feat(mcp): add HTTP with OAuth token forwarding #8460
Draft
Joel-hanson wants to merge 1 commit into
Enable optional HTTP MCP transport with inbound Quarkus OIDC and forward caller JWTs to Registry via Java SDK bearerToken() support. Stdio transport and client-credentials mode remain the default. Adds Keycloak example, docs, and integration tests.
Fixes Apicurio#8394
Signed-off-by: Joel Hanson <17215044+Joel-hanson@users.noreply.github.com>
Summary
This PR adds an HTTP transport to the Apicurio Registry MCP server, secured with inbound OIDC and per-caller bearer-token forwarding to Registry.
Today, MCP only works as a local process (stdio) that authenticates to Registry with a shared service account. After this change, you can also run MCP as a long-lived HTTP service: clients log in with their own Keycloak user, and Registry applies that user’s RBAC (same as the UI).
Stdio mode is unchanged and remains the default for local desktop clients.
Fixes: #8394
Mental model
Before (stdio only)
After (stdio or HTTP)
Runtime safety gate
HTTP transport is compiled into the MCP image at build time, but /mcp is not exposed unless you opt in at runtime:
Enforced by McpHttpGateFilter (see McpHttpDisabledByDefaultTest).
User journeys
Journey 1 — Local desktop client (stdio) — no change required
APICURIO_MCP_AUTH_* client credentials. APICURIO_MCP_HTTP_ENABLED=false, QUARKUS_OIDC_TENANT_ENABLED=false).
Example: examples/mcp-keycloak/stdio.example.json
Journey 2 — HTTP MCP with OAuth (new)
url: http://<host>:8082/mcp and OAuth client apicurio-mcp.
Example: examples/mcp-keycloak/http.example.json
What users need to set
Stdio mode (MCP → Registry)
REGISTRY_URL=http://localhost:8081
APICURIO_MCP_AUTH_ENABLED=true
APICURIO_MCP_AUTH_TOKEN_ENDPOINT=http://localhost:8080/realms/registry/protocol/openid-connect/token
APICURIO_MCP_AUTH_CLIENT_ID=admin-client
APICURIO_MCP_AUTH_CLIENT_SECRET=test1
QUARKUS_OIDC_TENANT_ENABLED=false
APICURIO_MCP_HTTP_ENABLED=false
HTTP mode (remote / OAuth clients)
Apicurio settings:
APICURIO_MCP_HTTP_ENABLED=true
APICURIO_MCP_HTTP_FORWARD_TOKEN=true
REGISTRY_URL=http://apicurio-registry:8080
Quarkus companion settings (required when HTTP mode is on):
QUARKUS_MCP_SERVER_HTTP_ENABLED=true
QUARKUS_MCP_SERVER_STDIO_ENABLED=false
QUARKUS_OIDC_TENANT_ENABLED=true
QUARKUS_OIDC_APPLICATION_TYPE=service
QUARKUS_OIDC_AUTH_SERVER_URL=http://keycloak:8080/realms/registry/mcp
QUARKUS_HTTP_AUTH_PERMISSION_AUTHENTICATED_PATHS=/mcp
QUARKUS_HTTP_AUTH_PERMISSION_AUTHENTICATED_POLICY=authenticated
Optional (OAuth discovery / CORS for Inspector-style clients): see examples/mcp-keycloak/docker-compose.yml.
Full reference: MCP server integration guide
What’s in the code
- RegistryClientResolver
- McpHttpGateFilter: /mcp returns 404 unless apicurio.mcp.http.enabled=true
- McpHttpAuthValidator
- RegistryClientOptions.bearerToken(), AuthType.BEARER, JDK adapter support
- Utils.java: ProblemDetails / 401–403 messages (roles matter now that tokens are per-user)
- examples/mcp-keycloak
Why Utils.java error formatting is in this PR
With token forwarding, tool calls fail based on the caller’s Keycloak role. Returning a clear 401/403 (with role hints) is part of making HTTP mode usable for agents and users.
Quarkus OIDC
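As an added illustration (not code from this PR or from Apicurio Registry), the following Python model pins down the two runtime decisions the description makes for the HTTP transport: the opt-in gate that hides /mcp with a 404, and whether the outbound Registry call carries the caller's own bearer token or the shared client-credentials token. McpConfig, handle_mcp_request and the token strings are constructed for the example; real inbound validation is done by Quarkus OIDC and also checks the JWT signature and issuer, which this model does not.

```python
"""Model of the HTTP MCP gate and token-forwarding decisions described in the PR.

Config fields mirror APICURIO_MCP_HTTP_ENABLED and APICURIO_MCP_HTTP_FORWARD_TOKEN;
all token values below are constructed sample strings, not real JWTs.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class McpConfig:
    http_enabled: bool    # APICURIO_MCP_HTTP_ENABLED: runtime opt-in for /mcp
    forward_token: bool   # APICURIO_MCP_HTTP_FORWARD_TOKEN: send caller's JWT to Registry
    service_token: str    # token the server obtained itself via client credentials


def _bearer(headers: Dict[str, str]) -> Optional[str]:
    """Extract the bearer token from Authorization; None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def handle_mcp_request(cfg: McpConfig, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Return (status for the caller, Authorization header used toward Registry).

    404: transport not enabled at runtime, so /mcp behaves as if it did not exist.
    401: transport enabled but no valid bearer token (stand-in for the OIDC
         'authenticated' policy on /mcp; signature/issuer checks are not modelled).
    200: the Registry call uses the caller's token when forwarding is on, so
         Registry applies that user's RBAC; otherwise the shared service token.
    """
    if not cfg.http_enabled:
        return 404, None
    caller_token = _bearer(headers)
    if caller_token is None:
        return 401, None
    upstream = caller_token if cfg.forward_token else cfg.service_token
    return 200, "Bearer " + upstream


if __name__ == "__main__":
    cfg = McpConfig(http_enabled=True, forward_token=True, service_token="svc-token")
    print(handle_mcp_request(cfg, {"Authorization": "Bearer user-jwt"}))
```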