenerate swagger docs to include CIMDRunConfig

Run task docs to pick up the new CIMDRunConfig struct added in this PR.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Default to registration.DefaultScopes when CIMD doc omits scope field

When a CIMD document does not include a scope field, buildFositeClient
was producing a client with no allowed scopes. Any authorization request
specifying openid, profile, or offline_access would then fail with
"scope not allowed". DCR registration applies DefaultScopes in the same
situation, so CIMD clients should behave identically.

Found during manual testing with VS Code as a CIMD client.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Trigger CI re-run

* Address PR review feedback on CIMD wiring

- Fix IsClientIDMetadataDocumentURL comment: accepted loopbacks are
  localhost/127.0.0.1/[::1], not the full 127.x.x.x range
- Fix hostFromURL doc: returns host+port, not host without port
- Add loopback and subdomain-bypass test cases to
  TestIsClientIDMetadataDocumentURL (Claude blocking issue)
- Fix Config.CIMDCacheFallbackTTL comment: Cache-Control is not parsed
- Add validation: CIMDCacheFallbackTTL must be non-negative when enabled
- Clone registration.DefaultScopes in buildFositeClient to prevent
  aliasing the package-level slice
- Fix CIMDDisabled discovery test to decode to map[string]interface{}
  so it verifies the field is truly absent (omitempty) not just false

The DefaultScopes change in cimd_decorator.go was introduced here
(rather than in PR #5343) because the gap was discovered during manual
testing of the wiring: VS Code's CIMD document omits scope and the nil
scopes caused an auth failure.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Use net/url to extract host in IsClientIDMetadataDocumentURL

net/url is already imported by four other files in pkg/oauthproto, so
the previous comment about keeping the package "import-free" was
incorrect. url.Parse handles IPv6 brackets and other edge cases
correctly without manual string manipulation.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

* Address tgrunnagle feedback on CIMD wiring

C1 - Fix CacheFallbackTTL to string in CIMDRunConfig so YAML/JSON
     operators can write "5m" instead of nanoseconds. resolveCIMDConfig
     parses it with time.ParseDuration at runtime.
C6 - Add slog.Debug when applyDefaults substitutes CIMD defaults,
     matching the pattern used by the sibling token-lifespan defaults.
C7 - Add CIMDRunConfig.Validate() and call it from RunConfig.Validate()
     so CIMD misconfiguration fails at the wire-format boundary before
     the runner resolves secrets.
C10 - Add test cases to TestConfigValidate and TestRunConfigValidate
      covering all new CIMD validation paths.
C11 - Add TestNewServer_CIMDEnabled_WrapsStorage: verifies the CIMD
      decorator is actually installed in the storage chain when
      CIMDEnabled=true.
C12 - Add comment in discovery.go explaining why
      client_id_metadata_document_supported is in OIDC discovery.
C13 - Add doc comment on server.storage noting it may be decorated.
C14 - Add note to IsClientIDMetadataDocumentURL about pkg/auth/remote
      callers and why the loopback widening is safe there.

Regenerate swagger docs: CacheFallbackTTL now serialises as string.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: amirejaz

docs/server/docs.go

@@ -90,13 +90,23 @@ type RunConfig struct {
 	// Storage configures the storage backend for the auth server.
 	// If nil, defaults to in-memory storage.
 	Storage *storage.RunConfig `json:"storage,omitempty" yaml:"storage,omitempty"`
+
+	// CIMD controls client_id metadata document support. When enabled, the
+	// embedded authorization server accepts HTTPS URLs as client_id values
+	// and resolves them via the CIMD protocol instead of requiring DCR.
+	CIMD *CIMDRunConfig `json:"cimd,omitempty" yaml:"cimd,omitempty"`
 }
 
 // Validate checks that the on-disk RunConfig is internally consistent. Called
 // by the runner before resolving secrets and building the runtime Config; it
 // catches operator-supplied misconfiguration early so server startup fails
 // loudly instead of degrading silently at runtime.
 func (c *RunConfig) Validate() error {
+	if c.CIMD != nil {
+		if err := c.CIMD.Validate(); err != nil {
+			return fmt.Errorf("cimd: %w", err)
+		}
+	}
 	return c.validateBaselineClientScopes()
 }
 
