e331544cee
Implements OAuth 2.0 Token Exchange (RFC 8693) enabling the MCP server to exchange service account tokens for user-scoped tokens. This provides an alternative to refresh tokens for background operations.

**Core Implementation:**
- Added `get_service_account_token()` method to KeycloakOAuthClient for client_credentials grant
- Added `exchange_token_for_user()` method implementing RFC 8693 token exchange
- Fixed Fernet encryption key handling in RefreshTokenStorage (was incorrectly base64 decoding already-encoded keys)
- Updated OAuth configuration to support offline_access scope and refresh token storage infrastructure

**Keycloak Configuration:**
- Enabled `serviceAccountsEnabled` in realm-export.json
- Added `token.exchange.grant.enabled` attribute
- Added `client.token.exchange.standard.enabled` attribute (required for Keycloak 26.2+ Standard Token Exchange V2)
- Fresh Keycloak imports now correctly enable token exchange

**Docker Compose:**
- Added TOKEN_ENCRYPTION_KEY and ENABLE_OFFLINE_ACCESS environment variables
- Created oauth-tokens volume for refresh token storage
- Configured both mcp-oauth and mcp-keycloak services

**Testing & Documentation:**
- Added tests/manual/test_token_exchange.py - Validates complete RFC 8693 flow
- Added tests/manual/test_nextcloud_impersonate.py - Documents session-based impersonation limitations
- Added docs/oauth-impersonation-findings.md - Comprehensive investigation findings and resolution documentation

**Verified Working:**
- ✅ Service account token acquisition (client_credentials grant)
- ✅ RFC 8693 token exchange for internal-to-internal tokens
- ✅ Exchanged tokens validate with Nextcloud APIs
- ✅ Keycloak 26.4.2 Standard Token Exchange V2 support

**Known Limitations:**
- User impersonation (requested_subject) requires Keycloak Legacy V1 with preview features
- Cross-client token exchange limited to same realm
- Refresh token storage infrastructure ready but unused (MCP protocol limitation)

Dependencies: aiosqlite>=0.20.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
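
The two token-endpoint requests named in the commit message (client_credentials grant, then RFC 8693 exchange) and a validation of the exchange response, as an added example that is not code from this commit. The function names, client authentication through form-body `client_id`/`client_secret`, and the scope policy are assumptions of the example.

```python
import json
from urllib.parse import urlencode

GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def client_credentials_form(client_id, client_secret):
    """Step 1: form body that obtains the service account token."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    })


def token_exchange_form(subject_token, client_id, client_secret, audience=None, scope=None):
    """Step 2: RFC 8693 section 2.1 request exchanging subject_token for an access token."""
    form = {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "client_id": client_id,          # assumption: client authenticates in the form body
        "client_secret": client_secret,
    }
    if audience:
        form["audience"] = audience
    if scope:
        form["scope"] = scope
    return urlencode(form)


def parse_exchange_response(body, requested_scope=None):
    """Validate an RFC 8693 section 2.2.1 response before the token is used."""
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token exchange refused: {data['error']}")
    for field in ("access_token", "issued_token_type", "token_type"):
        if not data.get(field):
            raise ValueError(f"missing required field: {field}")
    if data["issued_token_type"] != ACCESS_TOKEN_TYPE:
        raise ValueError("issuer returned an unexpected token type")
    if data["token_type"].lower() != "bearer":
        raise ValueError("only Bearer tokens are accepted here")
    # RFC 8693: "scope" may be omitted when identical to what was requested.
    granted = set(data.get("scope", requested_scope or "").split())
    # Policy of this example: reject a token carrying more scope than was asked for.
    if requested_scope and not granted <= set(requested_scope.split()):
        raise ValueError("issued scope is broader than requested")
    return data["access_token"], granted
```

Each form body is POSTed as `application/x-www-form-urlencoded` to the realm's token endpoint.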