Add AuthServerConfig validation condition to VirtualMCPServer reconciler

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -268,7 +268,7 @@ func (r *VirtualMCPServerReconciler) applyStatusUpdates(
 }
 
 // runValidations runs all pre-reconciliation validations (PodTemplateSpec, GroupRef,
-// CompositeToolRefs, EmbeddingServerRef).
+// CompositeToolRefs, EmbeddingServerRef, AuthServerConfig).
 // Returns (true, nil) to continue reconciliation.
 // Returns (false, nil) for spec validation errors that should NOT trigger requeue
 // (user must fix the spec; next reconciliation is triggered by spec changes).
@@ -321,6 +321,16 @@ func (r *VirtualMCPServerReconciler) runValidations(
 		}
 	}
 
+	// Validate inline AuthServerConfig (when specified).
+	// Structural validation is handled by CRD Validate() — just set the success condition.
+	if vmcp.Spec.AuthServerConfig != nil {
+		statusManager.SetAuthServerConfigValidatedCondition(
+			mcpv1alpha1.ConditionReasonAuthServerConfigValid,
+			"AuthServerConfig is valid",
+			metav1.ConditionTrue,
+		)
+	}
+
 	return true, nil
 }
 
@@ -2243,12 +2253,16 @@ func (*VirtualMCPServerReconciler) vmcpReferencesToolConfig(vmcp *mcpv1alpha1.Vi
 }
 
 // vmcpReferencesExternalAuthConfig checks if a VirtualMCPServer references the given MCPExternalAuthConfig.
-// It checks both inline references (in outgoingAuth spec) and discovered references (via MCPServers in the group).
+// It checks authServerConfigRef, inline references (in outgoingAuth spec), and discovered references
+// (via MCPServers in the group).
 func (r *VirtualMCPServerReconciler) vmcpReferencesExternalAuthConfig(
 	ctx context.Context,
 	vmcp *mcpv1alpha1.VirtualMCPServer,
 	authConfigName string,
 ) bool {
+	// Note: AuthServerConfig is inline (not a ref), so it doesn't reference
+	// MCPExternalAuthConfig resources. Only outgoing auth refs are checked here.
+
 	if vmcp.Spec.OutgoingAuth == nil {
 		return false
 	}

cmd/thv-operator/pkg/virtualmcpserverstatus/collector.go

@@ -132,6 +132,11 @@ func (s *StatusCollector) SetEmbeddingServerReadyCondition(reason, message strin
 	s.SetCondition(mcpv1alpha1.ConditionTypeEmbeddingServerReady, reason, message, status)
 }
 
+// SetAuthServerConfigValidatedCondition sets the AuthServerConfigValidated condition.
+func (s *StatusCollector) SetAuthServerConfigValidatedCondition(reason, message string, status metav1.ConditionStatus) {
+	s.SetCondition(mcpv1alpha1.ConditionTypeAuthServerConfigValidated, reason, message, status)
+}
+
 // SetDiscoveredBackends sets the discovered backends list to be updated.
 func (s *StatusCollector) SetDiscoveredBackends(backends []mcpv1alpha1.DiscoveredBackend) {
 	s.discoveredBackends = backends

cmd/thv-operator/pkg/virtualmcpserverstatus/types.go

@@ -59,6 +59,9 @@ type StatusManager interface {
 	// SetEmbeddingServerReadyCondition sets the EmbeddingServerReady condition
 	SetEmbeddingServerReadyCondition(reason, message string, status metav1.ConditionStatus)
 
+	// SetAuthServerConfigValidatedCondition sets the AuthServerConfigValidated condition
+	SetAuthServerConfigValidatedCondition(reason, message string, status metav1.ConditionStatus)
+
 	// SetDiscoveredBackends sets the discovered backends list
 	SetDiscoveredBackends(backends []mcpv1alpha1.DiscoveredBackend)
 

