stacklok
diff --git a/‎cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go‎
Lines changed: 29 additions & 0 deletions b/‎cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 20 additions & 0 deletions b/‎cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎cmd/thv-operator/pkg/controllerutil/authserver.go‎
Lines changed: 17 additions & 0 deletions b/‎cmd/thv-operator/pkg/controllerutil/authserver.go‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎cmd/thv-operator/pkg/controllerutil/authserver_test.go‎
Lines changed: 125 additions & 0 deletions b/‎cmd/thv-operator/pkg/controllerutil/authserver_test.go‎
Lines changed: 125 additions & 0 deletions
diff --git a/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 54 additions & 0 deletions b/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml‎
Lines changed: 54 additions & 0 deletions b/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml‎
Lines changed: 54 additions & 0 deletions
@@ -299,6 +299,10 @@ type EmbeddedAuthServerConfig struct {
 	// +listType=atomic
 	// +optional
 	BaselineClientScopes []string `json:"baselineClientScopes,omitempty"`
+
+	// CIMD configures Client ID Metadata Document support. When omitted, CIMD is disabled.
+	// +optional
+	CIMD *EmbeddedAuthServerCIMDConfig `json:"cimd,omitempty"`
 }
 
 // TokenLifespanConfig holds configuration for token lifetimes.
@@ -325,6 +329,31 @@ type TokenLifespanConfig struct {
 	AuthCodeLifespan string `json:"authCodeLifespan,omitempty"`
 }
 
+// EmbeddedAuthServerCIMDConfig configures Client ID Metadata Document (CIMD) support
+// on the embedded authorization server. When enabled, the AS accepts HTTPS URLs as
+// client_id values and resolves them via the CIMD protocol, allowing clients such as
+// VS Code to authenticate without prior Dynamic Client Registration.
+type EmbeddedAuthServerCIMDConfig struct {
+	// Enabled activates CIMD client lookup. When false (the default), the AS only
+	// accepts client_id values that were registered via DCR.
+	// +kubebuilder:default=false
+	Enabled bool `json:"enabled"`
+
+	// CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+	// Defaults to 256 when Enabled is true and this field is omitted.
+	// +kubebuilder:validation:Minimum=1
+	// +optional
+	CacheMaxSize int `json:"cacheMaxSize,omitempty"`
+
+	// CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+	// Cache-Control header parsing is not yet implemented; all entries use this value.
+	// Format: Go duration string (e.g. "5m", "10m", "1h").
+	// Defaults to 5 minutes when Enabled is true and this field is omitted.
+	// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
+	// +optional
+	CacheFallbackTTL string `json:"cacheFallbackTtl,omitempty"`
+}
+
 // UpstreamProviderType identifies the type of upstream Identity Provider.
 type UpstreamProviderType string
 
 
@@ -7,6 +7,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"time"
 
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -582,6 +583,22 @@ func BuildAuthServerRunConfig(
 	}
 	config.Storage = storageCfg
 
+	// Build CIMD configuration
+	if authConfig.CIMD != nil && authConfig.CIMD.Enabled {
+		cimdCfg := &authserver.CIMDRunConfig{
+			Enabled:      authConfig.CIMD.Enabled,
+			CacheMaxSize: authConfig.CIMD.CacheMaxSize,
+		}
+		if authConfig.CIMD.CacheFallbackTTL != "" {
+			ttl, err := time.ParseDuration(authConfig.CIMD.CacheFallbackTTL)
+			if err != nil {
+				return nil, fmt.Errorf("cimd.cacheFallbackTtl: %w", err)
+			}
+			cimdCfg.CacheFallbackTTL = ttl
+		}
+		config.CIMD = cimdCfg
+	}
+
 	return config, nil
 }
 
