stacklok
diff --git a/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 37 additions & 0 deletions b/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 37 additions & 0 deletions b/‎deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎docs/operator/crd-api.md‎
Lines changed: 23 additions & 0 deletions b/‎docs/operator/crd-api.md‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎pkg/authserver/upstream/oauth2.go‎
Lines changed: 8 additions & 15 deletions b/‎pkg/authserver/upstream/oauth2.go‎
Lines changed: 8 additions & 15 deletions
@@ -441,6 +441,43 @@ spec:
                                 token endpoint.
                               pattern: ^https?://.*$
                               type: string
+                            tokenResponseMapping:
+                              description: |-
+                                TokenResponseMapping configures custom field extraction from non-standard token responses.
+                                Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths
+                                instead of returning them at the top level. When set, ToolHive performs the token
+                                exchange HTTP call directly and extracts fields using the configured dot-notation paths.
+                                If nil, standard OAuth 2.0 token response parsing is used.
+                              properties:
+                                accessTokenPath:
+                                  description: |-
+                                    AccessTokenPath is the dot-notation path to the access token in the response.
+                                    Example: "authed_user.access_token"
+                                  minLength: 1
+                                  type: string
+                                expiresInPath:
+                                  description: |-
+                                    ExpiresInPath is the dot-notation path to the expires_in value (in seconds).
+                                    If not specified, defaults to "expires_in".
+                                  type: string
+                                refreshTokenPath:
+                                  description: |-
+                                    RefreshTokenPath is the dot-notation path to the refresh token in the response.
+                                    If not specified, defaults to "refresh_token".
+                                  type: string
+                                scopePath:
+                                  description: |-
+                                    ScopePath is the dot-notation path to the scope string in the response.
+                                    If not specified, defaults to "scope".
+                                  type: string
+                                tokenTypePath:
+                                  description: |-
+                                    TokenTypePath is the dot-notation path to the token type in the response.
+                                    If not specified, defaults to "token_type".
+                                  type: string
+                              required:
+                              - accessTokenPath
+                              type: object
                             userInfo:
                               description: |-
                                 UserInfo contains configuration for fetching user information from the upstream provider.
 
@@ -444,6 +444,43 @@ spec:
                                 token endpoint.
                               pattern: ^https?://.*$
                               type: string
+                            tokenResponseMapping:
+                              description: |-
+                                TokenResponseMapping configures custom field extraction from non-standard token responses.
+                                Some OAuth providers (e.g., GovSlack) nest token fields under non-standard paths
+                                instead of returning them at the top level. When set, ToolHive performs the token
+                                exchange HTTP call directly and extracts fields using the configured dot-notation paths.
+                                If nil, standard OAuth 2.0 token response parsing is used.
+                              properties:
+                                accessTokenPath:
+                                  description: |-
+                                    AccessTokenPath is the dot-notation path to the access token in the response.
+                                    Example: "authed_user.access_token"
+                                  minLength: 1
+                                  type: string
+                                expiresInPath:
+                                  description: |-
+                                    ExpiresInPath is the dot-notation path to the expires_in value (in seconds).
+                                    If not specified, defaults to "expires_in".
+                                  type: string
+                                refreshTokenPath:
+                                  description: |-
+                                    RefreshTokenPath is the dot-notation path to the refresh token in the response.
+                                    If not specified, defaults to "refresh_token".
+                                  type: string
+                                scopePath:
+                                  description: |-
+                                    ScopePath is the dot-notation path to the scope string in the response.
+                                    If not specified, defaults to "scope".
+                                  type: string
+                                tokenTypePath:
+                                  description: |-
+                                    TokenTypePath is the dot-notation path to the token type in the response.
+                                    If not specified, defaults to "token_type".
+                                  type: string
+                              required:
+                              - accessTokenPath
+                              type: object
                             userInfo:
                               description: |-
                                 UserInfo contains configuration for fetching user information from the upstream provider.
 
@@ -420,16 +420,13 @@ func (p *BaseOAuth2Provider) exchangeCodeForTokens(ctx context.Context, code, co
 	slog.Info("exchanging authorization code for tokens",
 		"token_endpoint", p.config.TokenEndpoint,
 		"has_pkce_verifier", codeVerifier != "",
-		"custom_mapping", p.config.TokenResponseMapping != nil,
 	)
 
-	// If custom token response mapping is configured, bypass oauth2 library
-	if p.config.TokenResponseMapping != nil {
-		return p.customExchangeCodeForTokens(ctx, code, codeVerifier)
-	}
-
-	// Inject our custom HTTP client into the context for oauth2 to use
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, p.httpClient)
+	// Wrap HTTP client with token response rewriter if mapping is configured.
+	// This normalizes non-standard responses (e.g., GovSlack's nested fields)
+	// before the oauth2 library parses them, keeping the standard exchange flow.
+	httpClient := wrapHTTPClientWithMapping(p.httpClient, p.config.TokenResponseMapping, p.config.TokenEndpoint)
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 
 	// Build exchange options
 	var opts []oauth2.AuthCodeOption
@@ -465,13 +462,9 @@ func (p *BaseOAuth2Provider) RefreshTokens(ctx context.Context, refreshToken, _
 		"token_endpoint", p.config.TokenEndpoint,
 	)
 
-	// If custom token response mapping is configured, bypass oauth2 library
-	if p.config.TokenResponseMapping != nil {
-		return p.customRefreshTokens(ctx, refreshToken)
-	}
-
-	// Inject our custom HTTP client into the context for oauth2 to use
-	ctx = context.WithValue(ctx, oauth2.HTTPClient, p.httpClient)
+	// Wrap HTTP client with token response rewriter if mapping is configured.
+	httpClient := wrapHTTPClientWithMapping(p.httpClient, p.config.TokenResponseMapping, p.config.TokenEndpoint)
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 
 	// Create an expired token with the refresh token to trigger refresh
 	expiredToken := &oauth2.Token{