6117aaaed3
This commit completes the Keycloak external identity provider integration, implementing the ADR-002 architecture where Keycloak acts as an external OAuth/OIDC provider and Nextcloud validates tokens via the user_oidc app. Architecture: MCP Client → Keycloak (OAuth) → MCP Server → Nextcloud user_oidc → APIs Key Fixes: 1. Keycloak JWT token configuration - Added 'sub' claim protocol mapper to realm-export.json - Updated token_verifier.py to accept both 'sub' and 'preferred_username' - Ensures tokens contain required OIDC claims 2. Keycloak hostname configuration for Docker networking - Implemented --hostname-backchannel-dynamic=true in docker-compose.yml - External clients use localhost:8888 (public) - Internal services use keycloak:8080 (Docker network) - Same issuer (localhost:8888) everywhere for token consistency - Restored frontendUrl in realm attributes 3. MCP server provider mode detection - Fixed URL normalization to handle port differences (http://app vs http://app:80) - Correctly distinguishes integrated mode vs external IdP mode - Removes explicit default ports (80 for HTTP, 443 for HTTPS) 4. Nextcloud SSRF protection configuration - Added allow_local_remote_servers=true to user_oidc install script - Enables Nextcloud to fetch JWKS from internal Keycloak container - Required for external IdP token validation 5. OAuth lifespan cleanup - Fixed RefreshTokenStorage close() error (uses context managers) - Added safe cleanup for oauth_client with hasattr check - Prevents session crash on shutdown 6. Test suite fixes - Fixed test_user_auto_provisioning to reflect actual behavior - Fixed test_scope_filtering_with_keycloak tool name (nc_webdav_write_file) - Updated test_keycloak_oauth_client_credentials_discovery for hostname config - All 11 Keycloak external IdP tests now passing Testing: ✅ All 11 tests in test_keycloak_external_idp.py passing ✅ OAuth token acquisition via Playwright automation ✅ Token validation through Nextcloud user_oidc app ✅ Write operations (Notes create, Calendar create, File upload) ✅ Read operations (search, list, get) ✅ Token persistence across multiple operations ✅ User authentication and bearer token validation ✅ Scope-based tool filtering ✅ Error handling for invalid operations Implementation validates: - ADR-002 external identity provider architecture - No admin credentials needed in MCP server - Centralized identity management via Keycloak - Standards-based OAuth 2.0 / OIDC integration - User auto-provisioning from IdP claims 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
550 lines
16 KiB
JSON
550 lines
16 KiB
JSON
{
|
|
"id": "nextcloud-mcp",
|
|
"realm": "nextcloud-mcp",
|
|
"notBefore": 0,
|
|
"defaultSignatureAlgorithm": "RS256",
|
|
"revokeRefreshToken": false,
|
|
"refreshTokenMaxReuse": 0,
|
|
"accessTokenLifespan": 300,
|
|
"accessTokenLifespanForImplicitFlow": 900,
|
|
"ssoSessionIdleTimeout": 1800,
|
|
"ssoSessionMaxLifespan": 36000,
|
|
"offlineSessionIdleTimeout": 2592000,
|
|
"offlineSessionMaxLifespanEnabled": false,
|
|
"offlineSessionMaxLifespan": 5184000,
|
|
"accessCodeLifespan": 60,
|
|
"accessCodeLifespanUserAction": 300,
|
|
"accessCodeLifespanLogin": 1800,
|
|
"enabled": true,
|
|
"sslRequired": "external",
|
|
"registrationAllowed": false,
|
|
"loginWithEmailAllowed": true,
|
|
"duplicateEmailsAllowed": false,
|
|
"resetPasswordAllowed": false,
|
|
"editUsernameAllowed": false,
|
|
"bruteForceProtected": false,
|
|
"attributes": {
|
|
"frontendUrl": "http://localhost:8888"
|
|
},
|
|
"roles": {
|
|
"realm": [
|
|
{
|
|
"name": "offline_access",
|
|
"description": "${role_offline-access}",
|
|
"composite": false,
|
|
"clientRole": false
|
|
},
|
|
{
|
|
"name": "uma_authorization",
|
|
"description": "${role_uma_authorization}",
|
|
"composite": false,
|
|
"clientRole": false
|
|
},
|
|
{
|
|
"name": "default-roles-nextcloud-mcp",
|
|
"description": "${role_default-roles}",
|
|
"composite": true,
|
|
"composites": {
|
|
"realm": ["offline_access", "uma_authorization"]
|
|
},
|
|
"clientRole": false
|
|
}
|
|
]
|
|
},
|
|
"users": [
|
|
{
|
|
"username": "admin",
|
|
"enabled": true,
|
|
"email": "admin@example.com",
|
|
"emailVerified": true,
|
|
"firstName": "Admin",
|
|
"lastName": "User",
|
|
"credentials": [
|
|
{
|
|
"type": "password",
|
|
"value": "admin",
|
|
"temporary": false
|
|
}
|
|
],
|
|
"realmRoles": ["default-roles-nextcloud-mcp", "offline_access"],
|
|
"attributes": {
|
|
"quota": ["1073741824"]
|
|
}
|
|
}
|
|
],
|
|
"clients": [
|
|
{
|
|
"clientId": "nextcloud",
|
|
"name": "Nextcloud Resource Server",
|
|
"description": "Resource server for Nextcloud APIs - used by user_oidc app for bearer token validation",
|
|
"enabled": true,
|
|
"clientAuthenticatorType": "client-secret",
|
|
