Conversation
…ation - Make 7 hardcoded timeouts configurable via CLI flags and env vars with graceful fallback to defaults on invalid input - Integrate OIDC Discovery to auto-resolve OAuth endpoints from .well-known/openid-configuration with hardcoded path fallback - Add server-side token revocation (RFC 7009) to `token delete` with --local-only flag to skip remote revocation - Add getDurationConfig and getInt64Config config resolution helpers - Add ResolvedEndpoints struct and resolveEndpoints function - Add discovery_test.go with success and fallback scenario tests - Add revocation tests covering success, graceful degradation, and local-only mode Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
There was a problem hiding this comment.
Pull request overview
This PR enhances the CLI’s OAuth behavior by making network timeouts configurable, resolving OAuth/OIDC endpoints via OIDC Discovery (with fallback), and revoking tokens on the server during token delete before deleting them locally.
Changes:
- Added CLI flag + env-var configuration for multiple request timeouts and maximum response body size, with parsing helpers and tests.
- Introduced endpoint resolution via OIDC Discovery (
/.well-known/openid-configuration) with fallback to hardcoded/oauth/*paths, and updated flows to use resolved endpoints. - Updated
token deleteto attempt RFC 7009 token revocation (with--local-onlyto skip), and added revocation-focused tests.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| config.go | Adds configurable timeouts/body size, endpoint structs, and OIDC discovery-based endpoint resolution with fallback. |
| config_test.go | Adds unit tests for duration/int64 config parsing helpers. |
| main.go | Resolves endpoints at startup before running flows that rely on endpoint URLs. |
| main_test.go | Updates test config construction to include resolved endpoints and new config fields. |
| discovery_test.go | Adds tests for default endpoints and discovery success/fallback scenarios. |
| browser_flow.go | Switches browser flow URLs to cfg.Endpoints.* and uses configurable callback/token-exchange timeouts. |
| callback.go | Makes callback server timeout configurable via parameter (used by browser flow). |
| callback_test.go | Updates callback server helper to pass the callback timeout parameter. |
| device_flow.go | Switches device flow URLs to cfg.Endpoints.* and uses configurable timeouts/body size. |
| auth.go | Switches token verification/token exchange to resolved endpoints and configurable timeouts/body size. |
| userinfo.go | Uses cfg.Endpoints.UserinfoURL, configurable UserInfo timeout, and response body size limit. |
| tokens.go | Makes readResponseBody accept a configurable max size and updates call sites. |
| token_cmd.go | Adds server-side token revocation to token delete with --local-only option. |
| token_cmd_test.go | Updates existing delete tests and adds revocation behavior tests. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
…outs - Replace ResolvedEndpoints with oauth.Endpoints from SDK - Simplify resolveEndpoints to assign meta.Endpoints directly - Parallelize refresh and access token revocation with WaitGroup.Go - Drain response body in doRevoke for proper HTTP connection reuse - Accept 2xx status range in doRevoke instead of only 200 - Cap user-supplied timeout durations at 10 minutes - Add configurable --discovery-timeout and --revocation-timeout flags Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Include client_id and client_secret in RFC 7009 revocation requests - Return error from revokeTokenOnServer on refresh-only failure to prevent misleading "Token revoked on server." message - Wire test server into local-only test config for meaningful assertion - Assert TokenInfoURL in OIDC discovery success test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
tokens.go:50
readResponseBodyusesio.LimitReader, but it doesn’t detect when the response is truncated atmaxSize. That can turn an oversized response into a confusing JSON parse/format error later. Consider readingmaxSize+1and returning a clear "response body too large" error when the limit is exceeded.
// readResponseBody reads the response body with a size limit to guard against oversized responses.
func readResponseBody(resp *http.Response, maxSize int64) ([]byte, error) {
body, err := io.ReadAll(io.LimitReader(resp.Body, maxSize))
if err != nil {
return nil, fmt.Errorf("failed to read response body: %w", err)
}
return body, nil
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Limit io.Copy drain in doRevoke to 4KB to prevent unbounded reads - Cap MAX_RESPONSE_BODY_SIZE at 100MB to prevent OOM via io.ReadAll Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 14 out of 14 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
--callback-timeout 5m) and environment variables (e.g.CALLBACK_TIMEOUT=5m), with graceful fallback to defaults on invalid input/.well-known/openid-configurationusing the SDK'sdiscoverypackage, with transparent fallback to hardcoded paths for servers that don't support OIDC Discoverytoken deletenow revokes tokens on the server before local deletion, with--local-onlyflag to skip server revocation and graceful degradation when the server is unreachableDetails
Configurable Timeouts
TOKEN_EXCHANGE_TIMEOUT--token-exchange-timeout10sTOKEN_VERIFICATION_TIMEOUT--token-verification-timeout10sREFRESH_TOKEN_TIMEOUT--refresh-token-timeout10sDEVICE_CODE_REQUEST_TIMEOUT--device-code-request-timeout10sCALLBACK_TIMEOUT--callback-timeout2mUSERINFO_TIMEOUT--userinfo-timeout10sMAX_RESPONSE_BODY_SIZE--max-response-body-size1048576OIDC Discovery
/.well-known/openid-configurationon startup/oauth/authorize,/oauth/token, etc.) if discovery failsToken Revocation
--local-onlyflag skips network calls entirelyTest plan
make test— all existing + new tests passmake lint— 0 issuesgetDurationConfig/getInt64Confighelpersdiscovery_test.gowith success + 3 fallback scenarios (404, timeout, network error)🤖 Generated with Claude Code