Commit 751b398

716 add resources and prompts from upstream MCP Servers (#718)
* Fixed Resources and Prompts not displaying in Admin Dashboard while Tools are visible - closes #716
  Signed-off-by: Mihai Criveti <[email protected]>
* Fixed Resources and Prompts not displaying in Admin Dashboard while Tools are visible - closes #716
  Signed-off-by: Mihai Criveti <[email protected]>
* Fixed Resources and Prompts not displaying in Admin Dashboard while Tools are visible - closes #716
  Signed-off-by: Mihai Criveti <[email protected]>
* Run container-run-ssl as user so as to use correct permissions for key.pem
  Signed-off-by: Madhav Kandukuri <[email protected]>

---------

Signed-off-by: Mihai Criveti <[email protected]>
Co-authored-by: Madhav Kandukuri <[email protected]>
1 parent b0c2582 commit 751b398

8 files changed

+541
-72
lines changed

Makefile

Lines changed: 2 additions & 0 deletions
@@ -1840,6 +1840,7 @@ container-run-ssl: certs container-check-image
18401840
-$(CONTAINER_RUNTIME) stop $(PROJECT_NAME) 2>/dev/null || true
18411841
-$(CONTAINER_RUNTIME) rm $(PROJECT_NAME) 2>/dev/null || true
18421842
$(CONTAINER_RUNTIME) run --name $(PROJECT_NAME) \
1843+
--user $(shell id -u):$(shell id -g) \
18431844
--env-file=.env \
18441845
-e SSL=true \
18451846
-e CERT_FILE=certs/cert.pem \
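Review bot: In the `container-run-ssl` recipe, `--user $(shell id -u):$(shell id -g)` takes whatever identity invokes make, so `sudo make container-run-ssl` starts the gateway as 0:0 and overrides any non-root default the image sets. Consider failing or warning when `id -u` returns 0, and add a recipe comment saying the flag exists so the process can read the host-owned key file, since nothing in the recipe explains it. If `$(CONTAINER_RUNTIME)` is rootless Podman, the numeric UID is mapped inside a user namespace and does not correspond to the invoking host user unless `--userns=keep-id` is also passed, so the permission fix may not hold there.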
@@ -1860,6 +1861,7 @@ container-run-ssl-host: certs container-check-image
18601861
-$(CONTAINER_RUNTIME) stop $(PROJECT_NAME) 2>/dev/null || true
18611862
-$(CONTAINER_RUNTIME) rm $(PROJECT_NAME) 2>/dev/null || true
18621863
$(CONTAINER_RUNTIME) run --name $(PROJECT_NAME) \
1864+
--user $(shell id -u):$(shell id -g) \
18631865
--network=host \
18641866
--env-file=.env \
18651867
-e SSL=true \
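Review bot: The `--user $(shell id -u):$(shell id -g)` line in `container-run-ssl-host` is a second copy of the flag added to `container-run-ssl`, which lets the two targets drift apart. Define it once, for example `CONTAINER_USER ?= $(shell id -u):$(shell id -g)`, and pass `--user $(CONTAINER_USER)` in both recipes so the identity can also be overridden from the command line. Because this target runs with `--network=host`, keeping the process on an unprivileged UID matters more here than in the bridged target, which is another reason to guard against the value resolving to 0:0.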

docs/docs/deployment/proxy-auth.md

Lines changed: 3 additions & 3 deletions
@@ -61,7 +61,7 @@ services:
6161
OAUTH2_PROXY_UPSTREAMS: http://mcp-gateway:4444
6262
OAUTH2_PROXY_PASS_USER_HEADERS: true
6363
OAUTH2_PROXY_SET_XAUTHREQUEST: true
64-
64+
6565
mcp-gateway:
6666
image: ghcr.io/contingentai/mcp-gateway:latest
6767
environment:
@@ -83,7 +83,7 @@ services:
8383
- ./authelia:/config
8484
environment:
8585
TZ: America/New_York
86-
86+
8787
mcp-gateway:
8888
image: ghcr.io/contingentai/mcp-gateway:latest
8989
environment:
@@ -291,4 +291,4 @@ services:
291291
- ./data:/data
292292
```
293293
294-
This configuration provides Google OAuth authentication for all MCP Gateway endpoints while maintaining separate admin UI authentication.
294+
This configuration provides Google OAuth authentication for all MCP Gateway endpoints while maintaining separate admin UI authentication.
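Review bot: The removed and added line 294 in this hunk are textually identical, as are the blank-line pairs at 64 and 86 in the two hunks above, so this file carries only trailing-whitespace or end-of-file changes. Move the whitespace cleanup to its own commit so that the `--user` change in the Makefile, which affects how the container runs, is not buried among formatting-only hunks.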

docs/docs/manage/proxy.md

Lines changed: 31 additions & 31 deletions
@@ -15,7 +15,7 @@ sequenceDiagram
1515
participant Client
1616
participant Gateway as MCP Gateway
1717
participant MCP as MCP Server
18-
18+
1919
Client->>Client: Generate JWT Token
2020
Client->>Gateway: Request + Bearer Token
2121
Gateway->>Gateway: Validate JWT
@@ -37,7 +37,7 @@ sequenceDiagram
3737
participant IDP as Identity Provider
3838
participant Gateway as MCP Gateway
3939
participant MCP as MCP Server
40-
40+
4141
User->>Proxy: Request
4242
Proxy->>IDP: Validate Session
4343
IDP-->>Proxy: User Identity
@@ -92,9 +92,9 @@ graph LR
9292
OAuth -->|X-Auth-Request-User| Gateway[MCP Gateway]
9393
Gateway --> MCP1[MCP Server 1]
9494
Gateway --> MCP2[MCP Server 2]
95-
95+
9696
OAuth -.->|OAuth Flow| IDP[Google/GitHub/etc]
97-
97+
9898
style OAuth fill:#f9f,stroke:#333,stroke-width:2px
9999
style Gateway fill:#bbf,stroke:#333,stroke-width:2px
100100
```
@@ -168,15 +168,15 @@ graph TB
168168
VS --> AuthZ[Authorization Policy]
169169
AuthZ --> Gateway[MCP Gateway Pod]
170170
end
171-
171+
172172
Gateway --> MCP1[MCP Server Pod 1]
173173
Gateway --> MCP2[MCP Server Pod 2]
174-
174+
175175
OIDC[OIDC Provider] -.->|JWT Validation| AuthZ
176176
end
177-
177+
178178
User[User] -->|HTTPS + JWT| IG
179-
179+
180180
style AuthZ fill:#f96,stroke:#333,stroke-width:2px
181181
style Gateway fill:#bbf,stroke:#333,stroke-width:2px
182182
```
@@ -271,13 +271,13 @@ graph LR
271271
Plugin[OIDC Plugin] --> Route[Route]
272272
Route --> Service[Service]
273273
end
274-
274+
275275
User[User] -->|HTTPS| Plugin
276276
Service -->|X-Consumer-Username| Gateway[MCP Gateway]
277277
Gateway --> MCP[MCP Servers]
278-
278+
279279
Plugin -.->|OIDC Flow| IDP[Keycloak/Auth0]
280-
280+
281281
style Plugin fill:#f9f,stroke:#333,stroke-width:2px
282282
style Gateway fill:#bbf,stroke:#333,stroke-width:2px
283283
```
@@ -345,9 +345,9 @@ PROXY_USER_HEADER=Remote-User
345345
graph LR
346346
User[User] -->|HTTPS| CF[Cloudflare Edge]
347347
CF -->|Cf-Access-Jwt-Assertion| Gateway[MCP Gateway]
348-
348+
349349
CF -.->|SAML/OIDC| IDP[Identity Provider]
350-
350+
351351
style CF fill:#f90,stroke:#333,stroke-width:2px
352352
style Gateway fill:#bbf,stroke:#333,stroke-width:2px
353353
```
@@ -389,15 +389,15 @@ graph TB
389389
WAF[WAF] --> LB[Load Balancer]
390390
LB --> Proxy[Auth Proxy]
391391
end
392-
392+
393393
subgraph "Private Network"
394394
Proxy -->|Internal Only| Gateway[MCP Gateway]
395395
Gateway --> MCP1[MCP Server 1]
396396
Gateway --> MCP2[MCP Server 2]
397397
end
398-
398+
399399
Internet[Internet] -->|HTTPS| WAF
400-
400+
401401
style Proxy fill:#f96,stroke:#333,stroke-width:2px
402402
style Gateway fill:#bbf,stroke:#333,stroke-width:2px
403403
```
@@ -465,7 +465,7 @@ Configure your load balancer to use these endpoints:
465465

466466
??? question "Getting 401 Unauthorized with proxy headers"
467467
**Check these settings:**
468-
468+
469469
1. Verify `MCP_CLIENT_AUTH_ENABLED=false`
470470
2. Ensure `TRUST_PROXY_AUTH=true`
471471
3. Confirm header name matches `PROXY_USER_HEADER`
@@ -481,15 +481,15 @@ Configure your load balancer to use these endpoints:
481481
```
482482
WARNING - MCP client authentication is disabled but trust_proxy_auth is not set
483483
```
484-
484+
485485
**Solution:** Set `TRUST_PROXY_AUTH=true` to acknowledge proxy authentication.
486486

487487
??? question "WebSocket connections fail"
488488
**Common causes:**
489-
489+
490490
1. Proxy not passing headers on WebSocket upgrade
491491
2. Missing WebSocket support in proxy
492-
492+
493493
**nginx fix:**
494494
```nginx
495495
location /ws {
@@ -503,13 +503,13 @@ Configure your load balancer to use these endpoints:
503503

504504
??? question "How to handle multiple authentication methods?"
505505
**Use virtual servers with different auth configs:**
506-
506+
507507
```yaml
508508
# Server 1: Proxy auth
509509
- name: internal-server
510510
auth_mode: proxy
511511
proxy_header: X-Employee-Id
512-
512+
513513
# Server 2: JWT auth
514514
- name: external-server
515515
auth_mode: jwt
@@ -526,17 +526,17 @@ graph LR
526526
A1[Document Current Auth] --> A2[Deploy Proxy]
527527
A2 --> A3[Test Proxy Auth]
528528
end
529-
529+
530530
subgraph "Phase 2: Dual Mode"
531531
B1[Enable Both Auth] --> B2[Migrate Clients]
532532
B2 --> B3[Monitor Logs]
533533
end
534-
534+
535535
subgraph "Phase 3: Proxy Only"
536536
C1[Disable JWT Auth] --> C2[Remove JWT Code]
537537
C2 --> C3[Document Change]
538538
end
539-
539+
540540
A3 --> B1
541541
B3 --> C1
542542
```
@@ -547,7 +547,7 @@ graph LR
547547
```bash
548548
# Deploy auth proxy alongside existing setup
549549
docker-compose up -d oauth2-proxy
550-
550+
551551
# Test proxy authentication
552552
curl -H "Authorization: Bearer $TOKEN" \
553553
http://localhost:4180/health
@@ -566,7 +566,7 @@ graph LR
566566
# Test JWT (existing)
567567
curl -H "Authorization: Bearer $JWT_TOKEN" \
568568
http://localhost:4444/tools
569-
569+
570570
# Test proxy header (new)
571571
curl -H "X-Auth-Request-Email: [email protected]" \
572572
http://localhost:4444/tools
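Review bot: The only change in this hunk is blank line 569, but the block it sits in documents a curl request that sets `X-Auth-Request-Email` and goes straight to `http://localhost:4444/tools`, which implies the gateway accepts the identity header from anyone who can reach port 4444. While this section is being touched, add a sentence stating that in proxy mode the gateway port must be reachable only from the auth proxy and that the proxy must strip client-supplied `X-Auth-Request-*` headers before forwarding, and label the direct curl as a local test.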
@@ -577,7 +577,7 @@ graph LR
577577
# Disable JWT authentication
578578
MCP_CLIENT_AUTH_ENABLED=false
579579
TRUST_PROXY_AUTH=true
580-
580+
581581
# Restart gateway
582582
docker-compose restart mcp-gateway
583583
```
@@ -594,12 +594,12 @@ graph LR
594594
Cache -->|Miss| IDP1[IDP]
595595
IDP1 --> Cache
596596
end
597-
597+
598598
subgraph "Without Caching"
599599
Proxy2[Auth Proxy] --> IDP2[IDP]
600600
IDP2 --> Gateway2[MCP Gateway]
601601
end
602-
602+
603603
style Cache fill:#9f9,stroke:#333,stroke-width:2px
604604
```
605605

@@ -665,4 +665,4 @@ SESSION_TTL=3600 # 1 hour
665665
- [Authentication Overview](../authentication.md)
666666
- [Security Best Practices](../security.md)
667667
- [Deployment Guide](../deployment/index.md)
668-
- [Federation Setup](../federation.md)
668+
- [Federation Setup](../federation.md)

mcp-servers/go/fast-time-server/main.go

Lines changed: 5 additions & 3 deletions
@@ -908,9 +908,11 @@ func main() {
908908
s := server.NewMCPServer(
909909
appName,
910910
appVersion,
911-
server.WithToolCapabilities(false), // No progress reporting needed
912-
server.WithLogging(), // Enable MCP protocol logging
913-
server.WithRecovery(), // Recover from panics in handlers
911+
server.WithToolCapabilities(false), // No progress reporting needed
912+
server.WithResourceCapabilities(false, true), // Enable resource capabilities (no subscribe, list changed)
913+
server.WithPromptCapabilities(true), // Enable prompt capabilities (list changed)
914+
server.WithLogging(), // Enable MCP protocol logging
915+
server.WithRecovery(), // Recover from panics in handlers
914916
)
915917

916918
/* ----------------------- register tools ----------------------- */
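Review bot: `server.WithResourceCapabilities(false, true)` and `server.WithPromptCapabilities(true)` advertise resources and prompts with list-changed notifications, yet this file's diff is 5 additions and 3 deletions, all inside this option list, and the next section visible is still only `register tools`. Confirm that resource and prompt handlers are registered elsewhere in `main()`; otherwise the server announces capabilities it can only answer with empty lists, and the list-changed flags should be `false` if the set is fixed at startup. The comment on `WithToolCapabilities(false)` also says "No progress reporting needed" while the two new comments describe the same kind of boolean as "list changed"; make the three comments consistent.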
