Add OIDC incoming authenticator for vmcp

Implement IncomingAuthenticator interface using existing TokenValidator from
pkg/auth. This adapter validates JWT tokens from clients connecting to the
Virtual MCP Server and extracts identity information.

Related: #2377

Author: jhrozek

pkg/vmcp/auth/auth.go

@@ -9,9 +9,13 @@
 // registered at runtime.
 package auth
 
+//go:generate mockgen -destination=mocks/mock_token_authenticator.go -package=mocks github.com/stacklok/toolhive/pkg/vmcp/auth TokenAuthenticator
+
 import (
 	"context"
 	"net/http"
+
+	"github.com/golang-jwt/jwt/v5"
 )
 
 // IncomingAuthenticator handles authentication for clients connecting to the virtual MCP server.
@@ -93,6 +97,19 @@ type Identity struct {
 	Metadata map[string]string
 }
 
+// TokenAuthenticator validates JWT tokens and provides HTTP middleware for authentication.
+// This interface abstracts the token validation functionality from pkg/auth to enable
+// testing with mocks while the concrete *auth.TokenValidator implementation satisfies
+// this interface in production.
+type TokenAuthenticator interface {
+	// ValidateToken validates a token string and returns the claims.
+	ValidateToken(ctx context.Context, tokenString string) (jwt.MapClaims, error)
+
+	// Middleware returns an HTTP middleware function that validates tokens
+	// from the Authorization header and injects claims into the request context.
+	Middleware(next http.Handler) http.Handler
+}
+
 // Authorizer handles authorization decisions.
 // This integrates with ToolHive's existing Cedar-based authorization.
 type Authorizer interface {

pkg/vmcp/auth/incoming_oidc.go

@@ -0,0 +1,156 @@
+package auth
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v5"
+
+	"github.com/stacklok/toolhive/pkg/auth"
+)
+
+const (
+	// bearerTokenType is the token type used for Bearer authentication
+	bearerTokenType = "Bearer"
+)
+
+// OIDCIncomingAuthenticator is a minimal adapter that wraps ToolHive's existing
+// TokenValidator to implement the IncomingAuthenticator interface.
+//
+// This adapter provides a clean separation between OIDC token validation
+// (handled by TokenValidator) and the virtual MCP authentication interface.
+type OIDCIncomingAuthenticator struct {
+	validator TokenAuthenticator
+}
+
+// NewOIDCIncomingAuthenticator creates a new OIDC incoming authenticator.
+// Returns an error if the validator is nil.
+func NewOIDCIncomingAuthenticator(validator TokenAuthenticator) (*OIDCIncomingAuthenticator, error) {
+	if validator == nil {
+		return nil, errors.New("token validator cannot be nil")
+	}
+
+	return &OIDCIncomingAuthenticator{
+		validator: validator,
+	}, nil
+}
+
+// Authenticate validates the incoming HTTP request and extracts identity information.
+// It extracts the Bearer token from the Authorization header and validates it using
+// the underlying TokenValidator.
+func (o *OIDCIncomingAuthenticator) Authenticate(ctx context.Context, r *http.Request) (*Identity, error) {
+	// Get the token from the Authorization header
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return nil, errors.New("authorization header required")
+	}
+
+	// Check if the Authorization header has the Bearer prefix
+	bearerPrefix := bearerTokenType + " "
+	if !strings.HasPrefix(authHeader, bearerPrefix) {
+		return nil, errors.New("invalid authorization header format, expected 'Bearer <token>'")
+	}
+
+	// Extract the token
+	tokenString := strings.TrimPrefix(authHeader, bearerPrefix)
+	if tokenString == "" {
+		return nil, errors.New("empty token in authorization header")
+	}
+
+	// Validate the token using the underlying TokenValidator
+	claims, err := o.validator.ValidateToken(ctx, tokenString)
+	if err != nil {
+		return nil, fmt.Errorf("token validation failed: %w", err)
+	}
+
+	// Convert claims to Identity
+	identity, err := claimsToIdentity(claims)
+	if err != nil {
+		return nil, fmt.Errorf("invalid token claims: %w", err)
+	}
+	identity.Token = tokenString
+	identity.TokenType = bearerTokenType
+
+	return identity, nil
+}
+
+// Middleware returns an HTTP middleware that validates tokens and stores the
+// Identity in the request context. It wraps the TokenValidator's middleware
+// and converts the claims to an Identity.
+func (o *OIDCIncomingAuthenticator) Middleware() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		// Create a handler that processes claims and calls next
+		claimsHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Extract claims from context (set by TokenValidator middleware)
+			claims, ok := r.Context().Value(auth.ClaimsContextKey{}).(jwt.MapClaims)
+			if !ok {
+				// This should never happen if TokenValidator middleware worked correctly
+				http.Error(w, "internal error: claims not found in context", http.StatusInternalServerError)
+				return
+			}
+
+			// Convert claims to Identity
+			identity, err := claimsToIdentity(claims)
+			if err != nil {
+				http.Error(w, fmt.Sprintf("invalid token claims: %v", err), http.StatusUnauthorized)
+				return
+			}
+
+			// Extract the token from Authorization header for storage
+			authHeader := r.Header.Get("Authorization")
+			bearerPrefix := bearerTokenType + " "
+			if strings.HasPrefix(authHeader, bearerPrefix) {
+				identity.Token = strings.TrimPrefix(authHeader, bearerPrefix)
+				identity.TokenType = bearerTokenType
+			}
+
+			// Store Identity in context
+			ctx := WithIdentity(r.Context(), identity)
+
+			// Continue with the next handler
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+
+		// Wrap with TokenValidator's middleware
+		return o.validator.Middleware(claimsHandler)
+	}
+}
+
+// claimsToIdentity converts JWT claims to an Identity structure.
+// It extracts only the universal JWT fields (sub, name, email) and stores
+// all claims in the Claims map. Groups extraction is left to authorization
+// logic that can interpret provider-specific claim structures.
+//
+// Returns an error if the required 'sub' claim is missing or invalid, as mandated
+// by OpenID Connect Core 1.0 specification section 5.1.
+func claimsToIdentity(claims jwt.MapClaims) (*Identity, error) {
+	identity := &Identity{
+		Claims: make(map[string]any),
+		Groups: []string{}, // Empty slice, groups stay in Claims if present
+	}
+
+	// Store all claims for later use
+	for k, v := range claims {
+		identity.Claims[k] = v
+	}
+
+	// REQUIRED: Extract subject (sub claim is mandatory per OIDC Core 1.0 section 5.1)
+	sub, ok := claims["sub"].(string)
+	if !ok || sub == "" {
+		return nil, errors.New("missing or invalid 'sub' claim (required by OpenID Connect Core 1.0)")
+	}
+	identity.Subject = sub
+
+	if name, ok := claims["name"].(string); ok {
+		identity.Name = name
+	}
+
+	if email, ok := claims["email"].(string); ok {
+		identity.Email = email
+	}
+
+	return identity, nil
+}