Wire authserver DCR resolver and add structured logs (#5044)

* Wire authserver DCR resolver and add structured logs

Implements Phase 2 steps 2d/2g of the DCR story (#5039):

- EmbeddedAuthServer now owns an in-memory DCRCredentialStore and calls
  resolveDCRCredentials for any OAuth2 upstream with DCRConfig. The
  resolved ClientSecret is overlaid on the built upstream.OAuth2Config
  after buildPureOAuth2Config (whose signature and body remain
  intentionally unchanged) so that RFC 7591-obtained credentials flow
  through the same execution path as file/env-resolved secrets.
- Each UpstreamRunConfig element is shallow-copied and its OAuth2
  sub-config is deep-copied before DCR resolution, preserving the
  caller's RunConfig.Upstreams slice per .claude/rules/go-style.md
  "Copy Before Mutating Caller Input".
- resolveDCRCredentials emits structured logs: Debug on cache hit with
  dcr_age_days, an additional Warn when the cached registration exceeds
  dcrStaleAgeThreshold (90 days), and Error with a "step" attribute
  identifying which phase failed on every error path.
- The /oauth/register handler upgrades its success log to Info with
  upstream, issuer, client_id, software_id, token_endpoint_auth_method,
  and scopes. SoftwareID is threaded through DCRRequest validation so
  incoming "software_id" is captured. A small helper guards against a
  nil embedded *fosite.Config (a legitimate test-only condition).
- isTransientNetworkError's permanent-4xx branch now emits a Warn with
  a DCR remediation hint before returning false unchanged. The
  MonitoredTokenSource gains an optional SetUpstreamContext setter so
  the upstream and client_id fields can be threaded into the log
  without breaking the existing NewMonitoredTokenSource contract.
- Integration tests exercise the full DCR boot path against a mock AS,
  verify the cache-hit short-circuit issues zero additional HTTP
  requests, and assert the caller's original RunConfig.Upstreams slice
  element is unchanged across both calls.

Address authserver DCR review feedback

Fixes from the CODE_REVIEW_ISSUES.md review of commit 71c4f43:

Critical
- Wire upstream/client_id into MonitoredTokenSource so the DCR remediation
  warning carries meaningful correlation fields. Promote the fields to
  constructor parameters (replacing SetUpstreamContext) to remove the
  unsynchronized writer and force callers to supply them at construction.
- Runner populates the new fields from the RemoteAuthConfig, preferring
  the DCR-cached client_id over the statically configured one.

High
- /oauth/register handler drops the redundant upstream attribute that
  mirrored issuer, and omits issuer when empty rather than emitting a
  bare issuer="".
- Resolver no longer logs each error branch and then returns; it now
  wraps failures in a DCRStepError and the boundary caller
  (buildUpstreamConfigs) emits a single slog.Error via LogDCRStepError.
- The DCR-resolved ClientSecret is applied through a new
  applyResolutionToOAuth2Config helper paired with applyResolution, so
  the DCR application sites live side-by-side and future call sites
  cannot silently drop the secret.

Medium
- Remove the Type==OAuth2 guard that duplicated needsDCR's nil check.
- Cap software_id to 256 characters and require printable ASCII in
  ValidateDCRRequest; expose MaxSoftwareIDLength.
- Add TestNewEmbeddedAuthServer_DCRBoot to drive the full constructor
  and assert EmbeddedAuthServer.dcrStore is populated after boot.
- Remove the nil-guard in Handler.issuer() and add TestHandler_issuer
  so a real wiring bug fails loudly instead of logging issuer="".
- Sanitize error strings before logging to strip URL query parameters
  that could plausibly carry tokens in a future refactor.

Preserve URL-trailing punctuation in DCR log sanitiser

The query-stripping regex in sanitizeErrorForLog matches `[^\s"']+`, so a
URL ending with sentence punctuation (`.`, `,`, `)`, `]`, etc.) pulls
that punctuation into the URL match. url.Parse then absorbs it into the
raw query, and the Strip + Reassemble step drops it along with the rest
of the query — mangling the surrounding prose.

