Introduce jwks url flag to be published in oauth metadata

Author: ardaguclu

pkg/config/config.go

@@ -24,6 +24,7 @@ type StaticConfig struct {
 	DisabledTools      []string `toml:"disabled_tools,omitempty"`
 	RequireOAuth       bool     `toml:"require_oauth,omitempty"`
 	AuthorizationURL   string   `toml:"authorization_url,omitempty"`
+	JwksURL            string   `toml:"jwks_url,omitempty"`
 	ServerURL          string   `toml:"server_url,omitempty"`
 }
 

pkg/http/http.go

@@ -60,6 +60,7 @@ func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.Stat
 
 		response := map[string]interface{}{
 			"authorization_servers":    authServers,
+			"authorization_server":     authServers[0],
 			"scopes_supported":         []string{},
 			"bearer_methods_supported": []string{"header"},
 		}
@@ -68,6 +69,10 @@ func Serve(ctx context.Context, mcpServer *mcp.Server, staticConfig *config.Stat
 			response["resource"] = staticConfig.ServerURL
 		}
 
+		if staticConfig.JwksURL != "" {
+			response["jwks_uri"] = staticConfig.JwksURL
+		}
+
 		w.WriteHeader(http.StatusOK)
 		if err := json.NewEncoder(w).Encode(response); err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)

pkg/kubernetes-mcp-server/cmd/root.go

@@ -59,6 +59,7 @@ type MCPServerOptions struct {
 	DisableDestructive bool
 	RequireOAuth       bool
 	AuthorizationURL   string
+	JwksURL            string
 	ServerURL          string
 
 	ConfigPath   string
@@ -116,6 +117,8 @@ func NewMCPServer(streams genericiooptions.IOStreams) *cobra.Command {
 	cmd.Flags().MarkHidden("require-oauth")
 	cmd.Flags().StringVar(&o.AuthorizationURL, "authorization-url", o.AuthorizationURL, "OAuth authorization server URL for protected resource endpoint. If not provided, the Kubernetes API server host will be used. Only valid if require-oauth is enabled.")
 	cmd.Flags().MarkHidden("authorization-url")
+	cmd.Flags().StringVar(&o.JwksURL, "jwks-url", o.JwksURL, "OAuth JWKS server URL for protected resource endpoint. Only valid if require-oauth is enabled.")
+	cmd.Flags().MarkHidden("jwks-url")
 	cmd.Flags().StringVar(&o.ServerURL, "server-url", o.ServerURL, "Server URL of this application. Optional. If set, this url will be served in protected resource metadata endpoint and tokens will be validated with this audience. If not set, expected audience is kubernetes-mcp-server. Only valid if require-oauth is enabled.")
 	cmd.Flags().MarkHidden("server-url")
 	return cmd
@@ -174,6 +177,9 @@ func (m *MCPServerOptions) loadFlags(cmd *cobra.Command) {
 	if cmd.Flag("authorization-url").Changed {
 		m.StaticConfig.AuthorizationURL = m.AuthorizationURL
 	}
+	if cmd.Flag("jwks-url").Changed {
+		m.StaticConfig.JwksURL = m.JwksURL
+	}
 	if cmd.Flag("server-url").Changed {
 		m.StaticConfig.ServerURL = m.ServerURL
 	}
@@ -195,8 +201,8 @@ func (m *MCPServerOptions) Validate() error {
 	if m.Port != "" && (m.SSEPort > 0 || m.HttpPort > 0) {
 		return fmt.Errorf("--port is mutually exclusive with deprecated --http-port and --sse-port flags")
 	}
-	if !m.StaticConfig.RequireOAuth && (m.StaticConfig.AuthorizationURL != "" || m.StaticConfig.ServerURL != "") {
-		return fmt.Errorf("authorization-url and server-url are only valid if require-oauth is enabled")
+	if !m.StaticConfig.RequireOAuth && (m.StaticConfig.AuthorizationURL != "" || m.StaticConfig.ServerURL != "" || m.StaticConfig.JwksURL != "") {
+		return fmt.Errorf("authorization-url, server-url and jwks-url are only valid if require-oauth is enabled. Missing --port may implicitly set require-oauth to false")
 	}
 	if m.StaticConfig.AuthorizationURL != "" {
 		u, err := url.Parse(m.StaticConfig.AuthorizationURL)
@@ -222,6 +228,18 @@ func (m *MCPServerOptions) Validate() error {
 			klog.Warningf("server-url is using http://, this is not recommended production use")
 		}
 	}
+	if m.StaticConfig.JwksURL != "" {
+		u, err := url.Parse(m.StaticConfig.JwksURL)
+		if err != nil {
+			return err
+		}
+		if u.Scheme != "https" && u.Scheme != "http" {
+			return fmt.Errorf("--jwks-url must be a valid URL")
+		}
+		if u.Scheme == "http" {
+			klog.Warningf("jwks-url is using http://, this is not recommended production use")
+		}
+	}
 	return nil
 }