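# MCP Server Configuration
# Nesting restored: with every key at column 0 the nested mappings collapse
# into one flat mapping with repeated keys.
server:
  name: "MCP Forge"
  version: "0.1.0"

  transport:
    # Plain HTTP transport. Nothing in this file configures TLS, so any
    # transport encryption has to come from whatever sits in front of it.
    type: "http"
    http:
      # Listen address with an empty host part.
      # NOTE(review): presumably this binds every interface - confirm.
      # middleware.jwt.validation.strategy is "external", so the token is
      # checked by an upstream proxy; this port should only be reachable
      # through that proxy (network policy, loopback bind or similar).
      host: ":8080"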
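# Middleware Configuration
# Nesting restored: flat keys would make 'enabled' and 'jwks_uri' collide
# with the same keys in the OAuth sections of this file.
middleware:
  access_logs:
    excluded_headers:
      - X-Excluded
    # Credential-bearing headers. The forwarded JWT header is listed next to
    # Authorization; if forwarded_header below is renamed, rename it here too
    # so token contents stay out of the access logs.
    redacted_headers:
      - Authorization
      - X-Validated-Jwt

  jwt:
    enabled: true

    validation:
      strategy: "external" # Values: 'local' or 'external'

      # JWT forwarded by upstream proxy (Istio, etc.)
      # Ref: https://istio.io/latest/docs/reference/config/security/request_authentication/#JWTRule-output_payload_to_header
      # The header described at that reference carries the decoded payload
      # without a signature, so its authenticity rests on the proxy alone.
      # NOTE(review): confirm the proxy removes or overwrites any
      # client-supplied copy of this header, and that no route reaches this
      # server without passing through the proxy.
      forwarded_header: "X-Validated-Jwt"

      # NOTE(review): presumably only read when strategy is 'local' - confirm.
      # The anchor on jwks_uri is reused by oauth_protected_resource.jwks_uri.
      local:
        jwks_uri: &JwksUri "https://keycloak.example.com/realms/mcp-servers/protocol/openid-connect/certs"
        cache_interval: "10s"

        # CEL expressions to fine tune allowance. JWT payload is available under object 'payload'
        # An empty list configures no claim-based restriction.
        # NOTE(review): presumably every validated token is then accepted -
        # confirm, and consider a group or audience condition like the
        # commented examples below.
        allow_conditions: []
        #- expression: 'payload.groups.exists(group, group in ["admin", "editor"])'
        #- expression: 'has(payload.email) && payload.email.endsWith("@example.com")'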
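# Oauth Authorization Server Configuration
# Endpoint: /.well-known/oauth-authorization-server
# Nesting restored so that 'enabled' belongs to this section only.
oauth_authorization_server:
  enabled: true

  # A suffix can be attached to the URL using following param as follows:
  # It will produce: /.well-known/oauth-authorization-server{url_suffix}
  # url_suffix: "/mcp"

  # Following path will be attached: /.well-known/openid-configuration
  # Same Keycloak realm as the jwks_uri and auth_servers entries elsewhere in
  # this file; change them together. Keep the scheme https: clients learn
  # where to authenticate from what this endpoint returns.
  issuer_uri: "https://keycloak.example.com/realms/mcp-servers"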
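# Oauth Protected Resource Configuration
# Endpoint: /.well-known/oauth-protected-resource
# Field names follow OAuth 2.0 Protected Resource Metadata (RFC 9728).
# Nesting restored so that 'enabled' and 'jwks_uri' belong to this section.
oauth_protected_resource:
  enabled: true

  # A suffix can be attached to the URL using following param as follows:
  # It will produce: /.well-known/oauth-protected-resource{url_suffix}
  # url_suffix: "/mcp"

  # Resource identifier announced to clients.
  # NOTE(review): should match the audience the tokens are issued for - confirm.
  resource: "https://mcp-forge.example.com/mcp"
  auth_servers:
    - "https://keycloak.example.com/realms/mcp-servers"
  # Alias of the anchor set on middleware.jwt.validation.local.jwks_uri;
  # deleting that key breaks this line.
  # NOTE(review): RFC 9728 describes jwks_uri as the protected resource's own
  # key set, while this value is the authorization server's certs endpoint -
  # confirm that is intended.
  jwks_uri: *JwksUri
  scopes_supported:
    - openid
    - profile
    - email
    - groups
    - mcp-forge/custom-audience

  # Optional parameters (currently empty)
  bearer_methods_supported: []
  resource_signing_alg_values_supported: []
  resource_name: ""
  resource_documentation: ""
  resource_policy_uri: ""
  resource_tos_uri: ""
  # Both binding flags are false, so no sender-constrained tokens (mTLS or
  # DPoP) are announced; a leaked bearer token stays usable until it expires.
  # NOTE(review): these are advertised metadata; whether the server enforces
  # either binding cannot be told from this file.
  tls_client_certificate_bound_access_tokens: false
  authorization_details_types_supported: []
  dpop_signing_alg_values_supported: []
  dpop_bound_access_tokens_required: false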