Split the trailing run of terminal punctuation off the match before
parsing, and re-append it verbatim after the query is stripped. URL
matches without a query are returned untouched so the pass is
idempotent for URLs that are already clean. New test cases cover commas,
periods, closing parens, mixed runs, and a Go http.Client-style quoted
URL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Bound upstream DCR /register error body before logging

A misbehaving or malicious authorization server could echo arbitrary
content into the upstream's /register error response. handleHTTPResponse
read that body via io.ReadAll with no LimitReader, then embedded it
verbatim in the returned error — which downstream callers log. Cap the
read at 8 KiB (far larger than any conformant RFC 7591 error response)
so operator log volume cannot be inflated by a non-conformant upstream.

Addresses #5044 review finding F2 (HIGH).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Mirror CIMD precedence in remoteAuthLogContext

The doc comment claimed remoteAuthLogContext mirrored the precedence of
remote.Handler.resolveClientCredentials, but the implementation skipped
the CachedCIMDClientID check entirely. For CIMD-authenticated workloads
the new DCR remediation Warn would have reported a stale or empty
client_id rather than the CIMD URL actually being sent on token refresh,
defeating the operator-correlation the field exists for.

Restore the documented precedence (CachedCIMDClientID >
CachedClientID > ClientID) and add a TestRemoteAuthLogContext case
covering the CIMD-wins path.

Addresses #5044 review findings F3 (HIGH) and F26
(MEDIUM, closed by the new test case).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Hoist DCR remediation Warn out of network-error classifier

isTransientNetworkError previously emitted the cached-DCR-client
remediation Warn from inside its classifier on every permanent 4xx.
A tight Token() loop hitting the same condition would spam the same
record on every call before the workload's Unauthenticated status
propagated. The same branch also fired for non-DCR workloads, which
saw a remediation telling them to "delete cached credentials" they
never had.

Strip the side effect from the classifier and emit the Warn from
markAsUnauthenticated, which already gates the close-monitoring
transition through stopOnce. The Warn now fires at most once per
state transition, is suppressed when no client_id context is
available, and reads honestly about the variability ("if this
workload uses cached DCR or CIMD credentials they may be stale").

Addresses #5044 review finding F5 (MEDIUM).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Validate handler config eagerly and demote DCR success log

Two related polish items in the authserver handlers package:

NewHandler did not validate that AuthorizationServerConfig (or its
embedded *fosite.Config) was non-nil. issuer() reached into the
config at request time, so a misconfigured caller would panic deep
inside an HTTP handler instead of failing at startup. Add the nil
check to the constructor and simplify issuer() to rely on the
constructor invariant. Pin the new invariant with
TestNewHandler_ErrorsOnNilConfig.

The /oauth/register success log was promoted to Info even though the
operation is neither long-running nor exceptional. Demote back to
Debug; an audit-log path is the right home for the audit signal if
that becomes a requirement.

Addresses #5044 review findings F6 and F7.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Tighten DCR resolver internals and clarify cache lifetimes

Bundles ten review-feedback items in pkg/authserver/runner; each
addresses internal-API hygiene or doc-comment drift in the DCR
resolver, no behaviour change for callers.

Sanitizer hardening (F1, F19, F18, F23): sanitizeErrorForLog now
strips userinfo and fragment in addition to the query, since either
can carry credentials or tokens (https://user:pass@host,
implicit-flow #access_token=...). queryStrippingPattern matches
http/https case-insensitively per RFC 3986 §3.1 so HTTPS://...
cannot escape sanitisation. trimURLTrailingPunctuation switches to
strings.IndexByte to match the ASCII-only terminator set without
the rune-decoding overhead. Test cases added for each.

