Wire CIMD config through embedded AS and enable storage decorator

Phase 2 PR 3 — config threading and server wiring.

Config chain: RunConfig.CIMD → Config.CIMD* → AuthorizationServerParams
→ AuthorizationServerConfig → discovery handler.

Changes:
- config.go: add CIMDRunConfig struct and CIMD* fields to Config;
  defaults (256 entries, 5 min fallback TTL) applied in applyDefaults();
  validation (cacheMaxSize >= 1 when enabled) in Validate()
- runner/embeddedauthserver.go: add resolveCIMDConfig helper to unpack
  nullable *CIMDRunConfig; populate Config.CIMD* from RunConfig.CIMD
- server/provider.go: add CIMDEnabled to AuthorizationServerParams and
  AuthorizationServerConfig; wire through NewAuthorizationServerConfig
- server_impl.go: wrap storage with CIMDStorageDecorator when enabled
  (after legacy migration, before createProvider — decorator must be in
  place before fosite holds a reference to the storage instance);
  pass CIMDEnabled to AuthorizationServerParams
- server/handlers/discovery.go: set ClientIDMetadataDocumentSupported
  in buildOAuthMetadata() — both OAuth AS and OIDC discovery endpoints
  advertise CIMD support when enabled

CIMD is opt-in (disabled by default) to avoid introducing outbound
HTTPS fetching in existing deployments without explicit operator action.

Relates to #4825

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: amirejaz

pkg/authserver/config.go

@@ -90,6 +90,11 @@ type RunConfig struct {
 	// Storage configures the storage backend for the auth server.
 	// If nil, defaults to in-memory storage.
 	Storage *storage.RunConfig `json:"storage,omitempty" yaml:"storage,omitempty"`
+
+	// CIMD controls client_id metadata document support. When enabled, the
+	// embedded authorization server accepts HTTPS URLs as client_id values
+	// and resolves them via the CIMD protocol instead of requiring DCR.
+	CIMD *CIMDRunConfig `json:"cimd,omitempty" yaml:"cimd,omitempty"`
 }
 
 // Validate checks that the on-disk RunConfig is internally consistent. Called
@@ -118,6 +123,22 @@ func (c *RunConfig) validateBaselineClientScopes() error {
 	return registration.ValidateScopeSubset(c.BaselineClientScopes, effective, "baseline_client_scopes")
 }
 
+// CIMDRunConfig controls client_id metadata document (CIMD) support.
+type CIMDRunConfig struct {
+	// Enabled activates CIMD client lookup when true.
+	Enabled bool `json:"enabled" yaml:"enabled"`
+
+	// CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+	// Defaults to 256 when Enabled is true and this field is zero.
+	CacheMaxSize int `json:"cache_max_size,omitempty" yaml:"cache_max_size,omitempty"`
+
+	// CacheFallbackTTL is how long a cached CIMD document is considered valid when
+	// the fetched document carries no Cache-Control header.
+	// Defaults to 5 minutes when Enabled is true and this field is zero.
+	//nolint:lll // field tags require full JSON+YAML names
+	CacheFallbackTTL time.Duration `json:"cache_fallback_ttl,omitempty" yaml:"cache_fallback_ttl,omitempty" swaggertype:"string" example:"5m"`
+}
+
 // SigningKeyRunConfig configures where to load signing keys from.
 // Keys are loaded from PEM-encoded files on disk (typically mounted from secrets).
 type SigningKeyRunConfig struct {
@@ -537,6 +558,20 @@ type Config struct {
 	// When empty, any request with a "resource" parameter will be rejected with
 	// "invalid_target". Configure this for proper MCP specification compliance.
 	AllowedAudiences []string
+
+	// CIMDEnabled enables the CIMD storage decorator so the authorization server
+	// accepts HTTPS URLs as client_id values without prior DCR registration.
+	CIMDEnabled bool
+
+	// CIMDCacheMaxSize is the maximum number of CIMD documents held in the LRU
+	// cache. Zero is replaced by a default (256) in applyDefaults when CIMDEnabled
+	// is true.
+	CIMDCacheMaxSize int
+
+	// CIMDCacheFallbackTTL is the TTL applied to cached CIMD documents that carry
+	// no Cache-Control header. Zero is replaced by a default (5 minutes) in
+	// applyDefaults when CIMDEnabled is true.
+	CIMDCacheFallbackTTL time.Duration
 }
 
