Translate identityFromToken from CRD to runtime config

[jhrozek]

Summary

• Phase 4 of the Snowflake / identityFromToken story (Cannot run a Snowflake MCP server behind ToolHive's MCPRemoteProxy #5150). The CRD field (Add identityFromToken to MCPExternalAuthConfig CRD #5269) and the OAuth2 provider integration (Wire identityFromToken into the OAuth2 upstream provider #5222) are both in main; this PR wires them together by threading the field through the two operator-side translation points that sit between them.
• cmd/thv-operator/pkg/controllerutil/ translates the v1beta1 OAuth2UpstreamConfig.IdentityFromToken block into the authserver run-config. Mirrors the existing tokenResponseMapping plumbing exactly.
• pkg/authserver/runner/'s embedded-auth-server bootstrapper translates the run-config field into the pkg/authserver/upstream.OAuth2Config the provider consumes. Same mechanical mirror.
• upstream.RegisterModifiers() is called once in NewEmbeddedAuthServer so @upstreamjwt gjson paths actually resolve in production deployments. Without this, modifier-bearing paths silently returned empty strings at runtime.

Closes #5157

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

New tests cover the all-fields and nil cases for both translation points. The embeddedauthserver_test.go additions verify the runner-layer translation; authserver_test.go covers the operator-side builder.

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

Additive only — threads an existing CRD field through two translation layers.

Does this introduce a user-facing change?

Yes. Operators who configure identityFromToken on an OAuth2 upstream in a VirtualMCPServer can now deploy to a real cluster and have the embedded auth server honour the field. Previously, the CRD accepted the config but it was silently discarded before reaching the provider.

Implementation plan

Approved implementation plan

Phase 4 of the Snowflake / identityFromToken story (#5150):

• Phase 1 (Add identity extractor for OAuth2 token responses #5200, merged): pure helper extractIdentityFromTokenResponse and the @upstreamjwt gjson modifier.
• Phase 2 (Add identityFromToken to MCPExternalAuthConfig CRD #5269, merged): IdentityFromTokenConfig CRD type on MCPExternalAuthConfig v1beta1.
• Phase 3 (Wire identityFromToken into the OAuth2 upstream provider #5222, merged): Wire the helper into BaseOAuth2Provider.ExchangeCodeForIdentity. New priority chain.
• Phase 4 (this PR, Translate identityFromToken from CRD to runtime config #5157): Operator-side translation from CRD to runtime config; RegisterModifiers() bootstrap call.
• Phase 5 (thv llm setup doesn't append provider path prefix for Envoy AI Gateway #5158): YAML examples.
• Phase 6 (Recognise identityFromToken in synthesis-mode detection #5159): Synthesis-mode-detection refinement.

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.34%. Comparing base (8c84c05) to head (3d7f96b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5280      +/-   ##
==========================================
+ Coverage   68.33%   68.34%   +0.01%     
==========================================
  Files         619      619              
  Lines       63325    63339      +14     
==========================================
+ Hits        43274    43290      +16     
+ Misses      16816    16815       -1     
+ Partials     3235     3234       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

sorry claude got PR horny