 
@@ -8,6 +8,7 @@ import (
 	"fmt"
 	"strings"
 	"testing"
+	"time"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -2645,3 +2646,127 @@ func TestValidateAndAddAuthServerRefOptions(t *testing.T) {
 		})
 	}
 }
+
+// TestBuildAuthServerRunConfig_CIMD verifies that BuildAuthServerRunConfig
+// correctly converts the CRD EmbeddedAuthServerCIMDConfig into
+// authserver.CIMDRunConfig. The four cases cover the nil path (CIMD off
+// by default), explicit values (fields are mapped and TTL is parsed), zero
+// optional fields (authserver applies its own defaults at startup), and an
+// invalid TTL string (returns a parse error).
+func TestBuildAuthServerRunConfig_CIMD(t *testing.T) {
+	t.Parallel()
+
+	// baseAuthConfig returns a minimal EmbeddedAuthServerConfig that is valid
+	// enough for BuildAuthServerRunConfig to proceed past signing-key and
+	// upstream validation without requiring real secrets.
+	baseAuthConfig := func(cimd *mcpv1beta1.EmbeddedAuthServerCIMDConfig) *mcpv1beta1.EmbeddedAuthServerConfig {
+		return &mcpv1beta1.EmbeddedAuthServerConfig{
+			Issuer: "https://auth.example.com",
+			SigningKeySecretRefs: []mcpv1beta1.SecretKeyRef{
+				{Name: "signing-key", Key: "private.pem"},
+			},
+			HMACSecretRefs: []mcpv1beta1.SecretKeyRef{
+				{Name: "hmac-secret", Key: "hmac"},
+			},
+			CIMD: cimd,
+		}
+	}
+
+	defaultAudiences := []string{"https://mcp.example.com"}
+	defaultScopes := []string{"openid", "offline_access"}
+
+	tests := []struct {
+		name        string
+		cimd        *mcpv1beta1.EmbeddedAuthServerCIMDConfig
+		wantCIMD    bool
+		wantErr     bool
+		errContains string
+		checkFunc   func(t *testing.T, got *authserver.CIMDRunConfig)
+	}{
+		{
+			name:     "nil CIMD leaves config.CIMD nil",
+			cimd:     nil,
+			wantCIMD: false,
+		},
+		{
+			name: "CIMD disabled leaves config.CIMD nil",
+			cimd: &mcpv1beta1.EmbeddedAuthServerCIMDConfig{
+				Enabled:          false,
+				CacheMaxSize:     100,
+				CacheFallbackTTL: "10m",
+			},
+			wantCIMD: false,
+		},
+		{
+			name: "CIMD enabled with explicit values maps all fields",
+			cimd: &mcpv1beta1.EmbeddedAuthServerCIMDConfig{
+				Enabled:          true,
+				CacheMaxSize:     512,
+				CacheFallbackTTL: "10m",
+			},
+			wantCIMD: true,
+			checkFunc: func(t *testing.T, got *authserver.CIMDRunConfig) {
+				t.Helper()
+				assert.True(t, got.Enabled)
+				assert.Equal(t, 512, got.CacheMaxSize)
+				assert.Equal(t, 10*time.Minute, got.CacheFallbackTTL)
+			},
+		},
+		{
+			name: "CIMD enabled with zero optional fields leaves defaults to authserver",
+			cimd: &mcpv1beta1.EmbeddedAuthServerCIMDConfig{
+				Enabled: true,
+			},
+			wantCIMD: true,
+			checkFunc: func(t *testing.T, got *authserver.CIMDRunConfig) {
+				t.Helper()
+				assert.True(t, got.Enabled)
+				assert.Zero(t, got.CacheMaxSize, "zero means authserver applies its own default at startup")
+				assert.Zero(t, got.CacheFallbackTTL, "zero means authserver applies its own default at startup")
+			},
+		},
+		{
+			name: "invalid CacheFallbackTTL returns parse error",
+			cimd: &mcpv1beta1.EmbeddedAuthServerCIMDConfig{
+				Enabled:          true,
+				CacheFallbackTTL: "not-a-duration",
+			},
+			wantErr:     true,
+			errContains: "cimd.cacheFallbackTtl",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			cfg, err := BuildAuthServerRunConfig(
+				"default", "test-server",
+				baseAuthConfig(tt.cimd),
+				defaultAudiences, defaultScopes,
+				"https://mcp.example.com",
+			)
+
+			if tt.wantErr {
+				require.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+				return
+			}
+
+			require.NoError(t, err)
+			require.NotNil(t, cfg)
+
+			if !tt.wantCIMD {
+				assert.Nil(t, cfg.CIMD, "expected config.CIMD to be nil")
+				return
+			}
+
+			require.NotNil(t, cfg.CIMD, "expected config.CIMD to be set")
+			if tt.checkFunc != nil {
+				tt.checkFunc(t, cfg.CIMD)
+			}
+		})
+	}
+}
@@ -237,6 +237,33 @@ spec:
                     maxItems: 10
                     type: array
                     x-kubernetes-list-type: atomic
+                  cimd:
+                    description: CIMD configures Client ID Metadata Document support.
+                      When omitted, CIMD is disabled.
+                    properties:
+                      cacheFallbackTtl:
+                        description: |-
+                          CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+                          Cache-Control header parsing is not yet implemented; all entries use this value.
+                          Format: Go duration string (e.g. "5m", "10m", "1h").
+                          Defaults to 5 minutes when Enabled is true and this field is omitted.
+                        pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
+                        type: string
+                      cacheMaxSize:
+                        description: |-
+                          CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+                          Defaults to 256 when Enabled is true and this field is omitted.
+                        minimum: 1
+                        type: integer
+                      enabled:
+                        default: false
+                        description: |-
+                          Enabled activates CIMD client lookup. When false (the default), the AS only
+                          accepts client_id values that were registered via DCR.
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
                   hmacSecretRefs:
                     description: |-
                       HMACSecretRefs references Kubernetes Secrets containing symmetric secrets for signing
@@ -1516,6 +1543,33 @@ spec:
                     maxItems: 10
                     type: array
                     x-kubernetes-list-type: atomic
+                  cimd:
+                    description: CIMD configures Client ID Metadata Document support.
+                      When omitted, CIMD is disabled.
+                    properties:
+                      cacheFallbackTtl:
+                        description: |-
+                          CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+                          Cache-Control header parsing is not yet implemented; all entries use this value.
+                          Format: Go duration string (e.g. "5m", "10m", "1h").
+                          Defaults to 5 minutes when Enabled is true and this field is omitted.
+                        pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
+                        type: string
+                      cacheMaxSize:
+                        description: |-
+                          CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+                          Defaults to 256 when Enabled is true and this field is omitted.
+                        minimum: 1
+                        type: integer
+                      enabled:
+                        default: false
+                        description: |-
+                          Enabled activates CIMD client lookup. When false (the default), the AS only
+                          accepts client_id values that were registered via DCR.
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
                   hmacSecretRefs:
                     description: |-
                       HMACSecretRefs references Kubernetes Secrets containing symmetric secrets for signing
 
