Add guide for Keycloak integration

config.yaml

@@ -37,6 +37,7 @@ cors:
   allowed_headers:
     - "Authorization"
     - "Content-Type"
+    - "mcp-protocol-version"
   allow_credentials: true
 
 # Demo configuration for Asgardeo

docs/integrations/Auth0.md

@@ -4,7 +4,7 @@ This guide will help you configure Open MCP Auth Proxy to use Auth0 as your iden
 
 ### Prerequisites
 
-- An Auth0 organization (sign up here if you don't have one)
+- An Auth0 organization (sign up [here](https://auth0.com) if you don't have one)
 - Open MCP Auth Proxy installed
 
 ### Setting Up Auth0

docs/integrations/keycloak.md

@@ -0,0 +1,92 @@
+## Integrating Open MCP Auth Proxy with Keycloak
+
+This guide walks you through configuring the Open MCP Auth Proxy to authenticate using Keycloak as the identity provider.
+
+---
+
+### Prerequisites
+
+Before you begin, ensure you have the following:
+
+- A running Keycloak instance
+- Open MCP Auth Proxy installed and accessible
+
+---
+
+### Step 1: Configure Keycloak for Client Registration
+
+Set up dynamic client registration in your Keycloak realm by following the [Keycloak client registration guide](https://www.keycloak.org/securing-apps/client-registration).
+
+---
+
+### Step 2: Configure Open MCP Auth Proxy
+
+Update the `config.yaml` file in your Open MCP Auth Proxy setup using your Keycloak realm's [OIDC settings](https://www.keycloak.org/securing-apps/oidc-layers). Below is an example configuration:
+
+```yaml
+# Proxy server configuration
+listen_port: 8081              # Port for the auth proxy
+base_url: "http://localhost:8000" # Base URL of the MCP server
+port: 8000                     # MCP server port
+
+# Define path mappings
+paths:
+  sse: "/sse"
+  messages: "/messages/"
+
+# Set the transport mode
+transport_mode: "sse"
+
+# CORS settings
+cors:
+  allowed_origins:
+    - "http://localhost:5173"  # Origin of your frontend/client app
+  allowed_methods:
+    - "GET"
+    - "POST"
+    - "PUT"
+    - "DELETE"
+  allowed_headers:
+    - "Authorization"
+    - "Content-Type"
+    - "mcp-protocol-version"
+  allow_credentials: true
+
+# Keycloak endpoint path mappings
+path_mapping:
+  /token: /realms/master/protocol/openid-connect/token
+  /register: /realms/master/clients-registrations/openid-connect
+
+# Keycloak configuration block
+default:
+  base_url: "http://localhost:8080"
+  jwks_url: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
+  path:
+    /.well-known/oauth-authorization-server:
+      response:
+        issuer: "http://localhost:8080/realms/master"
+        jwks_uri: "http://localhost:8080/realms/master/protocol/openid-connect/certs"
+        authorization_endpoint: "http://localhost:8080/realms/master/protocol/openid-connect/auth"
+        response_types_supported: 
+          - "code"
+        grant_types_supported:
+          - "authorization_code"
+          - "refresh_token"
+        code_challenge_methods_supported:
+          - "S256"
+          - "plain"
+    /token:
+      addBodyParams:
+        - name: "audience"
+          value: "mcp_proxy"
+```
+
+### Step 3: Start the Auth Proxy
+
+Launch the proxy with the updated Keycloak configuration:
+
+```bash
+./openmcpauthproxy
+```
+
+Once running, the proxy will handle authentication requests through your configured Keycloak realm.