Resolver error API (F4, F13, F20): the dcrStepRegister panic-recovery
branch no longer emits a duplicate slog.Error; the captured stack
travels with the wrapped *dcrStepError to the boundary log so a
single panic produces a single record. DCRStepError /
LogDCRStepError lowercased to dcrStepError / logDCRStepError since
no caller lives outside the package. logDCRStepError now no-ops on
nil err so the unknown-step branch cannot fire on a missing failure.

Resolution helpers (F11, F12, F25): applyResolution renamed to
consumeResolution to communicate that it is a one-shot state
transition (clearing DCRConfig is unconditional), not an idempotent
defaulting step. The applyResolutionToOAuth2Config doc now states
the paired-call invariant explicitly without referencing a specific
test.

Lifecycle docs (F21, F22): the per-instance dcrStore vs.
process-wide dcrFlight asymmetry is now stated on both sides, and
EmbeddedAuthServer.Close documents the future-Close hook for a
backend with handles.

Inline rules-file rationale (F24): production comments no longer
cite .claude/rules/... by path; the principle is inlined.

Addresses #5044 review findings F1, F4, F11, F12,
F13, F18, F19, F20, F21, F22, F23, F24, F25.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Tighten DCR remediation hint and drain capped error body

Three follow-up items from review:

isPermanentTokenEndpointError used to treat every non-5xx
RetrieveError as permanent, which meant the DCR remediation Warn
fired on transient back-pressure (408 Request Timeout, 429 Too Many
Requests). Narrow the classifier to an explicit 400 / 401 / 403
allowlist so the "delete the cached credentials and restart" hint
fires only on responses where stale cached client credentials are a
plausible cause. Retry behaviour is unaffected — the retry decision
is gated entirely by isTransientNetworkError, which already returns
false for the whole RetrieveError branch.

handleHTTPResponse in pkg/oauthproto/dcr.go now drains the response
body after the LimitReader-bounded ReadAll. Without this, an upstream
returning more than 8 KiB on /register error left the connection mid-
stream when the deferred Close fired, preventing TCP connection
reuse. Mirrors what the non-JSON content-type branch a few lines
down already does.

remoteAuthLogContext moved out of pkg/runner into pkg/auth/remote as
*Config.LogContext(), collocating it with resolveClientCredentials
so the cached-CIMD > cached-DCR > static precedence has one home.
Adding a fourth cached field in future updates both call sites in
one place. Tests moved to pkg/auth/remote/config_test.go.

Addresses #5044 review #4212656411 comments
3174540081, 3174540082, and 3174540086.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tgrunnagle

pkg/auth/monitored_token_source.go

@@ -9,6 +9,7 @@ import (
 	"fmt"
 	"log/slog"
 	"net"
+	"net/http"
 	"os"
 	"strconv"
 	"strings"
@@ -129,6 +130,15 @@ type transientRefresher struct {
 	source   oauth2.TokenSource
 	workload string
 
+	// upstream identifies the upstream authorization server that issued the
+	// token, and clientID is the OAuth 2.0 client_id used by this workload.
+	// Both are optional and are only surfaced in structured logs (notably the
+	// DCR/CIMD remediation warning emitted from MonitoredTokenSource on the
+	// transition to Unauthenticated). Empty strings are acceptable and are
+	// omitted from log output by the slog handler.
+	upstream string
+	clientID string
+
 	// newBackOff is a factory for the backoff used during retries.
 	// Nil in production; overridable in tests for fast execution.
 	newBackOff func() backoff.BackOff
@@ -212,6 +222,8 @@ func (r *transientRefresher) getBackOff() backoff.BackOff {
 type MonitoredTokenSource struct {
 	tokenSource    oauth2.TokenSource
 	workloadName   string
+	upstream       string
+	clientID       string
 	statusUpdater  StatusUpdater
 	monitoringCtx  context.Context
 	stopMonitoring chan struct{}
@@ -226,20 +238,42 @@ type MonitoredTokenSource struct {
 