@@ -118,6 +128,46 @@ func (c *RunConfig) validateBaselineClientScopes() error {
 	return registration.ValidateScopeSubset(c.BaselineClientScopes, effective, "baseline_client_scopes")
 }
 
+// CIMDRunConfig controls client_id metadata document (CIMD) support.
+//
+// TODO(cimd): expose these fields in the MCPExternalAuthConfig CRD so Kubernetes
+// operators can configure CIMD through the normal CRD workflow instead of
+// writing RunConfig YAML directly.
+type CIMDRunConfig struct {
+	// Enabled activates CIMD client lookup when true.
+	Enabled bool `json:"enabled" yaml:"enabled"`
+
+	// CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+	// Defaults to 256 when Enabled is true and this field is zero.
+	CacheMaxSize int `json:"cache_max_size,omitempty" yaml:"cache_max_size,omitempty"`
+
+	// CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+	// Cache-Control header parsing is not yet implemented; all entries use this value.
+	// Format: Go duration string (e.g. "5m", "10m", "1h").
+	// Defaults to 5 minutes when Enabled is true and this field is omitted.
+	CacheFallbackTTL string `json:"cache_fallback_ttl,omitempty" yaml:"cache_fallback_ttl,omitempty" example:"5m"`
+}
+
+// Validate checks that the CIMDRunConfig fields are internally consistent.
+func (c *CIMDRunConfig) Validate() error {
+	if !c.Enabled {
+		return nil
+	}
+	if c.CacheMaxSize < 0 {
+		return fmt.Errorf("cache_max_size must be non-negative when CIMD is enabled, got %d", c.CacheMaxSize)
+	}
+	if c.CacheFallbackTTL != "" {
+		d, err := time.ParseDuration(c.CacheFallbackTTL)
+		if err != nil {
+			return fmt.Errorf("cache_fallback_ttl: %w", err)
+		}
+		if d < 0 {
+			return fmt.Errorf("cache_fallback_ttl must be non-negative when CIMD is enabled, got %s", c.CacheFallbackTTL)
+		}
+	}
+	return nil
+}
+
 // SigningKeyRunConfig configures where to load signing keys from.
 // Keys are loaded from PEM-encoded files on disk (typically mounted from secrets).
 type SigningKeyRunConfig struct {
@@ -537,6 +587,20 @@ type Config struct {
 	// When empty, any request with a "resource" parameter will be rejected with
 	// "invalid_target". Configure this for proper MCP specification compliance.
 	AllowedAudiences []string
+
+	// CIMDEnabled enables the CIMD storage decorator so the authorization server
+	// accepts HTTPS URLs as client_id values without prior DCR registration.
+	CIMDEnabled bool
+
+	// CIMDCacheMaxSize is the maximum number of CIMD documents held in the LRU
+	// cache. Zero is replaced by a default (256) in applyDefaults when CIMDEnabled
+	// is true.
+	CIMDCacheMaxSize int
+
+	// CIMDCacheFallbackTTL is the fixed TTL applied to all cached CIMD documents
+	// (Cache-Control header parsing is not yet implemented). Zero is replaced by
+	// a default (5 minutes) in applyDefaults when CIMDEnabled is true.
+	CIMDCacheFallbackTTL time.Duration
 }
 
 // Validate checks that the Config is valid.
@@ -589,6 +653,13 @@ func (c *Config) Validate() error {
 		}
 	}
 
