17 Commits

Author	SHA1	Message	Date
Chris Coutinho	de99296779	feat: implement scope-based audience mapping and RFC 9728 support ... This commit removes hardcoded Keycloak audience mappers and implements dynamic audience assignment based on OAuth client scopes and RFC 8707 resource indicators. ## MCP Server Changes ### Protected Resource Metadata (app.py) - Change resource field from client_id to URL (RFC 9728 compliance) - Use `{mcp_server_url}/mcp` as resource identifier - Update DCR registration to include all Nextcloud API scopes - Add resource_url parameter to client registration ### Client Registration (auth/client_registration.py) - Add resource_url parameter to register_client() - Pass resource_url to DCR endpoint - Support RFC 9728 resource metadata ### Browser OAuth Routes (auth/browser_oauth_routes.py) - Enhanced error logging for token exchange failures - Log HTTP status code and response body for debugging - Improved error messages for OAuth provisioning issues ### Token Verifier (auth/progressive_token_verifier.py) - Add introspection_uri and client_secret parameters - Initialize HTTP client for introspection requests - Enable opaque token validation support ## Keycloak Configuration ### realm-export.json - **Remove** hardcoded `audience-mcp-server` protocol mapper - Audience now determined by client scopes: - External clients: RFC 8707 resource parameter → `aud: {resource_url}` - MCP Server: `token-exchange-nextcloud` scope → `aud: "nextcloud"` ### OIDC App (third_party/oidc) - Updated submodule with RFC 9728 support - Added resource_url database field - Enhanced introspection authorization logic ## Architecture Two separate audience flows: 1. **Gemini CLI → MCP Server** - Client requests: `resource=http://localhost:8002/mcp` - Token audience: `aud: "http://localhost:8002/mcp"` - MCP server validates via progressive_token_verifier 2. **MCP Server → Nextcloud APIs** - MCP server includes: `scope=token-exchange-nextcloud` - Token audience: `aud: "nextcloud"` (via scope mapper) - Nextcloud user_oidc validates via SelfEncodedValidator ## Benefits - ✅ RFC 8707 compliant (resource indicators) - ✅ RFC 9728 compliant (protected resource metadata) - ✅ Dynamic audience based on OAuth context - ✅ Fixes Gemini CLI authentication failures - ✅ Maintains Nextcloud API access for background jobs - ✅ Clear security boundaries between flows 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-04 05:28:58 +01:00
Chris Coutinho	636bfd416f	build: Update oidc submodule	2025-11-03 20:33:55 +01:00
Chris Coutinho	3b4606b798	build: Update submodule	2025-11-03 20:33:50 +01:00
Chris Coutinho	b41bbd6c65	ci: Add condition service_healthy check for app to mcp containers	2025-11-03 20:33:38 +01:00
Chris Coutinho	4f82357f24	ci: update submodule	2025-10-31 02:59:35 +01:00
Chris Coutinho	c9db6afb59	chore: Update CLAUDE.md	2025-10-24 19:35:04 +02:00
Chris Coutinho	72fce189d2	test: Add tests for dcr endpoint and update oidc app	2025-10-24 18:48:05 +02:00
Chris Coutinho	2f1bd1bbe9	test: Move client integration tests to mocked unit tests	2025-10-24 05:50:25 +02:00
Chris Coutinho	d452684535	feat: Split read/write scopes into app:read/write scopes	2025-10-24 04:38:49 +02:00
Chris Coutinho	d4ee5a74c2	test: Update default tokens to JWT, add to introspection tests	2025-10-24 00:51:50 +02:00
Chris Coutinho	261749fcdc	ci: Update oidc app	2025-10-23 22:45:22 +02:00
Chris Coutinho	bdb0e17401	chore: Add logging to token introspection	2025-10-23 21:18:14 +02:00
Chris Coutinho	a93e7a1e3b	build: Update submodule	2025-10-23 16:56:18 +02:00
Chris Coutinho	d915efd3f6	docs: Update jwt docs [skip ci]	2025-10-23 15:26:51 +02:00
Chris Coutinho	053cf7798b	fix: Add CORS middleware to allow browser-based clients like MCP Inspector	2025-10-23 15:23:41 +02:00
Chris Coutinho	e9a16c43b5	refactor: Update JWT client to use DCR, re-enable tool filtering	2025-10-23 09:33:06 +02:00
Chris Coutinho	e48f5f3f30	feat(server): Add support for custom OIDC scopes and permissions via JWTs	2025-10-23 08:37:36 +02:00