Description
Bug Summary
MCP Context Forge integration with Keycloak is failing with the error: "OAuth callback failed for provider keycloak: AttributeError: 'MetaData' object has no attribute 'get'"
As a result, it is not possible to log in to the Admin UI using Keycloak or call MCP tools via the API using Keycloak tokens.
Affected Component
Select the area of the project impacted:
- mcpgateway - API
- mcpgateway - UI (admin panel)
- mcpgateway.wrapper - stdio wrapper
- Federation or Transports
- CLI, Makefiles, or shell scripts
- Container setup (Docker/Podman/Compose)
- Other (explain below)
Steps to Reproduce
Follow the guide: https://ibm.github.io/mcp-context-forge/manage/sso-keycloak-tutorial/
- Start Keycloak, create a realm and client, and configure them as per the guide. Skip the roles mapping section for a simple setup.
- Run mcpgateway via Docker.
```
docker run -d --name mcpgateway \
  -p 4444:4444 \
  -e PORT=4444 \
  -e MCPGATEWAY_UI_ENABLED=true \
  -e MCPGATEWAY_ADMIN_API_ENABLED=true \
  -e HOST=0.0.0.0 \
  -e JWT_SECRET_KEY=my-test-key \
  -e BASIC_AUTH_USER=admin \
  -e BASIC_AUTH_PASSWORD=changeme \
  -e AUTH_REQUIRED=true \
  -e [email protected] \
  -e PLATFORM_ADMIN_PASSWORD=changeme \
  -e PLATFORM_ADMIN_FULL_NAME="Platform Administrator" \
  -e DATABASE_URL=sqlite:///./mcp.db \
  -e SSO_ENABLED=true \
  -e SSO_KEYCLOAK_ENABLED=true \
  -e SSO_KEYCLOAK_BASE_URL=http://keycloak:8080 \
  -e SSO_KEYCLOAK_REALM=myrealm \
  -e SSO_KEYCLOAK_CLIENT_ID=mcpgateway \
  -e SSO_KEYCLOAK_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET \
  ghcr.io/ibm/mcp-context-forge:0.9.0
```
OR use generic SSO configuration for Keycloak, e.g.:
```
  -e SSO_GENERIC_ENABLED=true \
  -e SSO_GENERIC_PROVIDER_ID=keycloak \
  -e SSO_GENERIC_DISPLAY_NAME=Keycloak \
  -e SSO_GENERIC_CLIENT_ID=mcpgateway \
  -e SSO_GENERIC_CLIENT_SECRET=$KEYCLOAK_CLIENT_SECRET \
  -e SSO_GENERIC_AUTHORIZATION_URL="http://keycloak:8080/realms/myrealm/protocol/openid-connect/auth" \
  -e SSO_GENERIC_TOKEN_URL="http://keycloak:8080/realms/myrealm/protocol/openid-connect/token" \
  -e SSO_GENERIC_USERINFO_URL="http://keycloak:8080/realms/myrealm/protocol/openid-connect/userinfo" \
  -e SSO_GENERIC_ISSUER="http://keycloak:8080/realms/myrealm" \
  -e SSO_GENERIC_SCOPE="openid profile email web-origins" \
```
- Try to log in via the Admin UI OR call any tool via API using Authorization: Bearer <token issued by Keycloak>.
Expected Behavior
The MCP Gateway instance is integrated with Keycloak, allowing users to log in to the Admin UI and call MCP tools via API using Keycloak tokens.
Logs / Error Output
```
mcpgateway.services.sso_service - ERROR - OAuth callback failed for provider keycloak: AttributeError: 'MetaData' object has no attribute 'get'
mcpgateway | 2025-11-26 14:13:38,598 - mcpgateway.services.sso_service - ERROR - Full traceback for OAuth callback failure:
mcpgateway | Traceback (most recent call last):
mcpgateway | File "/app/mcpgateway/services/sso_service.py", line 421, in handle_oauth_callback
mcpgateway | user_info = await self._get_user_info(provider, token_data["access_token"])
mcpgateway | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
mcpgateway | File "/app/mcpgateway/services/sso_service.py", line 500, in _get_user_info
mcpgateway | return self._normalize_user_info(provider, user_data)
mcpgateway | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
mcpgateway | File "/app/mcpgateway/services/sso_service.py", line 563, in _normalize_user_info
mcpgateway | username_claim = metadata.get("username_claim", "preferred_username")
mcpgateway | ^^^^^^^^^^^^
mcpgateway | AttributeError: 'MetaData' object has no attribute 'get'
```
Environment Info
| Key | Value |
|---|---|
| Version or commit | v0.9.0 |
| Runtime | Python 3.12, Gunicorn |
| Platform / OS | Ubuntu 22.04, WSL2, Windows 11 |
| Container | Docker or running from code |
| Keycloak | version 26.4.5 |
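
The traceback in this report ends with `.get` being called on an object that is not a mapping. The following is an added illustration, not the project's code or its fix: it reproduces that failure on a stand-in class and shows a claim-normalization helper that checks the metadata type before reading `username_claim`. `FakeMetaData`, `FakeProvider`, `provider_settings`, `normalize_user_info` and the sample payload are constructed for this example, and it assumes (the issue does not confirm this) that the object reaching the call is something like SQLAlchemy's `MetaData` registry rather than the provider's own settings.

```python
import logging
from collections.abc import Mapping

log = logging.getLogger("sso_example")


class FakeMetaData:
    """Constructed stand-in: a non-mapping object with no .get()."""


class FakeProvider:
    """Hypothetical provider record; attribute names are assumptions."""
    def __init__(self, provider_id, metadata):
        self.id = provider_id
        self.metadata = metadata


def provider_settings(provider):
    """Return provider settings as a dict; a non-mapping counts as none."""
    raw = getattr(provider, "metadata", None)
    if isinstance(raw, Mapping):
        return dict(raw)
    log.warning("provider %s: metadata is %s, using default claims",
                provider.id, type(raw).__name__)
    return {}


def normalize_user_info(provider, user_data):
    """Map userinfo claims to a local identity; refuse unusable input."""
    username_claim = provider_settings(provider).get(
        "username_claim", "preferred_username")
    email = user_data.get("email")
    if not isinstance(email, str) or "@" not in email:
        raise ValueError("userinfo response has no usable email claim")
    username = user_data.get(username_claim) or email.split("@", 1)[0]
    return {"provider": provider.id, "email": email.lower(),
            "username": username, "provider_id": user_data.get("sub")}


def reproduce_failure():
    """The unguarded call from the traceback, on the stand-in object."""
    try:
        FakeMetaData().get("username_claim", "preferred_username")
    except AttributeError as exc:
        return str(exc)
    return None


# Constructed Keycloak-style userinfo payload (not taken from the issue).
SAMPLE_USERINFO = {"sub": "00000000-0000-0000-0000-000000000001",
                   "preferred_username": "alice", "email": "Alice@example.com"}
```

The warning logged on the fallback path keeps a misconfigured or mis-wired provider visible to operators instead of silently applying default claim names.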