feat(auth): implement proxied /.well-known/oauth-authorization-server #244


@manusa manusa commented Aug 6, 2025

No description provided.

@manusa manusa added this to the 0.1.0 milestone Aug 6, 2025
@manusa manusa force-pushed the feat/oauth-authorization-server-endpoint branch from 9abb8df to 0da5b5b Compare August 6, 2025 11:43
@manusa manusa force-pushed the feat/oauth-authorization-server-endpoint branch from 0da5b5b to 3d23d94 Compare August 6, 2025 11:59
@manusa manusa merged commit aba5f54 into containers:main Aug 6, 2025
7 of 8 checks passed
@manusa manusa deleted the feat/oauth-authorization-server-endpoint branch August 6, 2025 12:51
@@ -44,6 +44,7 @@ func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.Stat
mux.HandleFunc(healthEndpoint, func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(http.StatusOK)
})
mux.HandleFunc(oauthAuthorizationServerEndpoint, OAuthAuthorizationServerHandler(staticConfig))
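Review bot: On the added mux.HandleFunc(oauthAuthorizationServerEndpoint, ...) line, the route is registered with no method restriction and, as far as the hunk shows, regardless of whether staticConfig names an authorization server. Metadata documents are only ever fetched with GET, so it would help to reject other methods, to register the route (or answer 404) only when an authorization server is configured, and to add a short comment stating that this path relays the authorization server's metadata rather than metadata the MCP server itself owns.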
Member

@manusa this endpoint is served by OIDC providers, not MCP servers. Is there any reason for this? If you implemented this based on my suggestion on Slack, sorry, it seems that I wasn't clear.

Member

I think you implemented this because mcp/inspector looks for this endpoint, which is served by Keycloak at a different endpoint?

Member Author

Exactly, this is looked for by the MCP clients. I'm currently working on an implementation to proxy the following endpoints:

	oauthAuthorizationServerEndpoint = "/.well-known/oauth-authorization-server"
	oauthProtectedResourceEndpoint   = "/.well-known/oauth-protected-resource"
	openIDConfigurationEndpoint      = "/.well-known/openid-configuration"

This delegates everything to the auth server (Keycloak).
This seems to work with the inspector and very likely with VSCode.

I'll create a PR shortly
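
The delegation described in the comment above, as an added example that is not code from this PR or the project: a Go handler that serves the three listed paths by fetching them from the authorization server, relaying only a 200 JSON response and refusing to follow redirects. `WellKnownProxy`, `fetch`, the issuer URL and the issuer + path upstream layout are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"io"
	"net/http"
	"strings"
	"time"
)

// Paths named in the comment above. Upstream layout (issuer + path) is an assumption.
var wellKnownPaths = []string{"/.well-known/oauth-authorization-server",
	"/.well-known/oauth-protected-resource", "/.well-known/openid-configuration"}
// WellKnownProxy (hypothetical helper) serves each path from issuerURL + path.
func WellKnownProxy(issuerURL string) http.Handler {
	client := &http.Client{Timeout: 5 * time.Second}
	// Do not follow redirects away from the configured issuer.
	client.CheckRedirect = func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }
	mux := http.NewServeMux()
	for _, p := range wellKnownPaths {
		mux.HandleFunc(p, fetch(client, strings.TrimSuffix(issuerURL, "/")+p))
	}
	return mux
}
// fetch relays one fixed upstream URL; no client query or headers are forwarded.
func fetch(client *http.Client, url string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		resp, err := client.Get(url)
		if err != nil {
			http.Error(w, "authorization server unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		// Cap the body and relay only a 200 response that parses as JSON.
		body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
		if err != nil || resp.StatusCode != http.StatusOK || !json.Valid(body) {
			http.Error(w, "invalid metadata from authorization server", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(body)
	}
}
func main() { // the issuer URL is a constructed placeholder
	_ = http.ListenAndServe("127.0.0.1:8080", WellKnownProxy("https://keycloak.example/realms/demo"))
}
```

Clients use the relayed metadata to find the authorization and token endpoints, so the issuer URL should come from trusted server configuration only, never from the request.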
