Multi-IDP support (#33)

## Summary

- Replace Google-specific OAuth with a provider abstraction supporting
Google, Azure AD, GitHub, and generic OIDC
- Separate authentication (identity fetching) from authorization (access
policy) so IDP errors and policy rejections produce distinct error types
- Systematic quality pass: fix bugs, unify patterns, reduce complexity

## Breaking change

Config format changes from flat `googleClientId`/`googleClientSecret`
fields to a structured `idp` block:

```json
"idp": {
  "provider": "google|azure|github|oidc",
  "clientId": "...",
  "clientSecret": {"$env": "..."},
  "redirectUri": "..."
}
```

## Quality improvements

- Fix duplicate `isStdioServer` with diverging implementations
- Unify CSRF tokens to stateless HMAC approach (removes `sync.Map` leak)
- Make `StoreAuthorizeRequest` return error (Firestore failures were
silent)
- Fix SameSite cookie mismatch (Strict → Lax for OAuth callbacks)
- Add `GetUser` to Storage interface for O(1) admin checks
- Split oversized files, consolidate tiny packages, delete dead code

Closes #31, closes #29

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: dgellow

CLAUDE.md

@@ -245,23 +245,24 @@ When refactoring for better design:
 
 ```bash
 # Build everything
-make build
+./scripts/build
 
 # Format everything
-make format
+./scripts/format
 
 # Lint everything
-make lint
+./scripts/lint
 
 # Test mcp-front
+./scripts/test
 go test ./internal/... -v
 go test ./integration -v
 
 # Run mcp-front locally
 ./mcp-front -config config.json
 
 # Start docs dev server
-make doc
+./scripts/docs
 ```
 
 ## Documentation Site Guidelines

cmd/mcp-front/main.go

@@ -22,27 +22,42 @@ func generateDefaultConfig(path string) error {
 			"addr":    ":8080",
 			"name":    "mcp-front",
 			"auth": map[string]any{
-				"kind":               "oauth",
-				"issuer":             "https://mcp.yourcompany.com",
-				"allowedDomains":     []string{"yourcompany.com"},
-				"allowedOrigins":     []string{"https://claude.ai"},
-				"tokenTtl":           "24h",
-				"storage":            "memory",
-				"googleClientId":     map[string]string{"$env": "GOOGLE_CLIENT_ID"},
-				"googleClientSecret": map[string]string{"$env": "GOOGLE_CLIENT_SECRET"},
-				"googleRedirectUri":  "https://mcp.yourcompany.com/oauth/callback",
-				"jwtSecret":          map[string]string{"$env": "JWT_SECRET"},
-				"encryptionKey":      map[string]string{"$env": "ENCRYPTION_KEY"},
+				"kind":           "oauth",
+				"issuer":         "https://mcp.yourcompany.com",
+				"allowedDomains": []string{"yourcompany.com"},
+				"allowedOrigins": []string{"https://claude.ai"},
+				"tokenTtl":       "24h",
+				"storage":        "memory",
+				"idp": map[string]any{
+					"provider":     "google",
+					"clientId":     map[string]string{"$env": "GOOGLE_CLIENT_ID"},
+					"clientSecret": map[string]string{"$env": "GOOGLE_CLIENT_SECRET"},
+					"redirectUri":  "https://mcp.yourcompany.com/oauth/callback",
+				},
+				"jwtSecret":     map[string]string{"$env": "JWT_SECRET"},
+				"encryptionKey": map[string]string{"$env": "ENCRYPTION_KEY"},
 			},
 		},
 		"mcpServers": map[string]any{
 			"postgres": map[string]any{
 				"transportType": "stdio",
 				"command":       "docker",
 				"args": []any{
-					"run", "--rm", "-i",
-					"mcp/postgres:latest",
-					map[string]string{"$env": "POSTGRES_URL"},
+					"run", "--rm", "-i", "--network", "host",
+					"-e", "POSTGRES_HOST",
+					"-e", "POSTGRES_PORT",
+					"-e", "POSTGRES_DATABASE",
+					"-e", "POSTGRES_USER",
+					"-e", "POSTGRES_PASSWORD",
+					"us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+					"--stdio", "--prebuilt", "postgres",
+				},
+				"env": map[string]any{
+					"POSTGRES_HOST":     map[string]string{"$env": "POSTGRES_HOST"},
+					"POSTGRES_PORT":     map[string]string{"$env": "POSTGRES_PORT"},
+					"POSTGRES_DATABASE": map[string]string{"$env": "POSTGRES_DATABASE"},
+					"POSTGRES_USER":     map[string]string{"$env": "POSTGRES_USER"},
+					"POSTGRES_PASSWORD": map[string]string{"$env": "POSTGRES_PASSWORD"},
 				},
 			},
 		},

config-admin-example.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.example.com",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp.example.com/oauth/callback"
+      },
       "allowedDomains": ["example.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp.example.com/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     },

