Do not force to pass client id and secret for token exchange (#2531)

Those are optional for some endpoints such as sts, so no need to enforce them

Co-authored-by: taskbot <[email protected]>

Author: yrobla

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go

@@ -35,12 +35,14 @@ type TokenExchangeConfig struct {
 	TokenURL string `json:"tokenUrl"`
 
 	// ClientID is the OAuth 2.0 client identifier
-	// +kubebuilder:validation:Required
-	ClientID string `json:"clientId"`
+	// Optional for some token exchange flows (e.g., Google Cloud Workforce Identity)
+	// +optional
+	ClientID string `json:"clientId,omitempty"`
 
 	// ClientSecretRef is a reference to a secret containing the OAuth 2.0 client secret
-	// +kubebuilder:validation:Required
-	ClientSecretRef SecretKeyRef `json:"clientSecretRef"`
+	// Optional for some token exchange flows (e.g., Google Cloud Workforce Identity)
+	// +optional
+	ClientSecretRef *SecretKeyRef `json:"clientSecretRef,omitempty"`
 
 	// Audience is the target audience for the exchanged token
 	// +kubebuilder:validation:Required

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -37,7 +37,7 @@ func TestMCPExternalAuthConfigReconciler_calculateConfigHash(t *testing.T) {
 				TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 					TokenURL: "https://oauth.example.com/token",
 					ClientID: "test-client-id",
-					ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+					ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 						Name: "test-secret",
 						Key:  "client-secret",
 					},
@@ -53,7 +53,7 @@ func TestMCPExternalAuthConfigReconciler_calculateConfigHash(t *testing.T) {
 				TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 					TokenURL: "https://oauth.example.com/token",
 					ClientID: "test-client-id",
-					ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+					ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 						Name: "test-secret",
 						Key:  "client-secret",
 					},
@@ -88,7 +88,7 @@ func TestMCPExternalAuthConfigReconciler_calculateConfigHash(t *testing.T) {
 			TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 				TokenURL: "https://oauth.example.com/token",
 				ClientID: "client1",
-				ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+				ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 					Name: "secret1",
 					Key:  "key1",
 				},
@@ -100,7 +100,7 @@ func TestMCPExternalAuthConfigReconciler_calculateConfigHash(t *testing.T) {
 			TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 				TokenURL: "https://oauth.example.com/token",
 				ClientID: "client2",
-				ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+				ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 					Name: "secret2",
 					Key:  "key2",
 				},
@@ -137,7 +137,7 @@ func TestMCPExternalAuthConfigReconciler_Reconcile(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "test-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "test-secret",
 							Key:  "client-secret",
 						},
@@ -160,7 +160,7 @@ func TestMCPExternalAuthConfigReconciler_Reconcile(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "test-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "test-secret",
 							Key:  "client-secret",
 						},
@@ -268,7 +268,7 @@ func TestMCPExternalAuthConfigReconciler_findReferencingMCPServers(t *testing.T)
 			TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 				TokenURL: "https://oauth.example.com/token",
 				ClientID: "test-client",
-				ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+				ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 					Name: "test-secret",
 					Key:  "client-secret",
 				},
@@ -387,7 +387,7 @@ func TestGetExternalAuthConfigForMCPServer(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "test-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "test-secret",
 							Key:  "client-secret",
 						},
@@ -480,7 +480,7 @@ func TestMCPExternalAuthConfigReconciler_handleDeletion(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "test-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "test-secret",
 							Key:  "client-secret",
 						},
@@ -507,7 +507,7 @@ func TestMCPExternalAuthConfigReconciler_handleDeletion(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "test-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "test-secret",
 							Key:  "client-secret",
 						},
@@ -603,7 +603,7 @@ func TestMCPExternalAuthConfigReconciler_ConfigChangeTriggersReconciliation(t *t
 			TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 				TokenURL: "https://oauth.example.com/token",
 				ClientID: "test-client",
-				ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+				ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 					Name: "test-secret",
 					Key:  "client-secret",
 				},

cmd/thv-operator/controllers/mcpexternalauthconfig_controller_test.go

@@ -492,7 +492,7 @@ func TestHandleExternalAuthConfig(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://keycloak.com/token",
 						ClientID: "client-id",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "secret",
 							Key:  "key",
 						},
@@ -532,7 +532,7 @@ func TestHandleExternalAuthConfig(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://keycloak.com/token",
 						ClientID: "client-id",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "secret",
 							Key:  "key",
 						},

cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go

@@ -595,7 +595,7 @@ func TestBuildEnvVarsForProxy(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.com/token",
 						ClientID: "client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "secret",
 							Key:  "key",
 						},

cmd/thv-operator/controllers/mcpremoteproxy_deployment_test.go

@@ -185,7 +185,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://oauth.example.com/token",
 						ClientID: "client-id",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "oauth-secret",
 							Key:  "client-secret",
 						},
@@ -752,7 +752,7 @@ func TestGenerateTokenExchangeEnvVarsShared(t *testing.T) {
 			TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 				TokenURL: "https://oauth.com/token",
 				ClientID: "client-id",
-				ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+				ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 					Name: "secret",
 					Key:  "key",
 				},

cmd/thv-operator/controllers/mcpremoteproxy_reconciler_test.go

@@ -273,7 +273,7 @@ func TestCreateRunConfigFromMCPRemoteProxy_WithTokenExchange(t *testing.T) {
 					TokenExchange: &mcpv1alpha1.TokenExchangeConfig{
 						TokenURL: "https://keycloak.company.com/token",
 						ClientID: "exchange-client",
-						ClientSecretRef: mcpv1alpha1.SecretKeyRef{
+						ClientSecretRef: &mcpv1alpha1.SecretKeyRef{
 							Name: "exchange-creds",
 							Key:  "client-secret",
 						},