some token exchange fiddling

Signed-off-by: Matthias Wessendorf <[email protected]>

Author: matzew

build/keycloak.mk

@@ -184,7 +184,7 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
 	MCP_CLIENT_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X POST "http://localhost:8090/admin/realms/openshift/clients" \
 		-H "Authorization: Bearer $$TOKEN" \
 		-H "Content-Type: application/json" \
-		-d '{"clientId":"mcp-server","enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups"],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false"}}'); \
+		-d '{"clientId":"mcp-server","enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups","mcp-server"],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false"}}'); \
 	MCP_CLIENT_CODE=$$(echo "$$MCP_CLIENT_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2); \
 	if [ "$$MCP_CLIENT_CODE" = "201" ] || [ "$$MCP_CLIENT_CODE" = "409" ]; then \
 		if [ "$$MCP_CLIENT_CODE" = "201" ]; then echo "✅ mcp-server client created"; \
@@ -194,7 +194,7 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
 		exit 1; \
 	fi; \
 	echo ""; \
-	echo "Enabling token exchange for mcp-server..."; \
+	echo "Enabling standard token exchange for mcp-server..."; \
 	CLIENTS_LIST=$$(curl -s -X GET "http://localhost:8090/admin/realms/openshift/clients" \
 		-H "Authorization: Bearer $$TOKEN" \
 		-H "Accept: application/json"); \
@@ -203,15 +203,15 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
 		echo "❌ Failed to find mcp-server client"; \
 		exit 1; \
 	fi; \
-	PERMS_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X PUT "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID/management/permissions" \
+	UPDATE_CLIENT_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X PUT "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID" \
 		-H "Authorization: Bearer $$TOKEN" \
 		-H "Content-Type: application/json" \
-		-d '{"enabled":true}'); \
-	PERMS_CODE=$$(echo "$$PERMS_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2); \
-	if [ "$$PERMS_CODE" = "200" ]; then \
-		echo "✅ Token exchange permissions enabled"; \
+		-d '{"clientId":"mcp-server","enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups","mcp-server"],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false","client.token.exchange.enabled":"true"}}'); \
+	UPDATE_CLIENT_CODE=$$(echo "$$UPDATE_CLIENT_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2); \
+	if [ "$$UPDATE_CLIENT_CODE" = "204" ]; then \
+		echo "✅ Standard token exchange enabled for mcp-server client"; \
 	else \
-		echo "⚠️  Could not enable permissions (HTTP $$PERMS_CODE) - may need manual configuration"; \
+		echo "⚠️  Could not enable token exchange (HTTP $$UPDATE_CLIENT_CODE)"; \
 	fi; \
 	echo ""; \
 	echo "Getting mcp-server client secret..."; \