mcp auth doc

This commit is contained in:
Danijel Simeunovic
2026-03-17 13:14:15 +01:00
parent fc2ab655b1
commit eacce3a8c1
3 changed files with 100 additions and 5 deletions


@@ -967,7 +967,7 @@ User sees application (authenticated)
```yaml
auth:
enabled: false # Enable/disable authentication
type: token # "token" or "oidc"
type: token # "token", "oidc", or "mcp"
# Token mode configuration
tokens: [] # List of valid bearer tokens
@@ -980,6 +980,12 @@ auth:
clientId: "" # OIDC client ID (required for OIDC)
scopes: "openid,profile,email" # OIDC scopes (optional)
callbackPath: /auth/callback # OAuth callback path (optional)
# MCP mode configuration (RFC 9728 / RFC 7591)
mcp:
resource: "" # Protected resource URL (required for MCP)
authority: "" # Authorization server URL (required for MCP)
scopes: "read,write" # Supported scopes (optional)
```
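Review bot: the `mcp:` block documents `resource` and `authority` as "required" but not what they must contain, and that is where misconfiguration happens. `authority` should be described as the authorization server's issuer identifier (the base URL under which its own metadata is served), and `resource` as the exact external URL clients use to reach the server, because an RFC 9728 metadata document is keyed on that resource identifier and conforming clients reject metadata whose `resource` value does not match the URL they called. The heading comment also cites RFC 7591, yet none of the three keys configures dynamic client registration; state whether the sidecar registers a client itself or only advertises an `authority` that supports registration, and say what the sidecar does at startup when `resource` or `authority` is left empty (refuse to start vs. serve unauthenticated). Suggested comment text: `resource: "" # Exact public URL of this server, as used by clients (required for MCP)` and `authority: "" # Issuer URL of the authorization server (required for MCP)`.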
#### Annotations Set by Helm Chart
@@ -1005,6 +1011,16 @@ policies.forteapps.io/auth-oidc-callback-path: "/auth/callback"
policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
```
**MCP mode** (OAuth 2.0 for MCP servers):
```yaml
policies.forteapps.io/auth: "true"
policies.forteapps.io/auth-type: "mcp"
policies.forteapps.io/auth-mcp-resource: "https://mcp.forteapps.net"
policies.forteapps.io/auth-mcp-authority: "https://keycloak.forteapps.net/realms/master"
policies.forteapps.io/auth-mcp-scopes: "read,write"
policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
```
#### Sidecar Configuration
The auth sidecar container:
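Review bot: `policies.forteapps.io/auth-mcp-authority` in the example points at the Keycloak `master` realm, while Example 3 further down uses a dedicated `realms/mcp` realm. The master realm is Keycloak's administrative realm, and readers copy example annotations verbatim, so this example should use a dedicated realm as well, e.g. `policies.forteapps.io/auth-mcp-authority: "https://keycloak.forteapps.net/realms/mcp"`, and the two examples should agree. It would also help to say next to `auth-mcp-resource` that the value must be the public URL of the ingress host (here `https://mcp.forteapps.net`), not the `auth-upstream-url`, since the sidecar publishes it as the resource identifier in the protected resource metadata.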
@@ -1091,7 +1107,31 @@ kubectl create secret generic auth-oidc \
> secrets/web-app-auth-oidc-sealed.yaml
```
#### Example 3: Disabling Authentication
#### Example 3: MCP Server with OAuth 2.0
```yaml
# helm-values/mcp-server/values.yaml
app:
image:
repository: ghcr.io/company/mcp-server
tag: v1.0.0
auth:
enabled: true
type: mcp
mcp:
resource: https://mcp-server.forteapps.net
authority: https://auth.company.com/realms/mcp
scopes: "read,write,admin"
ingress:
enabled: true
host: mcp-server.forteapps.net
```
The MCP auth mode implements RFC 9728 (OAuth 2.0 Protected Resource Metadata) for authorization server discovery and RFC 7591 (OAuth 2.0 Dynamic Client Registration) for automatic client registration. MCP clients discover the authorization server and scopes from the `/.well-known/oauth-protected-resource` endpoint served by the sidecar.
#### Example 4: Disabling Authentication
```yaml
# helm-values/public-api/values.yaml
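Review bot: the paragraph under Example 3 explains discovery and registration but leaves out the two behaviours an operator has to verify before exposing an MCP server this way. First, how an unauthenticated request is answered: under RFC 9728 the protected resource responds 401 with a `WWW-Authenticate: Bearer resource_metadata="https://mcp-server.forteapps.net/.well-known/oauth-protected-resource"` challenge, and that challenge, not the well-known path alone, is how clients locate the metadata; say whether the sidecar sends it. Second, how the sidecar validates the bearer token it then receives: it should check that the token's audience matches `mcp.resource` and that the granted scopes are enforced against `scopes: "read,write,admin"`, otherwise a token minted by the same `authority` for a different resource is accepted here. A one-line note on each, plus the expected JSON fields (`resource`, `authorization_servers`, `scopes_supported`) returned by the well-known endpoint, would make this example checkable.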