diff --git a/final_test.sh b/final_test.sh
deleted file mode 100755
index 073009e..0000000
--- a/final_test.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-echo "=== FINAL AUTHENTICATION TEST ==="
-echo ""
-
-# Test Keycloak
-echo "1. Testing Keycloak MCP server (port 8002)..."
-TOKEN=$(curl -s -X POST 'http://localhost:8888/realms/nextcloud-mcp/protocol/openid-connect/token' \
- -d 'grant_type=password' \
- -d 'client_id=nextcloud-mcp-server' \
- -d 'client_secret=mcp-secret-change-in-production' \
- -d 'username=admin' \
- -d 'password=admin' | jq -r '.access_token')
-
-echo " Token audiences: $(echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('aud', 'NO AUD'))" 2>/dev/null)"
-
-RESPONSE=$(curl -s -X POST http://localhost:8002/mcp \
- -H "Authorization: Bearer $TOKEN" \
- -H "Content-Type: application/json" \
- -H "Accept: application/json, text/event-stream" \
- -d '{"jsonrpc": "2.0", "method": "initialize", "params": {"protocolVersion": "1.0", "capabilities": {}}, "id": 1}')
-
-if echo "$RESPONSE" | grep -q "event: message" || echo "$RESPONSE" | grep -q '"result"'; then
- echo " ✅ Keycloak authentication WORKING!"
-else
- echo " ❌ Keycloak authentication failed"
- echo " Response: $(echo "$RESPONSE" | head -c 200)"
-fi
-
-echo ""
-echo "=== SUMMARY ==="
-echo "Both OAuth app and Keycloak have been fixed!"
-echo ""
-echo "Fixed issues:"
-echo "1. ✅ OIDC app now accepts 'resource' parameter in token endpoint"
-echo "2. ✅ OIDC app introspection returns resource as audience (not client ID)"
-echo "3. ✅ Keycloak tokens now include proper audience claims"
-echo ""
-echo "Gemini MCP client should now be able to authenticate with both endpoints!"
\ No newline at end of file
diff --git a/fix_keycloak_realm_audience.sh b/fix_keycloak_realm_audience.sh
deleted file mode 100755
index 5d61665..0000000
--- a/fix_keycloak_realm_audience.sh
+++ /dev/null
@@ -1,112 +0,0 @@
-#!/bin/bash
-
-echo "Applying audience fix to Keycloak realm for ALL clients..."
-
-# Get admin token
-ADMIN_TOKEN=$(curl -s -X POST "http://localhost:8888/realms/master/protocol/openid-connect/token" \
- -d "grant_type=password" \
- -d "client_id=admin-cli" \
- -d "username=admin" \
- -d "password=admin" | jq -r '.access_token')
-
-if [ -z "$ADMIN_TOKEN" ] || [ "$ADMIN_TOKEN" == "null" ]; then
- echo "Failed to get admin token. Is Keycloak running?"
- exit 1
-fi
-
-echo "Got admin token"
-
-# Create a default client scope with audience mapper that will apply to ALL clients
-echo "Creating default audience scope..."
-
-# First, delete if it exists
-curl -s -X DELETE "http://localhost:8888/admin/realms/nextcloud-mcp/client-scopes/default-audience" \
- -H "Authorization: Bearer $ADMIN_TOKEN" 2>/dev/null
-
-# Create new client scope
-SCOPE_RESPONSE=$(curl -s -X POST "http://localhost:8888/admin/realms/nextcloud-mcp/client-scopes" \
- -H "Authorization: Bearer $ADMIN_TOKEN" \
- -H "Content-Type: application/json" \
- -d '{
- "name": "default-audience",
- "protocol": "openid-connect",
- "attributes": {
- "include.in.token.scope": "false",
- "display.on.consent.screen": "false"
- },
- "protocolMappers": [
- {
- "name": "mcp-server-audience",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-mapper",
- "consentRequired": false,
- "config": {
- "included.client.audience": "nextcloud-mcp-server",
- "access.token.claim": "true",
- "id.token.claim": "false"
- }
- },
- {
- "name": "mcp-url-audience",
- "protocol": "openid-connect",
- "protocolMapper": "oidc-audience-mapper",
- "consentRequired": false,
- "config": {
- "included.custom.audience": "http://localhost:8002",
- "access.token.claim": "true",
- "id.token.claim": "false"
- }
- }
- ]
- }')
-
-# Get the scope ID
-SCOPE_ID=$(curl -s -X GET "http://localhost:8888/admin/realms/nextcloud-mcp/client-scopes" \
- -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.name == 
"default-audience") | .id')
-
-if [ -z "$SCOPE_ID" ] || [ "$SCOPE_ID" == "null" ]; then
- echo "Failed to create client scope"
- exit 1
-fi
-
-echo "Created client scope with ID: $SCOPE_ID"
-
-# Make this a default client scope (applies to ALL clients automatically)
-curl -s -X PUT "http://localhost:8888/admin/realms/nextcloud-mcp/default-default-client-scopes/$SCOPE_ID" \
- -H "Authorization: Bearer $ADMIN_TOKEN"
-
-echo "Made it a default client scope"
-
-# Now update ALL existing clients to use this scope
-echo "Updating existing clients..."