 // NewMonitoredTokenSource creates a new MonitoredTokenSource that wraps the provided
 // oauth2.TokenSource and monitors it for authentication failures.
+//
+// upstream and clientID annotate structured logs emitted by the token source,
+// most importantly the DCR/CIMD remediation warning fired on the transition
+// to Unauthenticated when the token endpoint returns a permanent 4xx (which
+// frequently indicates stale cached credentials). Pass empty strings when
+// the workload does not use DCR/CIMD or the upstream issuer is unknown; the
+// remediation log will be suppressed when clientID is empty since its
+// operator-correlation field would be blank.
+//
+// The fields are fixed at construction time rather than exposed via a setter
+// so there is no data race between a late writer and the readers in Token()
+// / transientRefresher.retry() — both of which may run on the background
+// monitor goroutine started by StartBackgroundMonitoring.
 func NewMonitoredTokenSource(
 	ctx context.Context,
 	tokenSource oauth2.TokenSource,
 	workloadName string,
+	upstream string,
+	clientID string,
 	statusUpdater StatusUpdater,
 ) *MonitoredTokenSource {
 	return &MonitoredTokenSource{
 		tokenSource:    tokenSource,
 		workloadName:   workloadName,
+		upstream:       upstream,
+		clientID:       clientID,
 		statusUpdater:  statusUpdater,
 		monitoringCtx:  ctx,
 		stopMonitoring: make(chan struct{}),
 		stopped:        make(chan struct{}),
-		refresher:      &transientRefresher{source: tokenSource, workload: workloadName},
+		refresher: &transientRefresher{
+			source:   tokenSource,
+			workload: workloadName,
+			upstream: upstream,
+			clientID: clientID,
+		},
 	}
 }
 
@@ -264,7 +298,10 @@ func (mts *MonitoredTokenSource) Token() (*oauth2.Token, error) {
 	}
 
 	if !isTransientNetworkError(err) {
-		mts.markAsUnauthenticated(fmt.Sprintf("Token retrieval failed: %v", err))
+		mts.markAsUnauthenticated(
+			fmt.Sprintf("Token retrieval failed: %v", err),
+			isPermanentTokenEndpointError(err),
+		)
 		return nil, err
 	}
 
@@ -273,7 +310,10 @@ func (mts *MonitoredTokenSource) Token() (*oauth2.Token, error) {
 	tok, err = mts.refresher.Refresh(mts.monitoringCtx, err)
 	if err != nil {
 		if !errors.Is(err, context.Canceled) && !errors.Is(err, context.DeadlineExceeded) {
-			mts.markAsUnauthenticated(fmt.Sprintf("Token refresh failed after retries: %v", err))
+			mts.markAsUnauthenticated(
+				fmt.Sprintf("Token refresh failed after retries: %v", err),
+				isPermanentTokenEndpointError(err),
+			)
 		}
 		return nil, err
 	}
@@ -349,6 +389,11 @@ func (mts *MonitoredTokenSource) onTick() (bool, time.Duration) {
 // OAuth2 client-level auth failures (invalid_grant, 401, 400) and TLS errors
 // (certificate verification, handshake failure) are NOT considered transient and
 // return false so the workload is marked unauthenticated immediately.
+//
+// The function is side-effect free; callers that want to emit a DCR
+// remediation hint on a permanent 4xx must do so themselves at the
+// state-transition boundary using isPermanentTokenEndpointError to
+// classify, so a tight Token() loop does not spam the same record.
 func isTransientNetworkError(err error) bool {
 	if err == nil ||
 		errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
@@ -399,6 +444,36 @@ func isTransientNetworkError(err error) bool {
 	return false
 }
 
