Feature/keycloak vscode redirects (Azure-Samples#22)

* keycloak and vscode

* Add VS Code GitHub Copilot integration docs for Keycloak OAuth

- Add "Use Keycloak OAuth MCP server with GitHub Copilot" section to README
- Add step-by-step instructions for connecting VS Code to deployed MCP server
- Include screenshots for authentication flow (allow access, sign-in, redirect)
- Add Spanish translation of the new section to spanish/README.md
- Configure VS Code redirect URIs in Keycloak realm for DCR support
- Update infra and keycloak configs for VS Code OAuth redirect handling

* update with credit

* ruff run

* ruff run again

* attemtp to get audience validation

* Refactor Keycloak auth with scope injection and proxying

* add openid scope

* remove mcp url

* ruff

* clean up to realm so it has only what we need

* addresses feedback from Pamela and Copilot

Author: madebygps

.vscode/mcp.json

@@ -27,7 +27,8 @@
 				"0.0.0.0:5678",
 				"servers/basic_mcp_stdio.py"
 			]
-		},
+		}
+		
 	},
 	"inputs": []
-}
+}

README.md

@@ -432,23 +432,46 @@ This project supports deploying with OAuth 2.0 authentication using Keycloak as
 
    Login with `admin` and your configured password.
 
-### Testing with the agent
 
-1. Generate the local environment file (automatically created after `azd up`):
+### Use Keycloak OAuth MCP server with GitHub Copilot
 
-   ```bash
-   ./infra/write_env.sh
-   ```
+The Keycloak deployment supports Dynamic Client Registration (DCR), which allows VS Code to automatically register as an OAuth client. VS Code redirect URIs are pre-configured in the Keycloak realm.
+
+To use the deployed MCP server with GitHub Copilot Chat:
+
+1. To avoid conflicts, stop the MCP servers from `mcp.json` and disable the expense MCP servers in GitHub Copilot Chat tools.
+2. Select "MCP: Add Server" from the VS Code Command Palette
+3. Select "HTTP" as the server type
+4. Enter the URL of the MCP server from `azd env get-value MCP_SERVER_URL`
+5. You should see a Keycloak authentication screen open in your browser. Select "Allow access":
 
-   This creates `.env` with `KEYCLOAK_REALM_URL`, `MCP_SERVER_URL`, and Azure OpenAI settings.
+   ![Keycloak allow access screen](screenshots/kc-allow-1.jpg)
 
-2. Run the agent:
+6. Sign in with a Keycloak user (e.g., `testuser` / `testpass` for the pre-configured demo user):
 
-   ```bash
-   uv run agents/agentframework_http.py
+   ![Keycloak sign-in screen](screenshots/kc-signin-2.jpg)
+
+7. After authentication, the browser will redirect back to VS Code:
+
+   ![VS Code redirect after Keycloak sign-in](screenshots/kc-redirect-3.jpg)
+
+8. Enable the MCP server in GitHub Copilot Chat tools:
+
+   ![Select MCP tools in GitHub Copilot](screenshots/kc-select-tools-4.jpg)
+
+9. Test it with an expense tracking query:
+
+   ```text
+   Log expense for 75 dollars of office supplies on my visa last Friday
    ```
 
-   The agent automatically detects `KEYCLOAK_REALM_URL` in the environment and authenticates via DCR + client credentials. On success, it will add an expense and print the result.
+   ![Example GitHub Copilot Chat with Keycloak auth](screenshots/kc-chat-5.jpg)
+
+10. Verify the expense was added by checking the Cosmos DB `user-expenses` container in the Azure Portal or by asking GitHub Copilot Chat:
+
+    ```text
+    Show me my expenses from last week
+    ```
 
 ### Known limitations (demo trade-offs)
 

agents/keycloak_auth.py

@@ -29,18 +29,14 @@ resource httpRouteConfig 'Microsoft.App/managedEnvironments/httpRouteConfigs@202
   parent: containerEnv
   properties: {
     rules: [
-      // Route /auth/* to Keycloak (strip /auth prefix since Keycloak serves at root)
-      // Using pathSeparatedPrefix ensures /auth doesn't match /authentication
       {
         description: 'Keycloak Authentication Server'
         routes: [
           {
             match: {
               pathSeparatedPrefix: '/auth'
             }
-            action: {
-              prefixRewrite: '/'
-            }
+            action: {}
           }
         ]
         targets: [
@@ -49,17 +45,14 @@ resource httpRouteConfig 'Microsoft.App/managedEnvironments/httpRouteConfigs@202
           }
         ]
       }
-      // Route everything else to MCP server (catch-all)
       {
         description: 'MCP Expenses Server'
         routes: [
           {
             match: {
               prefix: '/'
             }
-            action: {
-              prefixRewrite: '/'
-            }
+            action: {}
           }
         ]
         targets: [