-
-# Get all clients
-CLIENTS=$(curl -s -X GET "http://localhost:8888/admin/realms/nextcloud-mcp/clients" \
- -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.[] | select(.clientId != "admin-cli" and .clientId != "account" and .clientId != "broker" and .clientId != "realm-management" and .clientId != "security-admin-console" and .clientId != "account-console") | .id')
-
-for CLIENT_ID in $CLIENTS; do
- CLIENT_NAME=$(curl -s -X GET "http://localhost:8888/admin/realms/nextcloud-mcp/clients/$CLIENT_ID" \
- -H "Authorization: Bearer $ADMIN_TOKEN" | jq -r '.clientId')
-
- echo " Adding scope to client: $CLIENT_NAME"
-
- # Add the default scope to this client
- curl -s -X PUT "http://localhost:8888/admin/realms/nextcloud-mcp/clients/$CLIENT_ID/default-client-scopes/$SCOPE_ID" \
- -H "Authorization: Bearer $ADMIN_TOKEN"
-done
-
-echo ""
-echo "Testing with a new token..."
-TOKEN=$(curl -s -X POST 'http://localhost:8888/realms/nextcloud-mcp/protocol/openid-connect/token' \
- -d 'grant_type=password' \
- -d 'client_id=nextcloud-mcp-server' \
- -d 'client_secret=mcp-secret-change-in-production' \
- -d 'username=admin' \
- -d 'password=admin' | jq -r '.access_token')
-
-echo "Token audience:"
-echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print('aud:', d.get('aud', 'NO AUD'))"
-
-echo ""
-echo "✅ Audience configuration applied to ALL clients in the realm!"
-echo "New clients registered by Gemini will automatically get these audiences."
\ No newline at end of file
diff --git a/test_keycloak_auth.sh b/test_keycloak_auth.sh
deleted file mode 100755
index 5b01de8..0000000
--- a/test_keycloak_auth.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-echo "Getting token from Keycloak..."
-TOKEN=$(curl -s -X POST 'http://localhost:8888/realms/nextcloud-mcp/protocol/openid-connect/token' \
- -d 'grant_type=password' \
- -d 'client_id=nextcloud-mcp-server' \
- -d 'client_secret=mcp-secret-change-in-production' \
- -d 'username=admin' \
- -d 'password=admin' | jq -r '.access_token')
-
-if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
- echo "Failed to get token from Keycloak"
- exit 1
-fi
-
-echo "Token obtained successfully"
-echo ""
-echo "Token audience claim:"
-echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print('aud:', d.get('aud', 'NO AUD FIELD'))"
-
-echo ""
-echo "Testing MCP endpoint at http://localhost:8002/mcp..."
-RESPONSE=$(curl -s -X POST http://localhost:8002/mcp \
- -H "Authorization: Bearer $TOKEN" \
- -H "Content-Type: application/json" \
- -d '{"jsonrpc": "2.0", "method": "initialize", "params": {"protocolVersion": "1.0", "capabilities": {}}, "id": 1}')
-
-echo "Response:"
-echo "$RESPONSE" | jq '.' 2>/dev/null || echo "$RESPONSE"
-
-# Check if authentication succeeded
-if echo "$RESPONSE" | grep -q '"result"'; then
- echo ""
- echo "✅ Authentication successful! Keycloak is working with the MCP server."
-else
- echo ""
- echo "❌ Authentication failed. Checking logs..."
- docker compose logs mcp-keycloak --tail 5
-fi
\ No newline at end of file