Document Cedar primary upstream provider selection#849
Draft
tgrunnagle wants to merge 1 commit intomainfrom
Conversation
Clarify how Cedar resolves its claim source when the embedded auth server is active: it reads upstream IDP claims only when the runtime config sets primary_upstream_provider, otherwise it falls back to claims on the original client request. Document the operator's default-to-first-upstream behavior on VirtualMCPServer, the new primaryUpstreamProvider override, and the rejection conditions that guard misconfiguration. Note that the field is a no-op on MCPServer and MCPRemoteProxy and surfaces an advisory condition.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Author
Will amend the next generated updates.

Contributor
Author
Will merge after generated updates for
Description
Documents how Cedar resolves its claim source when authorizing requests, with particular focus on the multi-upstream embedded auth server case on VirtualMCPServer. Three doc surfaces updated:

- rewrites the "How it works" steps under "Upstream identity provider claims" to enumerate the three claim-source cases: `primaryUpstreamProvider` set; unset with an embedded auth server (first upstream); unset with no embedded auth server (client request token). Adds a new "How the upstream provider is chosen" subsection that splits behavior between VirtualMCPServer and MCPServer/MCPRemoteProxy.
- adds a "Cedar authorization claim source" subsection in the embedded auth server section, documenting the default-to-first-upstream binding, the `AuthzUpstreamSelectionWarning` advisory condition, the `primaryUpstreamProvider` override syntax, and the two admission rejection conditions (`AuthzUpstreamUnknown`, `AuthzPrimaryProviderRequiresAuthServer`).
- note clarifying that the field is a no-op on MCPServer and MCPRemoteProxy (single-upstream model) and surfaces an `AuthzPrimaryUpstreamProviderIgnored` advisory.

Type of change
Related issues/PRs
Documents the new `incomingAuth.authzConfig.inline.primaryUpstreamProvider` field added by stacklok/toolhive#5199 and the existing operator-side default-to-first-upstream behavior that was previously undocumented.
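The claim-source rules and admission conditions the description lists can be read as one small decision procedure. The Go program below is an added example written for this page, not the ToolHive operator's own code: the `Spec` struct is a hypothetical flattened stand-in for the real CRD fields, the condition names are the ones named in the PR, and two details are this example's assumptions rather than documented behavior: the order in which the two rejections are checked, and that `AuthzUpstreamSelectionWarning` is surfaced only when the first-upstream default has more than one upstream to choose from. How MCPServer and MCPRemoteProxy pick a claim source is not described in the PR, so for those kinds the example only surfaces the advisory.

```go
package main

import (
	"errors"
	"fmt"
)

// Condition names as listed in the PR description.
const (
	CondUpstreamUnknown           = "AuthzUpstreamUnknown"
	CondPrimaryRequiresAuthServer = "AuthzPrimaryProviderRequiresAuthServer"
	CondUpstreamSelectionWarning  = "AuthzUpstreamSelectionWarning"
	CondPrimaryProviderIgnored    = "AuthzPrimaryUpstreamProviderIgnored"
)

// ClaimSource is where Cedar reads the claims it authorizes against.
type ClaimSource string

const (
	SourceUpstreamIDP   ClaimSource = "upstream-idp-claims"
	SourceClientRequest ClaimSource = "client-request-claims"
	SourceUnmodelled    ClaimSource = "" // single-upstream kinds: not described in the PR
)

// Spec is a hypothetical, flattened view of the fields the rules depend on.
// It is NOT the operator's CRD type.
type Spec struct {
	Kind                    string   // "VirtualMCPServer", "MCPServer" or "MCPRemoteProxy"
	EmbeddedAuthServer      bool     // whether an embedded auth server is configured
	Upstreams               []string // upstream IDP names, in declaration order
	PrimaryUpstreamProvider string   // incomingAuth.authzConfig.inline.primaryUpstreamProvider, "" if unset
}

// Resolution is the outcome for a spec that passes admission.
type Resolution struct {
	Source     ClaimSource
	Provider   string   // upstream whose claims Cedar reads; empty for the client token
	Advisories []string // non-fatal conditions surfaced on the resource
}

// RejectionError carries the admission condition that caused the rejection.
type RejectionError struct{ Condition string }

func (e *RejectionError) Error() string { return "admission rejected: " + e.Condition }

// Resolve applies the documented rules to a spec.
func Resolve(s Spec) (Resolution, error) {
	var adv []string

	if s.Kind != "VirtualMCPServer" {
		// MCPServer / MCPRemoteProxy: the field is a no-op that only surfaces an advisory.
		if s.PrimaryUpstreamProvider != "" {
			adv = append(adv, CondPrimaryProviderIgnored)
		}
		return Resolution{Source: SourceUnmodelled, Advisories: adv}, nil
	}

	if s.PrimaryUpstreamProvider != "" {
		// Assumption: the auth-server requirement is checked before the name lookup.
		if !s.EmbeddedAuthServer {
			return Resolution{}, &RejectionError{CondPrimaryRequiresAuthServer}
		}
		if !contains(s.Upstreams, s.PrimaryUpstreamProvider) {
			return Resolution{}, &RejectionError{CondUpstreamUnknown}
		}
		return Resolution{Source: SourceUpstreamIDP, Provider: s.PrimaryUpstreamProvider}, nil
	}

	if !s.EmbeddedAuthServer {
		// Unset with no embedded auth server: claims come from the original client request.
		return Resolution{Source: SourceClientRequest}, nil
	}
	if len(s.Upstreams) == 0 {
		return Resolution{}, errors.New("embedded auth server with no upstreams is not covered by this example")
	}
	// Default-to-first-upstream. Assumption: the warning is raised only when the
	// default is ambiguous, i.e. more than one upstream is configured.
	if len(s.Upstreams) > 1 {
		adv = append(adv, CondUpstreamSelectionWarning)
	}
	return Resolution{Source: SourceUpstreamIDP, Provider: s.Upstreams[0], Advisories: adv}, nil
}

func contains(xs []string, x string) bool {
	for _, v := range xs {
		if v == x {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: two upstreams, field unset, so the first one is bound with a warning.
	r, err := Resolve(Spec{Kind: "VirtualMCPServer", EmbeddedAuthServer: true, Upstreams: []string{"idp-a", "idp-b"}})
	fmt.Printf("%+v err=%v\n", r, err)
	// Constructed sample: override names an upstream that does not exist.
	_, err = Resolve(Spec{Kind: "VirtualMCPServer", EmbeddedAuthServer: true, Upstreams: []string{"idp-a"}, PrimaryUpstreamProvider: "idp-x"})
	fmt.Println(err)
}
```

Running the program shows the two outcomes an operator would see most often: the silent first-upstream default with its advisory, and the `AuthzUpstreamUnknown` rejection for a typo in the override, which is the misconfiguration the admission check is meant to catch before Cedar ever evaluates a request against the wrong provider's claims.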
Submitter checklist
Content and formatting
🤖 Generated with Claude Code