config-inline-example.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.example.com",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp.example.com/oauth/callback"
+      },
       "allowedDomains": ["example.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp.example.com/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-inline-test.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "http://localhost:8080",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "http://localhost:8080/oauth/callback"
+      },
       "allowedDomains": ["gmail.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "http://localhost:8080/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-oauth-firestore.example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com", "contractors.yourcompany.com"],
       "allowedOrigins": ["https://claude.ai", "https://yourcompany.com"],
       "tokenTtl": "24h",
       "storage": "firestore",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }
@@ -25,11 +28,20 @@
       "command": "docker",
       "args": [
         "run", "--rm", "-i", "--network", "host",
-        "mcp/postgres",
-        {"$env": "DATABASE_URL"}
+        "-e", "POSTGRES_HOST",
+        "-e", "POSTGRES_PORT",
+        "-e", "POSTGRES_DATABASE",
+        "-e", "POSTGRES_USER",
+        "-e", "POSTGRES_PASSWORD",
+        "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+        "--stdio", "--prebuilt", "postgres"
       ],
       "env": {
-        "PGPASSWORD": {"$env": "POSTGRES_PASSWORD"}
+        "POSTGRES_HOST": {"$env": "POSTGRES_HOST"},
+        "POSTGRES_PORT": {"$env": "POSTGRES_PORT"},
+        "POSTGRES_DATABASE": {"$env": "POSTGRES_DATABASE"},
+        "POSTGRES_USER": {"$env": "POSTGRES_USER"},
+        "POSTGRES_PASSWORD": {"$env": "POSTGRES_PASSWORD"}
       }
     },
     "notion": {

config-oauth.example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com", "contractors.yourcompany.com"],
       "allowedOrigins": ["https://claude.ai", "https://yourcompany.com"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }
@@ -25,11 +28,20 @@
       "command": "docker",
       "args": [
         "run", "--rm", "-i", "--network", "host",
-        "mcp/postgres",
-        {"$env": "DATABASE_URL"}
+        "-e", "POSTGRES_HOST",
+        "-e", "POSTGRES_PORT",
+        "-e", "POSTGRES_DATABASE",
+        "-e", "POSTGRES_USER",
+        "-e", "POSTGRES_PASSWORD",
+        "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+        "--stdio", "--prebuilt", "postgres"
       ],
       "env": {
-        "PGPASSWORD": {"$env": "POSTGRES_PASSWORD"}
+        "POSTGRES_HOST": {"$env": "POSTGRES_HOST"},
+        "POSTGRES_PORT": {"$env": "POSTGRES_PORT"},
+        "POSTGRES_DATABASE": {"$env": "POSTGRES_DATABASE"},
+        "POSTGRES_USER": {"$env": "POSTGRES_USER"},
+        "POSTGRES_PASSWORD": {"$env": "POSTGRES_PASSWORD"}
       }
     },
     "notion": {

config-oauth.json

@@ -8,26 +8,41 @@
       "kind": "oauth",
       "issuer": "https://mcp-internal.yourcompany.org",
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp-internal.yourcompany.org/oauth/callback"
+      },
       "allowedDomains": ["yourcompany.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp-internal.yourcompany.org/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }
   },
   "mcpServers": {
     "postgres": {
       "transportType": "stdio",
-      "command": "docker", 
+      "command": "docker",
       "args": [
-        "run", "--rm", "-i",
-        "mcp/postgres:latest",
-        "postgresql://user:password@localhost:5432/database"
-      ]
+        "run", "--rm", "-i", "--network", "host",
+        "-e", "POSTGRES_HOST",
+        "-e", "POSTGRES_PORT",
+        "-e", "POSTGRES_DATABASE",
+        "-e", "POSTGRES_USER",
+        "-e", "POSTGRES_PASSWORD",
+        "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+        "--stdio", "--prebuilt", "postgres"
+      ],
+      "env": {
+        "POSTGRES_HOST": {"$env": "POSTGRES_HOST"},
+        "POSTGRES_PORT": {"$env": "POSTGRES_PORT"},
+        "POSTGRES_DATABASE": {"$env": "POSTGRES_DATABASE"},
+        "POSTGRES_USER": {"$env": "POSTGRES_USER"},
+        "POSTGRES_PASSWORD": {"$env": "POSTGRES_PASSWORD"}
+      }
     },
     "notion": {
       "transportType": "stdio",

config-token.example.json

@@ -11,8 +11,13 @@
       "command": "docker",
       "args": [
         "run", "--rm", "-i", "--network", "host",
-        "mcp/postgres",
-        "postgresql://testuser:testpass@localhost:5432/testdb"
+        "-e", "POSTGRES_HOST=localhost",
+        "-e", "POSTGRES_PORT=5432",
+        "-e", "POSTGRES_DATABASE=testdb",
+        "-e", "POSTGRES_USER=testuser",
+        "-e", "POSTGRES_PASSWORD=testpass",
+        "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+        "--stdio", "--prebuilt", "postgres"
       ],
       "serviceAuths": [
         {

config-user-tokens-example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }
@@ -57,11 +60,20 @@
       "command": "docker",
       "args": [
         "run", "--rm", "-i", "--network", "host",
-        "mcp/postgres",
-        {"$env": "DATABASE_URL"}
+        "-e", "POSTGRES_HOST",
+        "-e", "POSTGRES_PORT",
+        "-e", "POSTGRES_DATABASE",
+        "-e", "POSTGRES_USER",
+        "-e", "POSTGRES_PASSWORD",
+        "us-central1-docker.pkg.dev/database-toolbox/toolbox/toolbox:latest",
+        "--stdio", "--prebuilt", "postgres"
       ],
       "env": {
-        "PGPASSWORD": {"$env": "POSTGRES_PASSWORD"}
+        "POSTGRES_HOST": {"$env": "POSTGRES_HOST"},
+        "POSTGRES_PORT": {"$env": "POSTGRES_PORT"},
+        "POSTGRES_DATABASE": {"$env": "POSTGRES_DATABASE"},
+        "POSTGRES_USER": {"$env": "POSTGRES_USER"},
+        "POSTGRES_PASSWORD": {"$env": "POSTGRES_PASSWORD"}
       }
     }
   }