"secret": "nextcloud-secret-change-in-production",
|
|
"redirectUris": [],
|
|
"webOrigins": [],
|
|
"bearerOnly": true,
|
|
"consentRequired": false,
|
|
"standardFlowEnabled": false,
|
|
"implicitFlowEnabled": false,
|
|
"directAccessGrantsEnabled": false,
|
|
"serviceAccountsEnabled": false,
|
|
"publicClient": false,
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"display.on.consent.screen": "false"
|
|
},
|
|
"fullScopeAllowed": true,
|
|
"nodeReRegistrationTimeout": -1
|
|
},
|
|
{
|
|
"clientId": "nextcloud-mcp-server",
|
|
"name": "Nextcloud MCP Server",
|
|
"enabled": true,
|
|
"clientAuthenticatorType": "client-secret",
|
|
"secret": "mcp-secret-change-in-production",
|
|
"redirectUris": [
|
|
"http://localhost:*",
|
|
"http://127.0.0.1:*",
|
|
"http://localhost:*/callback",
|
|
"http://127.0.0.1:*/callback"
|
|
],
|
|
"webOrigins": ["+"],
|
|
"bearerOnly": false,
|
|
"consentRequired": false,
|
|
"standardFlowEnabled": true,
|
|
"implicitFlowEnabled": false,
|
|
"directAccessGrantsEnabled": true,
|
|
"serviceAccountsEnabled": true,
|
|
"publicClient": false,
|
|
"frontchannelLogout": false,
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"pkce.code.challenge.method": "S256",
|
|
"use.refresh.tokens": "true",
|
|
"backchannel.logout.session.required": "true",
|
|
"backchannel.logout.url": "http://app:80/index.php/apps/user_oidc/backchannel-logout/keycloak",
|
|
"oauth2.device.authorization.grant.enabled": "false",
|
|
"oidc.ciba.grant.enabled": "false",
|
|
"client_credentials.use_refresh_token": "false",
|
|
"display.on.consent.screen": "false",
|
|
"token.exchange.grant.enabled": "true",
|
|
"client.token.exchange.standard.enabled": "true"
|
|
},
|
|
"fullScopeAllowed": true,
|
|
"nodeReRegistrationTimeout": -1,
|
|
"protocolMappers": [
|
|
{
|
|
"name": "audience-nextcloud",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-audience-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"included.custom.audience": "nextcloud",
|
|
"access.token.claim": "true",
|
|
"id.token.claim": "false"
|
|
}
|
|
},
|
|
{
|
|
"name": "sub",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "username",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "sub",
|
|
"jsonType.label": "String"
|
|
}
|
|
},
|
|
{
|
|
"name": "full name",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-full-name-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"userinfo.token.claim": "true"
|
|
}
|
|
},
|
|
{
|
|
"name": "email",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "email",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "email",
|
|
"jsonType.label": "String"
|
|
}
|
|
},
|
|
{
|
|
"name": "preferred_username",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "username",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "preferred_username",
|
|
"jsonType.label": "String"
|
|
}
|
|
},
|
|
{
|
|
"name": "quota",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-attribute-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "quota",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "quota",
|
|
"jsonType.label": "String"
|
|
}
|
|
}
|
|
],
|
|
"defaultClientScopes": ["web-origins", "profile", "roles", "email"],
|
|
"optionalClientScopes": [
|
|
"address",
|
|
"phone",
|
|
"offline_access",
|
|
"microprofile-jwt",
|
|
"notes:read",
|
|
"notes:write",
|
|
"calendar:read",
|
|
"calendar:write",
|
|
"contacts:read",
|
|
"contacts:write",
|
|
"cookbook:read",
|
|
"cookbook:write",
|
|
"deck:read",
|
|
"deck:write",
|
|
"tables:read",
|
|
"tables:write",
|
|
"files:read",
|
|
"files:write",
|
|
"sharing:read",
|
|
"sharing:write",
|
|
"todo:read",
|
|
"todo:write"
|
|
]
|
|
}
|
|
],
|
|
"clientScopes": [
|
|
{
|
|
"name": "offline_access",
|
|
"description": "OpenID Connect built-in scope: offline_access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"consent.screen.text": "${offlineAccessScopeConsentText}",
|
|
"display.on.consent.screen": "true"
|
|
}
|
|
},
|
|
{
|
|
"name": "profile",
|
|
"description": "OpenID Connect built-in scope: profile",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true"
|
|
},
|
|
"protocolMappers": [
|
|
{
|
|
"name": "full name",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-full-name-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"userinfo.token.claim": "true"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "email",
|
|
"description": "OpenID Connect built-in scope: email",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true"
|
|
},
|
|
"protocolMappers": [
|
|
{
|
|
"name": "email",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "email",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "email",
|
|
"jsonType.label": "String"
|
|
}
|
|
},
|
|
{
|
|