+	if c.CIMDEnabled && c.CIMDCacheMaxSize < 1 {
+		return fmt.Errorf("cimd.cache_max_size must be >= 1 when CIMD is enabled")
+	}
+	if c.CIMDEnabled && c.CIMDCacheFallbackTTL < 0 {
+		return fmt.Errorf("cimd.cache_fallback_ttl must be non-negative when CIMD is enabled")
+	}
+
 	slog.Debug("authserver config validation passed",
 		"issuer", c.Issuer,
 		"upstream_count", len(c.Upstreams),
@@ -819,6 +890,14 @@ func (c *Config) applyDefaults() error {
 		c.ScopesSupported = registration.DefaultScopes
 		slog.Debug("applied default scopes_supported", "scopes", c.ScopesSupported)
 	}
+	if c.CIMDEnabled && c.CIMDCacheMaxSize == 0 {
+		c.CIMDCacheMaxSize = 256
+		slog.Debug("applied default cimd cache_max_size", "size", c.CIMDCacheMaxSize)
+	}
+	if c.CIMDEnabled && c.CIMDCacheFallbackTTL == 0 {
+		c.CIMDCacheFallbackTTL = 5 * time.Minute
+		slog.Debug("applied default cimd cache_fallback_ttl", "ttl", c.CIMDCacheFallbackTTL)
+	}
 	return nil
 }
 

docs/server/swagger.json

@@ -114,6 +114,13 @@ func TestConfigValidate(t *testing.T) {
 		{name: "baseline scope not in scopes_supported", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, ScopesSupported: []string{"openid"}, BaselineClientScopes: []string{"offline_access"}}, wantErr: true, errMsg: `baseline_client_scopes contains "offline_access"`},
 		{name: "nil supported with baseline in DefaultScopes passes", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, ScopesSupported: nil, BaselineClientScopes: []string{"offline_access"}}},
 
+		// CIMD validation
+		{name: "CIMD enabled zero cache_max_size rejected", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, CIMDEnabled: true, CIMDCacheMaxSize: 0}, wantErr: true, errMsg: "cache_max_size must be >= 1"},
+		{name: "CIMD enabled negative cache_max_size rejected", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, CIMDEnabled: true, CIMDCacheMaxSize: -1}, wantErr: true, errMsg: "cache_max_size must be >= 1"},
+		{name: "CIMD enabled negative cache_fallback_ttl rejected", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, CIMDEnabled: true, CIMDCacheMaxSize: 256, CIMDCacheFallbackTTL: -time.Second}, wantErr: true, errMsg: "cache_fallback_ttl must be non-negative"},
+		{name: "CIMD disabled ignores invalid cache fields", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, CIMDEnabled: false, CIMDCacheMaxSize: -1, CIMDCacheFallbackTTL: -time.Second}},
+		{name: "CIMD enabled with valid bounds passes", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}, CIMDEnabled: true, CIMDCacheMaxSize: 256, CIMDCacheFallbackTTL: 5 * time.Minute}},
+
 		// Valid configs
 		{name: "valid minimal", config: Config{Issuer: "https://example.com", KeyProvider: validKeyProvider, HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}}},
 		{name: "valid nil key provider", config: Config{Issuer: "https://example.com", HMACSecrets: validHMAC, Upstreams: validUpstreams, AllowedAudiences: []string{"https://mcp.example.com"}}},
@@ -431,6 +438,14 @@ func TestRunConfigValidate(t *testing.T) {
 			wantErr: true,
 			errMsg:  "foo",
 		},
+		// CIMD RunConfig validation
+		{name: "CIMD nil passes", config: RunConfig{CIMD: nil}},
+		{name: "CIMD disabled passes even with invalid fields", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: false, CacheMaxSize: -1, CacheFallbackTTL: "-1s"}}},
+		{name: "CIMD enabled negative cache_max_size rejected", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: true, CacheMaxSize: -1}}, wantErr: true, errMsg: "cache_max_size"},
+		{name: "CIMD enabled invalid TTL string rejected", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: true, CacheFallbackTTL: "not-a-duration"}}, wantErr: true, errMsg: "cache_fallback_ttl"},
+		{name: "CIMD enabled negative TTL rejected", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: true, CacheFallbackTTL: "-5m"}}, wantErr: true, errMsg: "cache_fallback_ttl"},
+		{name: "CIMD enabled valid passes", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: true, CacheMaxSize: 64, CacheFallbackTTL: "5m"}}},
+		{name: "CIMD enabled omitted optional fields pass", config: RunConfig{CIMD: &CIMDRunConfig{Enabled: true}}},
 	}
 
