mcp auth doc

2026-03-17 13:14:15 +01:00
parent fc2ab655b1
commit eacce3a8c1
3 changed files with 100 additions and 5 deletions
--- a/docs/REFERENCE.md
+++ b/docs/REFERENCE.md
@@ -828,12 +828,13 @@ spec:

 **Purpose**: Automatically inject authentication sidecar into pods with authentication enabled

-**Rules**: 5 rules in the policy
+**Rules**: 6 rules in the policy
 1. `generate-auth-tokens-secret` - Creates Secret for token mode
 2. `generate-auth-oidc-secret` - Creates Secret for OIDC mode
 3. `inject-sidecar-token` - Injects auth sidecar for token mode
 4. `inject-sidecar-oidc` - Injects auth sidecar for OIDC mode
-5. `generate-auth-network-policy` - Creates NetworkPolicy to restrict ingress
+5. `inject-sidecar-mcp` - Injects auth sidecar for MCP OAuth mode (RFC 9728 / RFC 7591)
+6. `generate-auth-network-policy` - Creates NetworkPolicy to restrict ingress

 #### Trigger Annotation

@@ -872,6 +873,22 @@ policies.forteapps.io/auth-image: "ghcr.io/snothub/stunning-memory"
 policies.forteapps.io/auth-image-version: "latest"
 ```

+**MCP Mode** (OAuth 2.0 for MCP servers, implements RFC 9728 / RFC 7591):
+```yaml
+# Annotations (required)
+policies.forteapps.io/auth: "true"
+policies.forteapps.io/auth-type: "mcp"
+policies.forteapps.io/auth-mcp-resource: "https://mcp.example.com"
+policies.forteapps.io/auth-mcp-authority: "https://auth.example.com"
+
+# Optional annotations
+policies.forteapps.io/auth-mcp-scopes: "read,write"
+policies.forteapps.io/auth-upstream-url: "http://localhost:3000"
+policies.forteapps.io/auth-log-level: "info"
+policies.forteapps.io/auth-image: "ghcr.io/snothub/stunning-memory"
+policies.forteapps.io/auth-image-version: "latest"
+```
+
 #### Sidecar Container Specification

 **Token Mode**:
@@ -956,6 +973,43 @@ securityContext:
    drop: [ALL]
 ```

+**MCP Mode**:
+```yaml
+name: authn
+image: ghcr.io/snothub/stunning-memory:latest
+ports:
+- containerPort: 8080
+  name: auth
+  protocol: TCP
+env:
+- name: AUTH_MODE
+  value: "mcp"
+- name: AUTH_LISTEN_ADDR
+  value: ":8080"
+- name: AUTH_LOG_LEVEL
+  value: "info"
+- name: AUTH_UPSTREAM_URL
+  value: "http://localhost:3000"
+- name: AUTH_MCP_RESOURCE
+  value: "https://mcp.example.com"
+- name: AUTH_MCP_AUTHORIZATION_SERVERS
+  value: "https://auth.example.com"
+- name: AUTH_MCP_SCOPES_SUPPORTED
+  value: "read,write"
+resources:
+  requests:
+    cpu: 10m
+    memory: 32Mi
+  limits:
+    cpu: 50m
+    memory: 64Mi
+securityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  capabilities:
+    drop: [ALL]
+```
+
 #### Generated Resources

 **Secret (Token Mode)**:
@@ -1047,6 +1101,7 @@ Pod: Auth Sidecar (port 8080)
    ├─ Validate credentials
    │  • Token mode: Check Bearer token
    │  • OIDC mode: Validate session or redirect to IdP
+    │  • MCP mode: OAuth 2.0 via RFC 9728 discovery / RFC 7591 dynamic registration
    ↓
 Forward to Application (localhost:3000)
    ↓