Skip to content

Improve OIDC env var validation: fail-fast during config validation instead of deferred launch error #3364

Description

@lpcox

Summary

When an HTTP MCP server uses auth.type: "github-oidc", the gateway currently validates the config structure during validateAuthConfig() (type is non-empty, type is "github-oidc"), but defers checking whether the required environment variables (ACTIONS_ID_TOKEN_REQUEST_URL, ACTIONS_ID_TOKEN_REQUEST_TOKEN) are actually present until launcher.New() startup time — or worse, until the first GetOrLaunch() call for that server.

This leads to a confusing failure mode: the gateway starts successfully, reports healthy, but then returns an error when the first request hits the OIDC server.

Related: github/gh-aw#25224 — the compiler does not forward these env vars into the gateway Docker container. Even after that compiler fix lands, the gateway should still validate early to catch misconfigurations.

Current Behavior

  1. Config validation (validateAuthConfig): Checks auth.type is "github-oidc" ✅, but does NOT check env vars
  2. launcher.New(): Logs an error if env vars missing, but does NOT fail startup — the server just won't work
  3. GetOrLaunch(): Returns fmt.Errorf("server %q requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set") on first request

The error only surfaces when a client tries to use the server, not at startup.

Proposed Improvement

1. Add env var check in validateAuthConfig

After validating auth.type == "github-oidc", check that the required env vars exist:

func validateAuthConfig(auth *AuthConfig, serverName, jsonPath string) error {
    // ... existing type validation ...

    if auth.Type == "github-oidc" {
        if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
            return rules.MissingRequired(
                "ACTIONS_ID_TOKEN_REQUEST_URL", "environment", authPath,
                "Server requires OIDC authentication but ACTIONS_ID_TOKEN_REQUEST_URL is not set. "+
                    "OIDC auth requires running in GitHub Actions with `permissions: { id-token: write }`")
        }
    }
    return nil
}

This gives a fail-fast validation error at config load time, consistent with how the gateway validates other environment dependencies (e.g., ${VAR} expansion).

2. Improve the launcher.New() startup error

The current code logs an error but continues:

// Current: logs error but does NOT fail
logger.LogError("startup", "Server %q requires OIDC authentication but ...")

Consider making this a startup failure (return error from New()) so the gateway does not start in a partially-broken state. At minimum, record the error in serverErrors so the /health endpoint reflects it immediately.

3. Update health endpoint

Ensure /health reports servers with missing OIDC as "status": "error" at startup, not only after the first failed request. The serverErrors map in the launcher should be populated during New() for OIDC-misconfigured servers.

Files to Change

  • internal/config/validation.go — Add OIDC env var check in validateAuthConfig()
  • internal/launcher/launcher.go — Record server error during New() for health reporting
  • internal/config/validation_test.go — Add test cases for missing OIDC env vars
  • internal/launcher/launcher_test.go — Update tests for early error recording

References

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions