Configure Keycloak authorization policies to allow nextcloud-mcp-server
to exchange tokens for nextcloud audience. This enables RFC 8693 token
exchange flow between the MCP client and Nextcloud.
Changes:
- Enable service accounts and authorization services for nextcloud client
- Add token-exchange resource with scope-based permissions
- Create client policy allowing nextcloud-mcp-server and nextcloud
- Add token-exchange-permission with affirmative decision strategy
- Add mcp-server-audience mapper to nextcloud-mcp-server client
- Simplify audience validation to accept tokens with MCP client ID
The authorization policy enables tokens issued to nextcloud-mcp-server
to be exchanged for tokens with nextcloud audience, validated via both
clients being included in the allow-nextcloud-mcp-server-to-exchange
policy.
All 7 token exchange integration tests pass, confirming:
- Basic token exchange with correct audience claims
- Nextcloud API access with exchanged tokens
- Stateless multiple exchange operations
- Full CRUD operations on Notes API
- Proper claim preservation (sub, azp, aud)
- Default scope configuration
- TokenExchangeService implementation
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Chris Coutinho
723eb57060