@@ -110,6 +110,33 @@ spec:
                     maxItems: 10
                     type: array
                     x-kubernetes-list-type: atomic
+                  cimd:
+                    description: CIMD configures Client ID Metadata Document support.
+                      When omitted, CIMD is disabled.
+                    properties:
+                      cacheFallbackTtl:
+                        description: |-
+                          CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+                          Cache-Control header parsing is not yet implemented; all entries use this value.
+                          Format: Go duration string (e.g. "5m", "10m", "1h").
+                          Defaults to 5 minutes when Enabled is true and this field is omitted.
+                        pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
+                        type: string
+                      cacheMaxSize:
+                        description: |-
+                          CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+                          Defaults to 256 when Enabled is true and this field is omitted.
+                        minimum: 1
+                        type: integer
+                      enabled:
+                        default: false
+                        description: |-
+                          Enabled activates CIMD client lookup. When false (the default), the AS only
+                          accepts client_id values that were registered via DCR.
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
                   hmacSecretRefs:
                     description: |-
                       HMACSecretRefs references Kubernetes Secrets containing symmetric secrets for signing
@@ -3034,6 +3061,33 @@ spec:
                     maxItems: 10
                     type: array
                     x-kubernetes-list-type: atomic
+                  cimd:
+                    description: CIMD configures Client ID Metadata Document support.
+                      When omitted, CIMD is disabled.
+                    properties:
+                      cacheFallbackTtl:
+                        description: |-
+                          CacheFallbackTTL is the fixed TTL applied to every cached CIMD document.
+                          Cache-Control header parsing is not yet implemented; all entries use this value.
+                          Format: Go duration string (e.g. "5m", "10m", "1h").
+                          Defaults to 5 minutes when Enabled is true and this field is omitted.
+                        pattern: ^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$
+                        type: string
+                      cacheMaxSize:
+                        description: |-
+                          CacheMaxSize is the maximum number of CIMD documents held in the LRU cache.
+                          Defaults to 256 when Enabled is true and this field is omitted.
+                        minimum: 1
+                        type: integer
+                      enabled:
+                        default: false
+                        description: |-
+                          Enabled activates CIMD client lookup. When false (the default), the AS only
+                          accepts client_id values that were registered via DCR.
+                        type: boolean
+                    required:
+                    - enabled
+                    type: object
                   hmacSecretRefs:
                     description: |-
                       HMACSecretRefs references Kubernetes Secrets containing symmetric secrets for signing