@@ -166,6 +166,42 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
166166 exit 1; \
167167 fi ; \
168168 echo " " ; \
169+ echo " Creating mcp-server client scope..." ; \
170+ MCP_SERVER_SCOPE_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X POST "http://localhost:8090/admin/realms/openshift/client-scopes" \
171+ -H " Authorization: Bearer $$ TOKEN" \
172+ -H " Content-Type: application/json" \
173+ -d ' {"name":"mcp-server","protocol":"openid-connect","attributes":{"display.on.consent.screen":"false","include.in.token.scope":"true"}}' ); \
174+ MCP_SERVER_SCOPE_CODE=$$(echo "$$MCP_SERVER_SCOPE_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2 ) ; \
175+ if [ " $$ MCP_SERVER_SCOPE_CODE" = " 201" ] || [ " $$ MCP_SERVER_SCOPE_CODE" = " 409" ]; then \
176+ if [ " $$ MCP_SERVER_SCOPE_CODE" = " 201" ]; then echo " ✅ mcp-server client scope created" ; \
177+ else echo " ✅ mcp-server client scope already exists" ; fi ; \
178+ else \
179+ echo " ❌ Failed to create mcp-server scope (HTTP $$ MCP_SERVER_SCOPE_CODE)" ; \
180+ exit 1; \
181+ fi ; \
182+ echo " " ; \
183+ echo " Adding audience mapper to mcp-server scope..." ; \
184+ SCOPES_LIST=$$(curl -s -X GET "http://localhost:8090/admin/realms/openshift/client-scopes" \
185+ -H " Authorization: Bearer $$ TOKEN" \
186+ -H " Accept: application/json" ); \
187+ MCP_SERVER_SCOPE_ID=$$(echo "$$SCOPES_LIST" | jq -r '.[] | select(.name == "mcp-server" ) | .id // empty' 2>/dev/null); \
188+ if [ -z " $$ MCP_SERVER_SCOPE_ID" ]; then \
189+ echo " ❌ Failed to find mcp-server scope" ; \
190+ exit 1; \
191+ fi ; \
192+ MCP_SERVER_MAPPER_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X POST "http://localhost:8090/admin/realms/openshift/client-scopes/$$MCP_SERVER_SCOPE_ID/protocol-mappers/models" \
193+ -H " Authorization: Bearer $$ TOKEN" \
194+ -H " Content-Type: application/json" \
195+ -d ' {"name":"mcp-server-audience","protocol":"openid-connect","protocolMapper":"oidc-audience-mapper","config":{"included.client.audience":"mcp-server","id.token.claim":"true","access.token.claim":"true"}}' ); \
196+ MCP_SERVER_MAPPER_CODE=$$(echo "$$MCP_SERVER_MAPPER_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2 ) ; \
197+ if [ " $$ MCP_SERVER_MAPPER_CODE" = " 201" ] || [ " $$ MCP_SERVER_MAPPER_CODE" = " 409" ]; then \
198+ if [ " $$ MCP_SERVER_MAPPER_CODE" = " 201" ]; then echo " ✅ mcp-server audience mapper added" ; \
199+ else echo " ✅ mcp-server audience mapper already exists" ; fi ; \
200+ else \
201+ echo " ❌ Failed to create mcp-server audience mapper (HTTP $$ MCP_SERVER_MAPPER_CODE)" ; \
202+ exit 1; \
203+ fi ; \
204+ echo " " ; \
169205 echo " Creating openshift service client..." ; \
170206 OPENSHIFT_CLIENT_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X POST "http://localhost:8090/admin/realms/openshift/clients" \
171207 -H " Authorization: Bearer $$ TOKEN" \
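Review bot: The audience mapper created on line 195 points `included.client.audience` at a `mcp-server` client that does not exist yet on a fresh realm — that client is only POSTed further down this recipe (the hunk around line 223) — so this step relies on Keycloak accepting a client reference it cannot resolve at creation time; if the deployed version validates the reference, the 201/409 check fails and the whole target exits, and if it does not, the ordering is merely fragile and undocumented. Either move the scope-and-mapper block after the client creation, or mark the dependency with a comment such as `# NOTE: audience mapper references the mcp-server client by clientId; that client is created below`. Separately, the `2>/dev/null` on the jq call at line 187 hides parse errors, so an expired admin token (non-JSON error body) surfaces only as "Failed to find mcp-server scope"; capturing and printing the GET's HTTP code as the other steps do would make that diagnosable. The target body starts before this hunk.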
@@ -184,7 +220,7 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
184220 MCP_CLIENT_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X POST "http://localhost:8090/admin/realms/openshift/clients" \
185221 -H " Authorization: Bearer $$ TOKEN" \
186222 -H " Content-Type: application/json" \
187- -d ' {"clientId":"mcp-server","enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups"],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false"}}' ); \
223+ -d ' {"clientId":"mcp-server","enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups","mcp-server" ],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false"}}' ); \
188224 MCP_CLIENT_CODE=$$(echo "$$MCP_CLIENT_RESPONSE" | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2 ) ; \
189225 if [ " $$ MCP_CLIENT_CODE" = " 201" ] || [ " $$ MCP_CLIENT_CODE" = " 409" ]; then \
190226 if [ " $$ MCP_CLIENT_CODE" = " 201" ]; then echo " ✅ mcp-server client created" ; \
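Review bot: `"redirectUris":["*"]` on line 223 is a wildcard redirect allow-list on a client with `standardFlowEnabled:true`, so any attacker-supplied `redirect_uri` is accepted in the authorization code flow; the client is confidential, which limits what an intercepted code is worth without the secret, but this is still the misconfiguration Keycloak's own hardening guidance warns against, and the commit re-emits the line unchanged while it is editing it. Restrict the list to the MCP server's actual callback URL(s), even in this localhost-only setup target. Less urgently, `directAccessGrantsEnabled:true` enables the password grant, which the token-exchange flow this target configures does not appear to need; if it is kept for convenience, a comment saying so would stop it being copied into non-dev realms. The target body starts and ends outside this hunk.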
@@ -194,7 +230,7 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
194230 exit 1; \
195231 fi ; \
196232 echo " " ; \
197- echo " Enabling token exchange for mcp-server..." ; \
233+ echo " Enabling standard token exchange for mcp-server..." ; \
198234 CLIENTS_LIST=$$(curl -s -X GET "http://localhost:8090/admin/realms/openshift/clients" \
199235 -H " Authorization: Bearer $$ TOKEN" \
200236 -H " Accept: application/json" ); \
@@ -203,15 +239,15 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
203239 echo " ❌ Failed to find mcp-server client" ; \
204240 exit 1; \
205241 fi ; \
206- PERMS_RESPONSE =$$(curl -s -w "HTTPCODE:%{http_code}" -X PUT "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID/management/permissions " \
242+ UPDATE_CLIENT_RESPONSE =$$(curl -s -w "HTTPCODE:%{http_code}" -X PUT "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID" \
207243 -H " Authorization: Bearer $$ TOKEN" \
208244 -H " Content-Type: application/json" \
209- -d ' {"enabled":true}' ); \
210- PERMS_CODE =$$(echo "$$PERMS_RESPONSE " | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2 ) ; \
211- if [ " $$ PERMS_CODE " = " 200 " ]; then \
212- echo " ✅ Token exchange permissions enabled" ; \
245+ -d ' {"clientId":"mcp-server"," enabled":true,"publicClient":false,"standardFlowEnabled":true,"directAccessGrantsEnabled":true,"serviceAccountsEnabled":true,"authorizationServicesEnabled":false,"redirectUris":["*"],"defaultClientScopes":["groups","mcp-server"],"optionalClientScopes":["mcp:openshift"],"attributes":{"oauth2.device.authorization.grant.enabled":"false","oidc.ciba.grant.enabled":"false","backchannel.logout.session.required":"true","backchannel.logout.revoke.offline.tokens":"false","client.token.exchange.enabled":"true"} }' ); \
246+ UPDATE_CLIENT_CODE =$$(echo "$$UPDATE_CLIENT_RESPONSE " | grep -o "HTTPCODE:[0-9]*" | cut -d: -f2 ) ; \
247+ if [ " $$ UPDATE_CLIENT_CODE " = " 204 " ]; then \
248+ echo " ✅ Standard token exchange enabled for mcp-server client " ; \
213249 else \
214- echo " ⚠️ Could not enable permissions (HTTP $$ PERMS_CODE) - may need manual configuration " ; \
250+ echo " ⚠️ Could not enable token exchange (HTTP $$ UPDATE_CLIENT_CODE) " ; \
215251 fi ; \
216252 echo " " ; \
217253 echo " Getting mcp-server client secret..." ; \
@@ -260,6 +296,7 @@ keycloak-setup-realm: ## Setup OpenShift realm with token exchange support
260296 echo " Client ID: openshift" ; \
261297 echo " " ; \
262298 echo " Client Scopes:" ; \
299+ echo " mcp-server (default) - Audience: mcp-server" ; \
263300 echo " mcp:openshift (optional) - Audience: openshift" ; \
264301 echo " groups (default) - Group membership mapper" ; \
265302 echo " " ; \
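Review bot: The 204 checked at line 247 only proves the client representation was stored, not that token exchange was enabled: Keycloak persists unknown keys in `attributes`, so if `client.token.exchange.enabled` is not the key the running version reads for standard token exchange (recent releases, as far as I recall, use `standard.token.exchange.enabled` — verify against the deployed version), the step prints a green "✅" while exchange stays off. The PUT also re-sends a hand-copied full client representation that duplicates the POST body at line 223 and will silently overwrite anything else configured on the client; fetching the current representation, setting the attribute with jq and PUTting that back keeps the two from drifting and lets a readback confirm the attribute persisted. Finally, the failure branch at line 250 only warns where every other step in this target does `exit 1`, so a broken exchange setup still ends in the success summary; make it `exit 1`. The recipe continues past the end of this hunk.
```makefile
	TOKEN_EXCHANGE_ATTR="client.token.exchange.enabled" ; \
	# ^ confirm this key against the deployed Keycloak version; unknown keys are stored but ignored
	MCP_CLIENT_JSON=$$(curl -s -X GET "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID" \
		-H "Authorization: Bearer $$TOKEN" -H "Accept: application/json"); \
	UPDATED_CLIENT_JSON=$$(echo "$$MCP_CLIENT_JSON" | jq --arg k "$$TOKEN_EXCHANGE_ATTR" '.attributes[$$k] = "true"'); \
	UPDATE_CLIENT_RESPONSE=$$(curl -s -w "HTTPCODE:%{http_code}" -X PUT "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID" \
		-H "Authorization: Bearer $$TOKEN" -H "Content-Type: application/json" -d "$$UPDATED_CLIENT_JSON"); \
	# … unchanged: HTTPCODE extraction into UPDATE_CLIENT_CODE …
	if [ "$$UPDATE_CLIENT_CODE" != "204" ]; then \
		echo "❌ Could not enable token exchange (HTTP $$UPDATE_CLIENT_CODE)" ; exit 1; \
	fi ; \
	PERSISTED=$$(curl -s -X GET "http://localhost:8090/admin/realms/openshift/clients/$$MCP_CLIENT_ID" \
		-H "Authorization: Bearer $$TOKEN" -H "Accept: application/json" | jq -r --arg k "$$TOKEN_EXCHANGE_ATTR" '.attributes[$$k] // empty'); \
	if [ "$$PERSISTED" != "true" ]; then echo "❌ token exchange attribute not persisted" ; exit 1; fi ; \
	echo "✅ Standard token exchange enabled for mcp-server client" ; \
```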