+// isPermanentTokenEndpointError reports whether err is an *oauth2.RetrieveError
+// whose status implies the cached client credentials are themselves the
+// problem — specifically 400 (invalid_grant / invalid_client), 401, or
+// 403. Used at state-transition boundaries to decide whether to emit a
+// DCR/CIMD remediation hint alongside the unauthentication.
+//
+// Other 4xx codes are intentionally NOT treated as permanent here even
+// though isTransientNetworkError classifies the whole RetrieveError
+// branch as non-transient. 408 (Request Timeout) and 429 (Too Many
+// Requests) are typically transient back-pressure that the operator
+// cannot remediate by deleting cached credentials; firing the
+// "delete the cached credentials and restart" Warn on those would
+// mislead operators chasing a transient hiccup. The narrower allowlist
+// keeps the remediation hint truthful.
+func isPermanentTokenEndpointError(err error) bool {
+	retrieveErr, ok := errors.AsType[*oauth2.RetrieveError](err)
+	if !ok {
+		return false
+	}
+	if retrieveErr.Response == nil {
+		return false
+	}
+	switch retrieveErr.Response.StatusCode {
+	case http.StatusBadRequest, http.StatusUnauthorized, http.StatusForbidden:
+		return true
+	default:
+		return false
+	}
+}
+
 // isOAuthParseError detects errors from the oauth2 library that indicate the
 // token endpoint returned an unparsable response body on a 2xx status. This
 // typically happens when a load balancer, CDN, or reverse proxy intercepts the
@@ -414,13 +489,39 @@ func isOAuthParseError(err error) bool {
 		strings.Contains(msg, "oauth2: cannot parse response")
 }
 
-// markAsUnauthenticated marks the workload as unauthenticated and stops background monitoring.
-func (mts *MonitoredTokenSource) markAsUnauthenticated(reason string) {
+// markAsUnauthenticated marks the workload as unauthenticated and stops
+// background monitoring. If permanent4xx is true and the workload was
+// constructed with a non-empty client_id, a one-shot DCR/CIMD remediation
+// hint is emitted alongside the stop transition. The hint and the close
+// of stopMonitoring share stopOnce, so a caller (e.g. a tight Token()
+// loop) cannot spam the record on every call after the workload has
+// already transitioned to Unauthenticated.
+func (mts *MonitoredTokenSource) markAsUnauthenticated(reason string, permanent4xx bool) {
 	_ = mts.statusUpdater.SetWorkloadStatus(
 		context.Background(),
 		mts.workloadName,
 		runtime.WorkloadStatusUnauthenticated,
 		reason,
 	)
-	mts.stopOnce.Do(func() { close(mts.stopMonitoring) })
+	mts.stopOnce.Do(func() {
+		// A permanent 4xx from the token endpoint commonly indicates the
+		// cached client (DCR or CIMD) is no longer recognised — but the
+		// same branch fires for revoked consent, disabled accounts, and
+		// statically configured clients, so the message has to be honest
+		// about the variability. Gating on clientID != "" suppresses the
+		// log entirely for workloads where no client_id context is
+		// available; the operator-correlation it provides would be empty.
+		if permanent4xx && mts.clientID != "" {
+			//nolint:gosec // G706: client_id is public metadata per RFC 7591.
+			slog.Warn(
+				"token endpoint returned a permanent error; if this workload uses "+
+					"cached DCR or CIMD credentials they may be stale — delete the "+
+					"cached credentials and restart to re-register.",
+				"workload", mts.workloadName,
+				"upstream", mts.upstream,
+				"client_id", mts.clientID,
+			)
+		}
+		close(mts.stopMonitoring)
+	})
 }