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml

@@ -1405,6 +1405,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                subjectProviderName:
+                                  description: |-
+                                    SubjectProviderName is the upstream provider name whose token is used as the
+                                    RFC 8693 subject token instead of identity.Token when performing token exchange.
+                                    When set, the strategy looks up the provider's access token from
+                                    identity.UpstreamTokens rather than using the incoming bearer token.
+                                  type: string
                                 subjectTokenType:
                                   description: |-
                                     SubjectTokenType is the token type of the incoming subject token.
@@ -1419,8 +1426,21 @@ spec:
                               type: object
                             type:
                               description: 'Type is the auth strategy: "unauthenticated",
-                                "header_injection", "token_exchange"'
+                                "header_injection", "token_exchange", "upstream_inject"'
                               type: string
+                            upstreamInject:
+                              description: |-
+                                UpstreamInject contains configuration for upstream inject auth strategy.
+                                Used when Type = "upstream_inject".
+                              properties:
+                                providerName:
+                                  description: |-
+                                    ProviderName is the name of the upstream provider configured in the
+                                    embedded authorization server. Must match an entry in AuthServer.Upstreams.
+                                  type: string
+                              required:
+                              - providerName
+                              type: object
                           required:
                           - type
                           type: object
@@ -1481,6 +1501,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              subjectProviderName:
+                                description: |-
+                                  SubjectProviderName is the upstream provider name whose token is used as the
+                                  RFC 8693 subject token instead of identity.Token when performing token exchange.
+                                  When set, the strategy looks up the provider's access token from
+                                  identity.UpstreamTokens rather than using the incoming bearer token.
+                                type: string
                               subjectTokenType:
                                 description: |-
                                   SubjectTokenType is the token type of the incoming subject token.
@@ -1495,8 +1522,21 @@ spec:
                             type: object
                           type:
                             description: 'Type is the auth strategy: "unauthenticated",
-                              "header_injection", "token_exchange"'
+                              "header_injection", "token_exchange", "upstream_inject"'
                             type: string
+                          upstreamInject:
+                            description: |-
+                              UpstreamInject contains configuration for upstream inject auth strategy.
+                              Used when Type = "upstream_inject".
+                            properties:
+                              providerName:
+                                description: |-
+                                  ProviderName is the name of the upstream provider configured in the
+                                  embedded authorization server. Must match an entry in AuthServer.Upstreams.
+                                type: string
+                            required:
+                            - providerName
+                            type: object
                         required:
                         - type
                         type: object

deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml

@@ -1408,6 +1408,13 @@ spec:
                                   items:
                                     type: string
                                   type: array
+                                subjectProviderName:
+                                  description: |-
+                                    SubjectProviderName is the upstream provider name whose token is used as the
+                                    RFC 8693 subject token instead of identity.Token when performing token exchange.
+                                    When set, the strategy looks up the provider's access token from
+                                    identity.UpstreamTokens rather than using the incoming bearer token.
+                                  type: string
                                 subjectTokenType:
                                   description: |-
                                     SubjectTokenType is the token type of the incoming subject token.
@@ -1422,8 +1429,21 @@ spec:
                               type: object
                             type:
                               description: 'Type is the auth strategy: "unauthenticated",
-                                "header_injection", "token_exchange"'
+                                "header_injection", "token_exchange", "upstream_inject"'
                               type: string
+                            upstreamInject:
+                              description: |-
+                                UpstreamInject contains configuration for upstream inject auth strategy.
+                                Used when Type = "upstream_inject".
+                              properties:
+                                providerName:
+                                  description: |-
+                                    ProviderName is the name of the upstream provider configured in the
+                                    embedded authorization server. Must match an entry in AuthServer.Upstreams.
+                                  type: string
+                              required:
+                              - providerName
+                              type: object
                           required:
                           - type
                           type: object
@@ -1484,6 +1504,13 @@ spec:
                                 items:
                                   type: string
                                 type: array
+                              subjectProviderName:
+                                description: |-
+                                  SubjectProviderName is the upstream provider name whose token is used as the
+                                  RFC 8693 subject token instead of identity.Token when performing token exchange.
+                                  When set, the strategy looks up the provider's access token from
+                                  identity.UpstreamTokens rather than using the incoming bearer token.
+                                type: string
                               subjectTokenType:
                                 description: |-
                                   SubjectTokenType is the token type of the incoming subject token.
@@ -1498,8 +1525,21 @@ spec:
                             type: object
                           type:
                             description: 'Type is the auth strategy: "unauthenticated",
-                              "header_injection", "token_exchange"'
+                              "header_injection", "token_exchange", "upstream_inject"'
                             type: string
+                          upstreamInject:
+                            description: |-
+                              UpstreamInject contains configuration for upstream inject auth strategy.
+                              Used when Type = "upstream_inject".
+                            properties:
+                              providerName:
+                                description: |-
+                                  ProviderName is the name of the upstream provider configured in the
+                                  embedded authorization server. Must match an entry in AuthServer.Upstreams.
+                                type: string
+                            required:
+                            - providerName
+                            type: object
                         required:
                         - type
                         type: object

pkg/authserver/runner/embeddedauthserver.go

@@ -141,6 +141,17 @@ func (e *EmbeddedAuthServer) UpstreamTokenRefresher() storage.UpstreamTokenRefre
 	return e.server.UpstreamTokenRefresher()
 }
 
