Add guide for Keycloak integration

2025-06-27 17:13:31 +00:00 · 2025-04-15 08:53:53 +05:30 · 2025-04-15 08:53:53 +05:30 · ecee345f9c
commit ecee345f9c
parent aa7f76a548
3 changed files with 94 additions and 1 deletions
--- a/docs/integrations/Auth0.md
+++ b/docs/integrations/Auth0.md
@ -0,0 +1,93 @@
+## Integrating with Auth0
+
+This guide will help you configure Open MCP Auth Proxy to use Auth0 as your identity provider.
+
+### Prerequisites
+
+- An Auth0 organization (sign up [here](https://auth0.com) if you don't have one)
+- Open MCP Auth Proxy installed
+
+### Setting Up Auth0
+1. [Enable Dynamic Client Registration](https://auth0.com/docs/get-started/applications/dynamic-client-registration)
+    - Go to your Auth0 dashboard
+    - Navigate to Settings > Advanced
+    - Enable "OIDC Dynamic Application Registration"
+2. In order to setup connections in dynamically created clients [promote Connections to Domain Level](https://auth0.com/docs/authenticate/identity-providers/promote-connections-to-domain-level)
+3. Create an API in Auth0:
+   - Go to your Auth0 dashboard
+   - Navigate to Applications > APIs
+   - Click on "Create API"
+   - Set a Name (e.g., "MCP API")
+   - Set an Identifier (e.g., "mcp_proxy")
+   - Keep the default signing algorithm (RS256)
+   - Click "Create"
+
+### Configuring the Open MCP Auth Proxy
+
+Update your `config.yaml` with Auth0 settings:
+
+```yaml
+# Basic proxy configuration
+listen_port: 8080
+base_url: "http://localhost:8000"
+port: 8000
+
+# Path configuration
+paths:
+  sse: "/sse"
+  messages: "/messages/"
+
+# Transport mode
+transport_mode: "sse"
+
+# CORS configuration
+cors:
+  allowed_origins:
+    - "http://localhost:5173"  # Your client application origin
+  allowed_methods:
+    - "GET"
+    - "POST"
+    - "PUT"
+    - "DELETE"
+  allowed_headers:
+    - "Authorization"
+    - "Content-Type"
+  allow_credentials: true
+
+# Path mappings for Auth0 endpoints
+path_mapping:
+  /token: /oauth/token
+  /register: /oidc/register
+
+# Auth0 configuration
+default:
+  base_url: "https://YOUR_AUTH0_DOMAIN"  # e.g., https://dev-123456.us.auth0.com
+  jwks_url: "https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json"
+  path:
+    /.well-known/oauth-authorization-server:
+      response:
+        issuer: "https://YOUR_AUTH0_DOMAIN/"
+        jwks_uri: "https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json"
+        authorization_endpoint: "https://YOUR_AUTH0_DOMAIN/authorize?audience=mcp_proxy" # Only if you created an API with this identifier
+        response_types_supported: 
+          - "code"
+        grant_types_supported:
+          - "authorization_code"
+          - "refresh_token"
+        code_challenge_methods_supported:
+          - "S256"
+          - "plain"
+    /token:
+      addBodyParams:
+        - name: "audience"
+          value: "mcp_proxy"  # Only if you created an API with this identifier
+```
+
+Replace YOUR_AUTH0_DOMAIN with your Auth0 domain (e.g., dev-abc123.us.auth0.com).
+
+## Starting the Proxy with Auth0 Integration
+Start the proxy in default mode (which will use Auth0 based on your configuration):
+
+```bash
+./openmcpauthproxy
+```
--- a/docs/integrations/keycloak.md
+++ b/docs/integrations/keycloak.md
@ -0,0 +1,92 @@
+## Integrating Open MCP Auth Proxy with Keycloak
+
+This guide walks you through configuring the Open MCP Auth Proxy to authenticate using Keycloak as the identity provider.
+
+---
+
+### Prerequisites
+
+Before you begin, ensure you have the following:
+
+- A running Keycloak instance
+- Open MCP Auth Proxy installed and accessible
+
+---
+
+### Step 1: Configure Keycloak for Client Registration
+
+Set up dynamic client registration in your Keycloak realm by following the [Keycloak client registration guide](https://www.keycloak.org/securing-apps/client-registration).
+
+---
+
+### Step 2: Configure Open MCP Auth Proxy
+
+Update the `config.yaml` file in your Open MCP Auth Proxy setup using your Keycloak realm's [OIDC settings](https://www.keycloak.org/securing-apps/oidc-layers). Below is an example configuration:
+
+```yaml
+# Proxy server configuration
+listen_port: 8081              # Port for the auth proxy
+base_url: "http://localhost:8000" # Base URL of the MCP server
+port: 8000                     # MCP server port
+
+# Define path mappings
+paths:
+  sse: "/sse"
+  messages: "/messages/"
+
+# Set the transport mode
+transport_mode: "sse"
+
+# CORS settings
+cors:
+  allowed_origins:
+    - "http://localhost:5173"  # Origin of your frontend/client app
+  allowed_methods:
+    - "GET"
+    - "POST"
+    - "PUT"
+    - "DELETE"
+  allowed_headers:
+    - "Authorization"
+    - "Content-Type"
+    - "mcp-protocol-version"
+  allow_credentials: true
+
+# Keycloak endpoint path mappings
+path_mapping:
+  /token: /realms/master/protocol/openid-connect/token
+  /register: /realms/master/clients-registrations/openid-connect
+
+# Keycloak configuration block
+default:
+  base_url: "http://localhost:8080"
+  jwks_url: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
+  path:
+    /.well-known/oauth-authorization-server:
+      response:
+        issuer: "http://localhost:8080/realms/master"
+        jwks_uri: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
+        authorization_endpoint: "http://localhost:8080/realms/master/protocol/openid-connect/auth"
+        response_types_supported: 
+          - "code"
+        grant_types_supported:
+          - "authorization_code"
+          - "refresh_token"
+        code_challenge_methods_supported:
+          - "S256"
+          - "plain"
+    /token:
+      addBodyParams:
+        - name: "audience"
+          value: "mcp_proxy"
+```
+
+### Step 3: Start the Auth Proxy
+
+Launch the proxy with the updated Keycloak configuration:
+
+```bash
+./openmcpauthproxy
+```
+
+Once running, the proxy will handle authentication requests through your configured Keycloak realm.