 // Validate checks that the Config is valid.
@@ -589,6 +624,10 @@ func (c *Config) Validate() error {
 		}
 	}
 
+	if c.CIMDEnabled && c.CIMDCacheMaxSize < 1 {
+		return fmt.Errorf("cimd.cache_max_size must be >= 1 when CIMD is enabled")
+	}
+
 	slog.Debug("authserver config validation passed",
 		"issuer", c.Issuer,
 		"upstream_count", len(c.Upstreams),
@@ -819,6 +858,12 @@ func (c *Config) applyDefaults() error {
 		c.ScopesSupported = registration.DefaultScopes
 		slog.Debug("applied default scopes_supported", "scopes", c.ScopesSupported)
 	}
+	if c.CIMDEnabled && c.CIMDCacheMaxSize == 0 {
+		c.CIMDCacheMaxSize = 256
+	}
+	if c.CIMDEnabled && c.CIMDCacheFallbackTTL == 0 {
+		c.CIMDCacheFallbackTTL = 5 * time.Minute
+	}
 	return nil
 }
 

pkg/authserver/runner/embeddedauthserver.go

@@ -176,6 +176,8 @@ func newEmbeddedAuthServerWithStorage(
 	// here once at the boundary lets all downstream stages share by reference
 	// safely. Cost is negligible — each slice is bounded by validation (≤10
 	// for BaselineClientScopes, low cardinality in practice for the others).
+	cimdEnabled, cimdCacheMaxSize, cimdCacheFallbackTTL := resolveCIMDConfig(cfg.CIMD)
+
 	resolvedCfg := authserver.Config{
 		Issuer:                       cfg.Issuer,
 		AuthorizationEndpointBaseURL: cfg.AuthorizationEndpointBaseURL,
@@ -188,6 +190,9 @@ func newEmbeddedAuthServerWithStorage(
 		ScopesSupported:              slices.Clone(cfg.ScopesSupported),
 		BaselineClientScopes:         slices.Clone(cfg.BaselineClientScopes),
 		AllowedAudiences:             slices.Clone(cfg.AllowedAudiences),
+		CIMDEnabled:                  cimdEnabled,
+		CIMDCacheMaxSize:             cimdCacheMaxSize,
+		CIMDCacheFallbackTTL:         cimdCacheFallbackTTL,
 	}
 
 	// 7. Create the auth server. authserver.New also asserts the DCR
@@ -782,6 +787,15 @@ func convertRedisTLSRunConfig(rc *storage.RedisTLSRunConfig) (*tcredis.TLSConfig
 	return cfg, nil
 }
 
+// resolveCIMDConfig extracts CIMD settings from a CIMDRunConfig.
+// Returns zero values when cfg is nil (CIMD disabled).
+func resolveCIMDConfig(cfg *authserver.CIMDRunConfig) (enabled bool, cacheMaxSize int, cacheFallbackTTL time.Duration) {
+	if cfg == nil {
+		return false, 0, 0
+	}
+	return cfg.Enabled, cfg.CacheMaxSize, cfg.CacheFallbackTTL
+}
+
 // resolveEnvVar reads a value from the named environment variable.
 func resolveEnvVar(envVar string) (string, error) {
 	if envVar == "" {

pkg/authserver/server/handlers/discovery.go

@@ -114,6 +114,8 @@ func (h *Handler) buildOAuthMetadata() sharedobauth.AuthorizationServerMetadata
 		},
 		CodeChallengeMethodsSupported:     []string{crypto.PKCEChallengeMethodS256},
 		TokenEndpointAuthMethodsSupported: []string{sharedobauth.TokenEndpointAuthMethodNone},
+
+		ClientIDMetadataDocumentSupported: h.config.CIMDEnabled,
 	}
 }
 