pkg/auth/monitored_token_source_test.go

@@ -118,7 +118,7 @@ func TestMonitoredTokenSource_SuccessfulTokenRetrieval(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Test successful token retrieval
 	token, err := ats.Token()
@@ -151,7 +151,7 @@ func TestMonitoredTokenSource_AuthenticationErrorMarksUnauthenticated(t *testing
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Expect SetWorkloadStatus to be called with unauthenticated status
 	statusManager.EXPECT().
@@ -195,7 +195,7 @@ func TestMonitoredTokenSource_ErrorMarksUnauthenticated(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Expect SetWorkloadStatus to be called for any error
 	statusManager.EXPECT().
@@ -245,7 +245,7 @@ func TestMonitoredTokenSource_BackgroundMonitoring(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Expect SetWorkloadStatus to be called when auth error occurs
 	statusManager.EXPECT().
@@ -297,7 +297,7 @@ func TestMonitoredTokenSource_BackgroundMonitoringStopsOnAnyError(t *testing.T)
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Expect SetWorkloadStatus to be called when any error occurs
 	statusManager.EXPECT().
@@ -341,7 +341,7 @@ func TestMonitoredTokenSource_ExpiredTokenHandling(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	// Should not mark as unauthenticated just for expired token
 	// (oauth2 library should handle refresh; we only mark on actual auth errors)
@@ -374,7 +374,7 @@ func TestMonitoredTokenSource_StopMonitoring(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 	ats.StartBackgroundMonitoring()
 
 	// Wait a bit to ensure monitoring started
@@ -407,7 +407,7 @@ func TestMonitoredTokenSource_MultipleCallsToToken(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 
 	statusManager.EXPECT().
 		SetWorkloadStatus(
@@ -627,7 +627,7 @@ func TestMonitoredTokenSource_BackgroundMonitor_ErrorClassification(t *testing.T
 				statusUpdater, _ := newMockStatusUpdater(ctrl)
 				retrying := tokenSource.notifyOnCall(2)
 
-				ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+				ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 				ats.refresher.newBackOff = fastBackOff
 				ats.StartBackgroundMonitoring()
 
@@ -647,7 +647,7 @@ func TestMonitoredTokenSource_BackgroundMonitor_ErrorClassification(t *testing.T
 					Return(nil).
 					Times(1)
 
-				ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+				ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 				ats.refresher.newBackOff = fastBackOff
 				ats.StartBackgroundMonitoring()
 
@@ -698,7 +698,7 @@ func TestMonitoredTokenSource_TransientErrorRetriesAndSucceeds(t *testing.T) {
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 	ats.refresher.newBackOff = fastBackOff
 	ats.StartBackgroundMonitoring()
 
@@ -738,7 +738,7 @@ func TestMonitoredTokenSource_TransientErrorContextCancellation(t *testing.T) {
 
 	ctx, cancel := context.WithCancel(context.Background())
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 	ats.refresher.newBackOff = fastBackOff
 	ats.StartBackgroundMonitoring()
 
@@ -793,7 +793,7 @@ func TestMonitoredTokenSource_TransientThenNonTransientMarksUnauthenticated(t *t
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()
 
-	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", statusUpdater)
+	ats := NewMonitoredTokenSource(ctx, tokenSource, "test-workload", "", "", statusUpdater)
 	ats.refresher.newBackOff = fastBackOff
 	ats.StartBackgroundMonitoring()
 

pkg/auth/remote/config.go

@@ -186,6 +186,30 @@ func (c *Config) ClearCachedClientCredentials() {
 	c.CachedRegTokenRef = ""
 }
 
+// LogContext returns the upstream issuer and resolved client_id for use as
+// log-correlation fields on the MonitoredTokenSource. Returns ("", "")
+// when c is nil so callers do not need to guard the call. Mirrors the
+// precedence applied at runtime when sending the client_id on token
+// refresh: cached CIMD URL > cached DCR client_id > statically configured
+// client_id. Lives next to resolveClientCredentials so the precedence has
+// a single home — adding a fourth cached field updates both call sites
+// in one place.
+func (c *Config) LogContext() (upstream, clientID string) {
+	if c == nil {
+		return "", ""
+	}
+	clientID = func() string {
+		if c.CachedCIMDClientID != "" {
+			return c.CachedCIMDClientID
+		}
+		if c.CachedClientID != "" {
+			return c.CachedClientID
+		}
+		return c.ClientID
+	}()
+	return c.Issuer, clientID
+}
+
 // DefaultResourceIndicator derives the resource indicator (RFC 8707) from the remote server URL.
 // This function should only be called when the user has not explicitly provided a resource indicator.
 // If the resource indicator cannot be derived, it returns an empty string.