From 1c8e10723623b2a722d3227701396bfe87132f75 Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 6 Apr 2026 22:31:34 -0700
Subject: [PATCH 1/4] feat: enable custom STS endpoint URL

---
 crates/sts/src/route_handler.rs | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/crates/sts/src/route_handler.rs b/crates/sts/src/route_handler.rs
index 7aae62e..298e57f 100644
--- a/crates/sts/src/route_handler.rs
+++ b/crates/sts/src/route_handler.rs
@@ -27,13 +27,14 @@ impl RouteHandler for StsHandler {
 
 /// Extension trait for registering STS routes on a [`Router`].
 pub trait StsRouterExt {
- /// Register the STS handler on the root path (`/`).
+ /// Register the STS handler on the given `path`.
 ///
 /// STS requests are identified by query parameters
- /// (`Action=AssumeRoleWithWebIdentity`), not by path, and clients
- /// always send them to `/`.
+ /// (`Action=AssumeRoleWithWebIdentity`), not by path, so any path
+ /// can be used (e.g. `"/"` or `"/.sts"`).
 fn with_sts(
 self,
+ path: &str,
 config: C,
 cache: JwksCache,
 key: Option,
@@ -43,11 +44,12 @@ pub trait StsRouterExt {
 impl StsRouterExt for Router {
 fn with_sts(
 self,
+ path: &str,
 config: C,
 cache: JwksCache,
 key: Option,
 ) -> Self {
- self.route("/", StsHandler { config, cache, key })
+ self.route(path, StsHandler { config, cache, key })
 }
 }
 
@@ -75,7 +77,7 @@ mod tests {
 
 fn test_router() -> Router {
 let cache = JwksCache::new(reqwest::Client::new(), std::time::Duration::from_secs(60));
- Router::new().with_sts(EmptyRegistry, cache, None)
+ Router::new().with_sts("/", EmptyRegistry, cache, None)
 }
 
 #[tokio::test]

From 9f5e64ce12f77fdd7c13bf25ac80e46dfd31a6e5 Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 6 Apr 2026 22:41:04 -0700
Subject: [PATCH 2/4] chore: update examples

---
 examples/cf-workers/src/lib.rs | 2 +-
 examples/lambda/src/main.rs | 2 +-
 examples/server/src/server.rs | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
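Review bot: The new `path` parameter has no contract beyond "any path can be used" — the doc comment says nothing about a required leading slash, trailing-slash handling, or whether `Router::route` matches exactly or by prefix — and the `impl StsRouterExt for Router` hunk forwards it to `self.route(path, …)` unchecked. This is the call that mounts the credential-issuing endpoint, so a caller passing `".sts"` or `"/.sts/"` by mistake would, as far as I can tell without seeing `Router::route`, get a route that is unreachable or matched differently from what the examples assume. I would extend the trait doc with `/// `path` must be absolute (start with `/`) and is handed to [`Router::route`] verbatim, so that method's matching rules apply unchanged.` and add `debug_assert!(path.starts_with('/'), "STS route path must start with '/'");` at the top of the impl body.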
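Review bot: `test_router()` still mounts the handler only at `"/"`, so the capability this patch adds — a non-root mount point, which the examples and crate docs now use as `"/.sts"` — is not exercised by any test in this module. Making the fixture take the mount point, `fn test_router(path: &str) -> Router {` … `Router::new().with_sts(path, EmptyRegistry, cache, None)`, would let an additional test mount at `"/.sts"` and check that an `Action=AssumeRoleWithWebIdentity` request to that path is handled while the same request to `/` is not. `mod tests` continues outside the hunk.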
diff --git a/examples/cf-workers/src/lib.rs b/examples/cf-workers/src/lib.rs
index f53bf3c..162d0d8 100644
--- a/examples/cf-workers/src/lib.rs
+++ b/examples/cf-workers/src/lib.rs
@@ -77,7 +77,7 @@ async fn fetch(req: web_sys::Request, env: Env, _ctx: Context) -> Result Result<(), Error> {
 if let (Some(signer), Some(issuer)) = (oidc_signer, oidc_issuer) {
 router = router.with_oidc_discovery(issuer, vec![signer]);
 }
- router = router.with_sts(sts_creds, jwks_cache, token_key.clone());
+ router = router.with_sts("/.sts", sts_creds, jwks_cache, token_key.clone());
 
 // Build the gateway with the router.
 let mut handler = ProxyGateway::new(backend, config.clone(), config, domain)
diff --git a/examples/server/src/server.rs b/examples/server/src/server.rs
index 5ca6c97..5d671e0 100644
--- a/examples/server/src/server.rs
+++ b/examples/server/src/server.rs
@@ -115,7 +115,7 @@ where
 if let (Some(signer), Some(issuer)) = (oidc_signer, oidc_issuer) {
 proxy_router = proxy_router.with_oidc_discovery(issuer, vec![signer]);
 }
- proxy_router = proxy_router.with_sts(sts_creds, jwks_cache, token_key.clone());
+ proxy_router = proxy_router.with_sts("/.sts", sts_creds, jwks_cache, token_key.clone());
 
 // Build the gateway with the router.
 let mut handler = ProxyGateway::new(

From e51299ff68cd52d514416eaad9ed6f9eea2515d1 Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 6 Apr 2026 22:57:41 -0700
Subject: [PATCH 3/4] chore: fix smoketests

---
 crates/sts/src/lib.rs | 2 +-
 tests/smoke/test_smoke.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/crates/sts/src/lib.rs b/crates/sts/src/lib.rs
index 9b3e54d..d2911a4 100644
--- a/crates/sts/src/lib.rs
+++ b/crates/sts/src/lib.rs
@@ -12,7 +12,7 @@
 //! use multistore_sts::route_handler::StsRouterExt;
 //!
 //! let router = Router::new()
-//! .with_sts(config, jwks_cache, token_key);
+//! .with_sts("/.sts", config, jwks_cache, token_key);
 //! ```
 //!
 //! # Flow
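Review bot: `"/.sts"` is now a bare literal repeated in the cf-workers, lambda and server examples, in the crate-level docs and in both Python test suites, and patches 3/4 of this series exist because the tests had to be updated to follow it. Exporting the value once from the STS crate, `pub const DEFAULT_STS_PATH: &str = "/.sts";`, and writing `proxy_router.with_sts(DEFAULT_STS_PATH, sts_creds, jwks_cache, token_key.clone());` here (and the matching `router.with_sts(…)` line in the lambda hunk) keeps the client-facing endpoint URL in one place. Operators should also be told that this path now lives inside the proxy's URL space: if the gateway consults the router before forwarding to the backend, a backend object or route at `/.sts` would be shadowed by the STS handler (inferred — the dispatch order is not visible in this hunk). The cf-workers section appears truncated in this rendering, so the `-`/`+` lines shown under its header read as the lambda `main` change.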
diff --git a/tests/smoke/test_smoke.py b/tests/smoke/test_smoke.py
index a683942..dc9735b 100644
--- a/tests/smoke/test_smoke.py
+++ b/tests/smoke/test_smoke.py
@@ -21,7 +21,7 @@ def assume_role(role_arn: str, oidc_token: str) -> dict:
 """Assume a role via the STS proxy and return parsed credentials."""
 resp = requests.get(
- DEPLOY_URL,
+ f"{DEPLOY_URL}/.sts",
 params={
 "Action": "AssumeRoleWithWebIdentity",
 "RoleArn": role_arn,

From cc46cb1b9e691d72e8d2d611e8e52294f23c0cc4 Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Mon, 6 Apr 2026 23:01:07 -0700
Subject: [PATCH 4/4] chore: fix integration tests

---
 tests/integration/test_integration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/test_integration.py b/tests/integration/test_integration.py
index c412362..01071b3 100644
--- a/tests/integration/test_integration.py
+++ b/tests/integration/test_integration.py
@@ -29,7 +29,7 @@ def assume_role(role_arn: str, oidc_token: str) -> dict:
 """Assume a role via the STS proxy and return parsed credentials."""
 resp = requests.get(
- PROXY_URL,
+ f"{PROXY_URL}/.sts",
 params={
 "Action": "AssumeRoleWithWebIdentity",
 "RoleArn": role_arn,
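Review bot: `f"{DEPLOY_URL}/.sts"` yields `…//.sts` whenever `DEPLOY_URL` is configured with a trailing slash, and whether the proxy still routes that to the STS handler is not visible here; the `f"{PROXY_URL}/.sts"` line in `test_integration.py` in the next patch has the same shape. Normalising once, `f"{DEPLOY_URL.rstrip('/')}/.sts"`, avoids depending on how the deployment URL was written, and putting the path in a module-level `STS_PATH = "/.sts"` next to `DEPLOY_URL` keeps the tests from drifting from the examples again. `assume_role` continues outside the hunk.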