fix: Use Keycloak client ID for NEXTCLOUD_RESOURCE_URI in token exchange
Fix external IdP token exchange by using the correct audience identifier for Keycloak. Keycloak uses client IDs as audience identifiers, not URLs. The token exchange was failing with "Audience not found" because it was requesting audience "http://localhost:8080" but Keycloak only knows about the "nextcloud" client ID.

Changes:
- Update mcp-keycloak service NEXTCLOUD_RESOURCE_URI from "http://localhost:8080" to "nextcloud"
- Matches Keycloak's client ID convention for resource identifiers
- Token exchange now requests audience "nextcloud", which matches the Keycloak resource server client configuration

Note: the mcp-oauth service keeps a URL-based resource URI because Nextcloud's integrated OIDC app expects URLs, not client IDs. Different IdPs have different conventions for audience/resource identifiers.

Test result: test_external_idp_token_validation now passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
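The mismatch the commit describes has two halves: the MCP service asks the IdP for a token whose `audience` equals its configured NEXTCLOUD_RESOURCE_URI, and the Nextcloud side later checks that the token's `aud` claim contains that same value. If the configured value is not a name the IdP knows, the exchange fails at the IdP; if it differs from what the validator expects, the token is refused after issuance. The following is an added example, not code from the nextcloud-mcp project or from Keycloak: a stdlib-only Python model of both halves. It assumes an HS256 test key in place of the realm's RS256 signing key, a simulated IdP that only issues exchanged tokens for registered client IDs (modelled on the "Audience not found" behaviour in the commit message), the issuer and the "nextcloud" client ID from the compose file, and a hypothetical "mcp-server" client for the subject token. The validator also handles `aud` given as a list, which RFC 7519 permits and the single-string check in the commit does not mention.

```python
"""Audience handling in an RFC 8693 token exchange and in resource-server
validation.  Added example; not the project's or Keycloak's code.
HS256 with a shared test key stands in for the realm's RS256 key."""

import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qsl, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ISSUER = "http://localhost:8888/realms/nextcloud-mcp"   # NEXTCLOUD_PUBLIC_ISSUER_URL
REGISTERED_CLIENTS = {"nextcloud", "mcp-server"}          # "mcp-server" is hypothetical
TEST_KEY = b"constructed-hs256-key-for-the-example"      # constructed, not a real key


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_test_token(issuer: str, aud, subject: str = "alice") -> str:
    """Mint an HS256 JWT; aud may be a string or a list (RFC 7519 section 4.1.3)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "aud": aud}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(TEST_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _verify_and_decode(token: str, expected_issuer: str) -> dict:
    """Check signature and issuer; audience is checked separately by the caller."""
    head, body, sig = token.split(".")
    expected = hmac.new(TEST_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    return claims


def build_exchange_request(subject_token: str, resource_uri: str) -> str:
    """Form body of the token-exchange request; `audience` is the configured
    NEXTCLOUD_RESOURCE_URI, whatever convention the IdP uses for it."""
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "audience": resource_uri,
    })


def simulated_idp_exchange(form_body: str) -> str:
    """Model of the IdP side: accept only a signed subject token from this realm,
    and only issue for an audience that is a registered client ID.  Constructed
    model of the behaviour described in the commit, not Keycloak's code."""
    params = dict(parse_qsl(form_body))
    if params.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        raise ValueError("unsupported_grant_type")
    subject = _verify_and_decode(params.get("subject_token", ""), ISSUER)
    requested = params.get("audience")
    if requested not in REGISTERED_CLIENTS:
        raise ValueError("Audience not found")
    return mint_test_token(ISSUER, requested, subject=subject["sub"])


def validate_token(token: str, expected_issuer: str, resource_uri: str) -> dict:
    """Resource-server side: exact match of the configured identifier against
    the aud claim, accepting both the string and the list form of aud."""
    claims = _verify_and_decode(token, expected_issuer)
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if resource_uri not in audiences:
        raise ValueError(f"audience {resource_uri!r} not in {audiences!r}")
    return claims


def audience_accepted(token: str, issuer: str, resource_uri: str) -> bool:
    try:
        validate_token(token, issuer, resource_uri)
        return True
    except ValueError:
        return False


def exchange_and_validate(resource_uri: str) -> str:
    """The whole path for one NEXTCLOUD_RESOURCE_URI value: present the service's
    own token, exchange it, then validate the result.  Returns "ok" or the reason."""
    subject_token = mint_test_token(ISSUER, "mcp-server", subject="alice")  # constructed
    try:
        exchanged = simulated_idp_exchange(build_exchange_request(subject_token, resource_uri))
        validate_token(exchanged, ISSUER, resource_uri)
    except ValueError as exc:
        return str(exc)
    return "ok"


if __name__ == "__main__":
    print("before fix:", exchange_and_validate("http://localhost:8080"))
    print("after fix: ", exchange_and_validate("nextcloud"))
```

Running the block reproduces the commit's failure for the URL value and success for the client ID. The exact-match check in `validate_token` is deliberate: a prefix or substring comparison would let a token issued for a similarly named client pass, and the list form must be handled because an IdP may add further audiences alongside the requested one.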
+1
-1
@@ -161,7 +161,7 @@ services:
# Nextcloud API endpoint (for accessing APIs with validated token)
- NEXTCLOUD_HOST=http://app:80
- NEXTCLOUD_MCP_SERVER_URL=http://localhost:8002
- NEXTCLOUD_RESOURCE_URI=http://localhost:8080 # ADR-005: Nextcloud resource identifier for audience validation
- NEXTCLOUD_RESOURCE_URI=nextcloud # ADR-005: Keycloak uses client IDs as audiences, not URLs
- NEXTCLOUD_PUBLIC_ISSUER_URL=http://localhost:8888/realms/nextcloud-mcp
# Refresh token storage (ADR-002 Tier 1 & 2)
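Review bot: the new inline comment on the NEXTCLOUD_RESOURCE_URI line ("Keycloak uses client IDs as audiences, not URLs") does not say which Keycloak client the value has to match, so the coupling to the realm configuration at NEXTCLOUD_PUBLIC_ISSUER_URL on the next line is invisible to whoever next edits this file or renames the client in Keycloak. Suggest stating it explicitly, e.g. `# ADR-005: must equal the client ID of the Nextcloud resource-server client in the nextcloud-mcp realm`, and recording in ADR-005 that this variable is an IdP-specific audience identifier rather than a URI, since the commit message says the mcp-oauth service keeps a URL in a variable of the same name. Worth confirming in the same change that the validator compares the aud claim to this value with an exact match and that nothing else in this service still derives the audience from the old http://localhost:8080 value; NEXTCLOUD_HOST=http://app:80 above remains the API endpoint and is now fully decoupled from the audience.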