"name": "email verified",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-property-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"userinfo.token.claim": "true",
|
|
"user.attribute": "emailVerified",
|
|
"id.token.claim": "true",
|
|
"access.token.claim": "true",
|
|
"claim.name": "email_verified",
|
|
"jsonType.label": "boolean"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "roles",
|
|
"description": "OpenID Connect scope for add user roles to the access token",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "false",
|
|
"display.on.consent.screen": "true"
|
|
},
|
|
"protocolMappers": [
|
|
{
|
|
"name": "realm roles",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-realm-role-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"user.attribute": "foo",
|
|
"access.token.claim": "true",
|
|
"claim.name": "realm_access.roles",
|
|
"jsonType.label": "String",
|
|
"multivalued": "true"
|
|
}
|
|
},
|
|
{
|
|
"name": "client roles",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-usermodel-client-role-mapper",
|
|
"consentRequired": false,
|
|
"config": {
|
|
"user.attribute": "foo",
|
|
"access.token.claim": "true",
|
|
"claim.name": "resource_access.${client_id}.roles",
|
|
"jsonType.label": "String",
|
|
"multivalued": "true"
|
|
}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "web-origins",
|
|
"description": "OpenID Connect scope for add allowed web origins to the access token",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "false",
|
|
"display.on.consent.screen": "false"
|
|
},
|
|
"protocolMappers": [
|
|
{
|
|
"name": "allowed web origins",
|
|
"protocol": "openid-connect",
|
|
"protocolMapper": "oidc-allowed-origins-mapper",
|
|
"consentRequired": false,
|
|
"config": {}
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"name": "notes:read",
|
|
"description": "Nextcloud Notes read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your notes"
|
|
}
|
|
},
|
|
{
|
|
"name": "notes:write",
|
|
"description": "Nextcloud Notes write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete your notes"
|
|
}
|
|
},
|
|
{
|
|
"name": "calendar:read",
|
|
"description": "Nextcloud Calendar read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your calendars and events"
|
|
}
|
|
},
|
|
{
|
|
"name": "calendar:write",
|
|
"description": "Nextcloud Calendar write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete calendars and events"
|
|
}
|
|
},
|
|
{
|
|
"name": "contacts:read",
|
|
"description": "Nextcloud Contacts read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your contacts"
|
|
}
|
|
},
|
|
{
|
|
"name": "contacts:write",
|
|
"description": "Nextcloud Contacts write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete contacts"
|
|
}
|
|
},
|
|
{
|
|
"name": "cookbook:read",
|
|
"description": "Nextcloud Cookbook read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your recipes"
|
|
}
|
|
},
|
|
{
|
|
"name": "cookbook:write",
|
|
"description": "Nextcloud Cookbook write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete recipes"
|
|
}
|
|
},
|
|
{
|
|
"name": "deck:read",
|
|
"description": "Nextcloud Deck read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your boards and cards"
|
|
}
|
|
},
|
|
{
|
|
"name": "deck:write",
|
|
"description": "Nextcloud Deck write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete boards and cards"
|
|
}
|
|
},
|
|
{
|
|
"name": "tables:read",
|
|
"description": "Nextcloud Tables read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your tables and rows"
|
|
}
|
|
},
|
|
{
|
|
"name": "tables:write",
|
|
"description": "Nextcloud Tables write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete tables and rows"
|
|
}
|
|
},
|
|
{
|
|
"name": "files:read",
|
|
"description": "Nextcloud Files read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your files"
|
|
}
|
|
},
|
|
{
|
|
"name": "files:write",
|
|
"description": "Nextcloud Files write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Upload, update, and delete files"
|
|
}
|
|
},
|
|
{
|
|
"name": "sharing:read",
|
|
"description": "Nextcloud Sharing read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "View shared resources"
|
|
}
|
|
},
|
|
{
|
|
"name": "sharing:write",
|
|
"description": "Nextcloud Sharing write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create and manage shares"
|
|
}
|
|
},
|
|
{
|
|
"name": "todo:read",
|
|
"description": "Nextcloud Tasks/Todo read access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Read your tasks"
|
|
}
|
|
},
|
|
{
|
|
"name": "todo:write",
|
|
"description": "Nextcloud Tasks/Todo write access",
|
|
"protocol": "openid-connect",
|
|
"attributes": {
|
|
"include.in.token.scope": "true",
|
|
"display.on.consent.screen": "true",
|
|
"consent.screen.text": "Create, update, and delete tasks"
|
|
}
|
|
}
|
|
]
|
|
}
|