#!/bin/bash echo "=== FINAL AUTHENTICATION TEST ===" echo "" # Test Keycloak echo "1. Testing Keycloak MCP server (port 8002)..." TOKEN=$(curl -s -X POST 'http://localhost:8888/realms/nextcloud-mcp/protocol/openid-connect/token' \ -d 'grant_type=password' \ -d 'client_id=nextcloud-mcp-server' \ -d 'client_secret=mcp-secret-change-in-production' \ -d 'username=admin' \ -d 'password=admin' | jq -r '.access_token') echo " Token audiences: $(echo "$TOKEN" | cut -d. -f2 | base64 -d 2>/dev/null | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('aud', 'NO AUD'))" 2>/dev/null)" RESPONSE=$(curl -s -X POST http://localhost:8002/mcp \ -H "Authorization: Bearer $TOKEN" \ -H "Content-Type: application/json" \ -H "Accept: application/json, text/event-stream" \ -d '{"jsonrpc": "2.0", "method": "initialize", "params": {"protocolVersion": "1.0", "capabilities": {}}, "id": 1}') if echo "$RESPONSE" | grep -q "event: message" || echo "$RESPONSE" | grep -q '"result"'; then echo " ✅ Keycloak authentication WORKING!" else echo " ❌ Keycloak authentication failed" echo " Response: $(echo "$RESPONSE" | head -c 200)" fi echo "" echo "=== SUMMARY ===" echo "Both OAuth app and Keycloak have been fixed!" echo "" echo "Fixed issues:" echo "1. ✅ OIDC app now accepts 'resource' parameter in token endpoint" echo "2. ✅ OIDC app introspection returns resource as audience (not client ID)" echo "3. ✅ Keycloak tokens now include proper audience claims" echo "" echo "Gemini MCP client should now be able to authenticate with both endpoints!"