 	for _, tt := range tests {
@@ -589,3 +604,49 @@ func TestConfigApplyDefaults_BaselineClientScopes(t *testing.T) {
 		})
 	}
 }
+
+func TestConfigApplyDefaults_CIMD(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name            string
+		cfg             Config
+		wantMaxSize     int
+		wantFallbackTTL time.Duration
+	}{
+		{
+			name:            "CIMD enabled with zero fields applies defaults",
+			cfg:             Config{Issuer: "https://example.com", CIMDEnabled: true},
+			wantMaxSize:     256,
+			wantFallbackTTL: 5 * time.Minute,
+		},
+		{
+			name: "CIMD enabled preserves non-zero values",
+			cfg: Config{
+				Issuer:               "https://example.com",
+				CIMDEnabled:          true,
+				CIMDCacheMaxSize:     128,
+				CIMDCacheFallbackTTL: 10 * time.Minute,
+			},
+			wantMaxSize:     128,
+			wantFallbackTTL: 10 * time.Minute,
+		},
+		{
+			name:            "CIMD disabled leaves zero fields unchanged",
+			cfg:             Config{Issuer: "https://example.com", CIMDEnabled: false},
+			wantMaxSize:     0,
+			wantFallbackTTL: 0,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			cfg := tt.cfg
+			err := cfg.applyDefaults()
+			require.NoError(t, err)
+			require.Equal(t, tt.wantMaxSize, cfg.CIMDCacheMaxSize)
+			require.Equal(t, tt.wantFallbackTTL, cfg.CIMDCacheFallbackTTL)
+		})
+	}
+}

docs/server/swagger.yaml

@@ -176,6 +176,8 @@ func newEmbeddedAuthServerWithStorage(
 	// here once at the boundary lets all downstream stages share by reference
 	// safely. Cost is negligible — each slice is bounded by validation (≤10
 	// for BaselineClientScopes, low cardinality in practice for the others).
+	cimdEnabled, cimdCacheMaxSize, cimdCacheFallbackTTL := resolveCIMDConfig(cfg.CIMD)
+
 	resolvedCfg := authserver.Config{
 		Issuer:                       cfg.Issuer,
 		AuthorizationEndpointBaseURL: cfg.AuthorizationEndpointBaseURL,
@@ -188,6 +190,9 @@ func newEmbeddedAuthServerWithStorage(
 		ScopesSupported:              slices.Clone(cfg.ScopesSupported),
 		BaselineClientScopes:         slices.Clone(cfg.BaselineClientScopes),
 		AllowedAudiences:             slices.Clone(cfg.AllowedAudiences),
+		CIMDEnabled:                  cimdEnabled,
+		CIMDCacheMaxSize:             cimdCacheMaxSize,
+		CIMDCacheFallbackTTL:         cimdCacheFallbackTTL,
 	}
 
 	// 7. Create the auth server. authserver.New also asserts the DCR
@@ -782,6 +787,27 @@ func convertRedisTLSRunConfig(rc *storage.RedisTLSRunConfig) (*tcredis.TLSConfig
 	return cfg, nil
 }
 
+// resolveCIMDConfig extracts CIMD settings from a CIMDRunConfig.
+// Returns zero values when cfg is nil (CIMD disabled).
+// The CacheFallbackTTL string is parsed to time.Duration; callers must ensure
+// CIMDRunConfig.Validate() has already been called so the string is well-formed.
+func resolveCIMDConfig(cfg *authserver.CIMDRunConfig) (enabled bool, cacheMaxSize int, cacheFallbackTTL time.Duration) {
+	if cfg == nil {
+		return false, 0, 0
+	}
+	var ttl time.Duration
+	if cfg.CacheFallbackTTL != "" {
+		var err error
+		ttl, err = time.ParseDuration(cfg.CacheFallbackTTL)
+		if err != nil {
+			// Should not happen when called after CIMDRunConfig.Validate().
+			slog.Warn("invalid cimd cache_fallback_ttl, zero will be replaced by default",
+				"value", cfg.CacheFallbackTTL, "err", err)
+		}
+	}
+	return cfg.Enabled, cfg.CacheMaxSize, ttl
+}
+
 // resolveEnvVar reads a value from the named environment variable.
 func resolveEnvVar(envVar string) (string, error) {
 	if envVar == "" {