+// RegisterHandlers registers the authorization server's HTTP routes on the given mux.
+// The AS owns its route paths — adding new endpoints in the future does not require
+// changes to the caller.
+func (e *EmbeddedAuthServer) RegisterHandlers(mux *http.ServeMux) {
+	handler := e.Handler()
+	mux.Handle("/.well-known/openid-configuration", handler)
+	mux.Handle("/.well-known/oauth-authorization-server", handler)
+	mux.Handle("/.well-known/jwks.json", handler)
+	mux.Handle("/oauth/", handler)
+}
+
 // createKeyProvider creates a KeyProvider from SigningKeyRunConfig.
 // Returns a GeneratingProvider if config is nil or empty (development mode).
 func createKeyProvider(cfg *authserver.SigningKeyRunConfig) (keys.KeyProvider, error) {

pkg/vmcp/auth/types/types.go

@@ -10,8 +10,16 @@
 // Types defined here include:
 //   - Strategy type constants (StrategyTypeUnauthenticated, etc.)
 //   - Backend auth configuration structs (BackendAuthStrategy, etc.)
+//   - Sentinel errors for strategy error handling
 package types
 
+import "errors"
+
+// ErrUpstreamTokenNotFound is returned when an upstream IDP token is not found
+// in identity.UpstreamTokens for the requested provider. Callers should check
+// with errors.Is() and wrap with %w at the call site.
+var ErrUpstreamTokenNotFound = errors.New("upstream token not found")
+
 // Strategy type identifiers used to identify authentication strategies.
 const (
 	// StrategyTypeUnauthenticated identifies the unauthenticated strategy.
@@ -27,6 +35,11 @@ const (
 	// This strategy exchanges an incoming token for a new token to use
 	// when authenticating to the backend service.
 	StrategyTypeTokenExchange = "token_exchange"
+
+	// StrategyTypeUpstreamInject identifies the upstream inject strategy.
+	// This strategy injects an upstream IDP token obtained by the embedded
+	// authorization server into requests to the backend service.
+	StrategyTypeUpstreamInject = "upstream_inject"
 )
 
 // BackendAuthStrategy defines how to authenticate to a specific backend.
@@ -36,7 +49,7 @@ const (
 // +kubebuilder:object:generate=true
 // +gendoc
 type BackendAuthStrategy struct {
-	// Type is the auth strategy: "unauthenticated", "header_injection", "token_exchange"
+	// Type is the auth strategy: "unauthenticated", "header_injection", "token_exchange", "upstream_inject"
 	Type string `json:"type" yaml:"type"`
 
 	// HeaderInjection contains configuration for header injection auth strategy.
@@ -46,6 +59,10 @@ type BackendAuthStrategy struct {
 	// TokenExchange contains configuration for token exchange auth strategy.
 	// Used when Type = "token_exchange".
 	TokenExchange *TokenExchangeConfig `json:"tokenExchange,omitempty" yaml:"tokenExchange,omitempty"`
+
+	// UpstreamInject contains configuration for upstream inject auth strategy.
+	// Used when Type = "upstream_inject".
+	UpstreamInject *UpstreamInjectConfig `json:"upstreamInject,omitempty" yaml:"upstreamInject,omitempty"`
 }
 
 // HeaderInjectionConfig configures the header injection auth strategy.
@@ -94,4 +111,22 @@ type TokenExchangeConfig struct {
 	// SubjectTokenType is the token type of the incoming subject token.
 	// Defaults to "urn:ietf:params:oauth:token-type:access_token" if not specified.
 	SubjectTokenType string `json:"subjectTokenType,omitempty" yaml:"subjectTokenType,omitempty"`
+
+	// SubjectProviderName is the upstream provider name whose token is used as the
+	// RFC 8693 subject token instead of identity.Token when performing token exchange.
+	// When set, the strategy looks up the provider's access token from
+	// identity.UpstreamTokens rather than using the incoming bearer token.
+	// +optional
+	SubjectProviderName string `json:"subjectProviderName,omitempty" yaml:"subjectProviderName,omitempty"`
+}
+
+// UpstreamInjectConfig configures the upstream inject auth strategy.
+// This strategy uses the embedded authorization server to obtain and inject
+// upstream IDP tokens into backend requests.
+// +kubebuilder:object:generate=true
+// +gendoc
+type UpstreamInjectConfig struct {
+	// ProviderName is the name of the upstream provider configured in the
+	// embedded authorization server. Must match an entry in AuthServer.Upstreams.
+	ProviderName string `json:"providerName" yaml:"providerName"`
 }