infra/http-routes.bicep

@@ -782,8 +782,7 @@ module server 'server.bicep' = {
     openTelemetryPlatform: openTelemetryPlatform
     exists: serverExists
     // Keycloak authentication configuration (only when enabled)
-    keycloakRealmUrl: useKeycloak ? '${keycloak!.outputs.uri}/realms/${keycloakRealmName}' : ''
-    keycloakTokenIssuer: useKeycloak ? '${keycloakMcpServerBaseUrl}/realms/${keycloakRealmName}' : ''
+    keycloakRealmUrl: useKeycloak ? '${keycloak!.outputs.uri}/auth/realms/${keycloakRealmName}' : ''
     keycloakMcpServerBaseUrl: useKeycloak ? keycloakMcpServerBaseUrl : ''
     keycloakMcpServerAudience: keycloakMcpServerAudience
     // Azure/Entra ID OAuth Proxy authentication configuration (only when enabled)
@@ -810,7 +809,7 @@ module agent 'agent.bicep' = {
     openAiDeploymentName: openAiDeploymentName
     openAiEndpoint: openAi.outputs.endpoint
     mcpServerUrl: useKeycloak ? 'https://mcproutes.${containerApps.outputs.defaultDomain}/mcp' : '${server.outputs.uri}/mcp'
-    keycloakRealmUrl: useKeycloak ? '${keycloak.outputs.uri}/realms/${keycloakRealmName}' : ''
+    keycloakRealmUrl: useKeycloak ? '${keycloak.outputs.uri}/auth/realms/${keycloakRealmName}' : ''
     exists: agentExists
   }
 }
@@ -946,9 +945,10 @@ output KEYCLOAK_MCP_SERVER_BASE_URL string = useKeycloak ? keycloakMcpServerBase
 
 // Keycloak and MCP Server routing outputs (only populated when mcpAuthProvider is keycloak)
 output KEYCLOAK_REALM_URL string = useKeycloak ? '${httpRoutes!.outputs.routeConfigUrl}/auth/realms/${keycloakRealmName}' : ''
-output KEYCLOAK_ADMIN_CONSOLE string = useKeycloak ? '${httpRoutes!.outputs.routeConfigUrl}/auth/admin' : ''
+output KEYCLOAK_ADMIN_CONSOLE string = useKeycloak ? '${httpRoutes!.outputs.routeConfigUrl}/auth/admin/master/console' : ''
 output KEYCLOAK_DIRECT_URL string = keycloak.outputs.uri
-output KEYCLOAK_TOKEN_ISSUER string = useKeycloak ? '${keycloakMcpServerBaseUrl}/realms/${keycloakRealmName}' : ''
+output KEYCLOAK_TOKEN_ISSUER string = useKeycloak ? '${keycloakMcpServerBaseUrl}/auth/realms/${keycloakRealmName}' : ''
+output KEYCLOAK_AGENT_REALM_URL string = useKeycloak ? '${keycloak!.outputs.uri}/auth/realms/${keycloakRealmName}' : ''
 
 // Auth provider for env scripts
 output MCP_AUTH_PROVIDER string = mcpAuthProvider

infra/main.bicep

@@ -22,7 +22,6 @@ param applicationInsightsConnectionString string = ''
 ])
 param openTelemetryPlatform string = 'appinsights'
 param keycloakRealmUrl string = ''
-param keycloakTokenIssuer string = ''
 param keycloakMcpServerAudience string = 'mcp-server'
 param keycloakMcpServerBaseUrl string = ''
 param entraProxyClientId string = ''
@@ -112,10 +111,6 @@ var keycloakEnv = !empty(keycloakRealmUrl) ? [
     name: 'KEYCLOAK_REALM_URL'
     value: keycloakRealmUrl
   }
-  {
-    name: 'KEYCLOAK_TOKEN_ISSUER'
-    value: !empty(keycloakTokenIssuer) ? keycloakTokenIssuer : keycloakRealmUrl
-  }
   {
     name: 'KEYCLOAK_MCP_SERVER_AUDIENCE'
     value: keycloakMcpServerAudience

infra/server.bicep

@@ -49,6 +49,7 @@ $KEYCLOAK_REALM_URL = Get-AzdValue KEYCLOAK_REALM_URL
 if ($KEYCLOAK_REALM_URL -and $KEYCLOAK_REALM_URL -ne "") {
     Add-Content -Path $ENV_FILE_PATH -Value "KEYCLOAK_REALM_URL=$KEYCLOAK_REALM_URL"
     Write-EnvIfSet KEYCLOAK_TOKEN_ISSUER
+    Write-EnvIfSet KEYCLOAK_AGENT_REALM_URL
 }
 
 # Entra proxy env vars (only if ENTRA_PROXY_AZURE_CLIENT_ID is set)

infra/write_env.ps1

@@ -55,6 +55,7 @@ KEYCLOAK_REALM_URL=$(get_azd_value KEYCLOAK_REALM_URL)
 if [ -n "$KEYCLOAK_REALM_URL" ]; then
   echo "KEYCLOAK_REALM_URL=${KEYCLOAK_REALM_URL}" >> "$ENV_FILE_PATH"
   write_env_if_set KEYCLOAK_TOKEN_ISSUER
+  write_env_if_set KEYCLOAK_AGENT_REALM_URL
 fi
 
 # Entra proxy env vars (only if ENTRA_PROXY_AZURE_CLIENT_ID is set)

infra/write_env.sh

@@ -22,5 +22,7 @@ ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
 # Start in dev mode with H2 database (still uses pre-built themes)
 # --proxy-headers=xforwarded tells Keycloak it's behind a reverse proxy that sets X-Forwarded-* headers
 # --hostname-strict=false allows dynamic hostname resolution from proxy headers
+# --http-relative-path=/auth sets the base path so Keycloak serves all content under /auth/*
 # --import-realm imports the MCP realm on startup
-CMD ["start-dev", "--http-port=8080", "--proxy-headers=xforwarded", "--hostname-strict=false", "--import-realm"]
+# --import-strategy=overwrite-existing ensures realm.json changes are applied even if the realm exists
+CMD ["start-dev", "--http-port=8080", "--proxy-headers=xforwarded", "--hostname-strict=false", "--http-relative-path=/auth", "--import-realm", "--import-strategy=overwrite-existing"]