From 877c4c91e00701b7c636285604388a09778bcfc8 Mon Sep 17 00:00:00 2001
From: Chris Coutinho
Date: Wed, 5 Nov 2025 19:18:10 +0100
Subject: [PATCH] fix: Use Keycloak client ID for NEXTCLOUD_RESOURCE_URI in token exchange
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix external IdP token exchange by using the correct audience identifier for Keycloak. Keycloak uses client IDs as audience identifiers, not URLs. The token exchange was failing with "Audience not found" because it was requesting audience "http://localhost:8080" but Keycloak only knows about the "nextcloud" client ID.
Changes:
- Update mcp-keycloak service NEXTCLOUD_RESOURCE_URI from "http://localhost:8080" to "nextcloud"
- Matches Keycloak's client ID convention for resource identifiers
- Token exchange now requests audience "nextcloud" which matches the Keycloak resource server client configuration
Note: mcp-oauth service keeps URL-based resource URI because Nextcloud's integrated OIDC app expects URLs, not client IDs. Different IdPs have different conventions for audience/resource identifiers.
Test result: test_external_idp_token_validation now passes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 07ba22a..4109b2c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -161,7 +161,7 @@ services:
 # Nextcloud API endpoint (for accessing APIs with validated token)
 - NEXTCLOUD_HOST=http://app:80
 - NEXTCLOUD_MCP_SERVER_URL=http://localhost:8002
- - NEXTCLOUD_RESOURCE_URI=http://localhost:8080 # ADR-005: Nextcloud resource identifier for audience validation
+ - NEXTCLOUD_RESOURCE_URI=nextcloud # ADR-005: Keycloak uses client IDs as audiences, not URLs
 - NEXTCLOUD_PUBLIC_ISSUER_URL=http://localhost:8888/realms/nextcloud-mcp
 # Refresh token storage (ADR-002 Tier 1 & 2)
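Review bot: The value on the `+` line is now a bare Keycloak client ID while the variable is still named `NEXTCLOUD_RESOURCE_URI` and, per the description, the sibling `mcp-oauth` service keeps a URL in the same variable, so the inline comment should state what the value must match rather than only why it is not a URL. I would extend it to `# ADR-005: audience checked on incoming tokens; must equal the Keycloak resource-server client ID exactly (mcp-oauth keeps a URL because Nextcloud's OIDC app expects one)`. This audience check is what stops a token minted for a different Keycloak client from being accepted by this server, so the validator should compare the string verbatim; if it normalises URLs (scheme, trailing slash) before comparing, a plain client ID may not be handled the same way, and that code is outside this hunk so it is worth confirming. The `environment` list this line belongs to starts before the hunk.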