pkg/authserver/server/provider.go

@@ -67,6 +67,9 @@ type AuthorizationServerConfig struct {
 	// AuthorizationEndpointBaseURL overrides the base URL for the authorization_endpoint
 	// in the discovery document. When empty, defaults to the issuer (AccessTokenIssuer).
 	AuthorizationEndpointBaseURL string
+	// CIMDEnabled indicates that the CIMD storage decorator is active. When true,
+	// the discovery document advertises client_id_metadata_document_supported.
+	CIMDEnabled bool
 }
 
 // Factory is a constructor which is used to create an OAuth2 endpoint handler.
@@ -102,6 +105,9 @@ type AuthorizationServerParams struct {
 	// AuthorizationEndpointBaseURL overrides the base URL for the authorization_endpoint
 	// in the discovery document. When empty, defaults to Issuer.
 	AuthorizationEndpointBaseURL string
+	// CIMDEnabled indicates that the CIMD storage decorator is active. When true,
+	// the discovery document advertises client_id_metadata_document_supported.
+	CIMDEnabled bool
 }
 
 // validateIssuerURL validates that the issuer is a valid URL with http or https scheme
@@ -256,6 +262,7 @@ func NewAuthorizationServerConfig(cfg *AuthorizationServerParams) (*Authorizatio
 		ScopesSupported:              cfg.ScopesSupported,
 		BaselineClientScopes:         cfg.BaselineClientScopes,
 		AuthorizationEndpointBaseURL: cfg.AuthorizationEndpointBaseURL,
+		CIMDEnabled:                  cfg.CIMDEnabled,
 	}, nil
 }
 

pkg/authserver/server_impl.go

@@ -135,6 +135,7 @@ func newServer(ctx context.Context, cfg Config, stor storage.Storage, opts ...se
 		BaselineClientScopes:         cfg.BaselineClientScopes,
 		AllowedAudiences:             cfg.AllowedAudiences,
 		AuthorizationEndpointBaseURL: cfg.AuthorizationEndpointBaseURL,
+		CIMDEnabled:                  cfg.CIMDEnabled,
 	}
 	authServerConfig, err := oauthserver.NewAuthorizationServerConfig(oauthParams)
 	if err != nil {
@@ -147,10 +148,6 @@ func newServer(ctx context.Context, cfg Config, stor storage.Storage, opts ...se
 		"auth_code_lifespan", cfg.AuthCodeLifespan,
 	)
 
-	// Create fosite provider
-	slog.Debug("creating fosite OAuth2 provider")
-	fositeProvider := createProvider(authServerConfig, stor)
-
 	// Build ordered upstream provider list from all configured upstreams.
 	upstreams := make([]handlers.NamedUpstream, 0, len(cfg.Upstreams))
 	for i := range cfg.Upstreams {
@@ -173,6 +170,20 @@ func newServer(ctx context.Context, cfg Config, stor storage.Storage, opts ...se
 		return nil, err
 	}
 
+	// Wrap storage with the CIMD decorator before constructing the fosite provider
+	// so that GetClient calls for HTTPS client_id values are intercepted at the
+	// fosite level (not just the handler level).
+	if cfg.CIMDEnabled {
+		stor, err = storage.NewCIMDStorageDecorator(stor, true, cfg.CIMDCacheMaxSize, cfg.CIMDCacheFallbackTTL)
+		if err != nil {
+			return nil, fmt.Errorf("failed to initialize CIMD storage decorator: %w", err)
+		}
+	}
+
+	// Create fosite provider with the (possibly decorated) storage.
+	slog.Debug("creating fosite OAuth2 provider")
+	fositeProvider := createProvider(authServerConfig, stor)
+
 	handlerInstance, err := handlers.NewHandler(fositeProvider, authServerConfig, stor, upstreams)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create handler: %w", err)