Implement multi-IDP support with provider abstraction

Replaces Google-specific OAuth with a provider abstraction pattern
supporting Google, Azure AD, GitHub, and generic OIDC providers.

Changes:
- Create internal/idp package with Provider interface and implementations
- Update config from googleClientId/googleClientSecret to structured idp block
- Add provider tracking to browser session cookies for multi-IDP readiness
- Delete internal/googleauth package
- Add comprehensive tests for idp package (including GitHub UserInfo tests)
- Update all example configs and documentation
- Refactor parseIDPConfig to use helper function for cleaner code

Config format change:
  "idp": {
    "provider": "google|azure|github|oidc",
    "clientId": "...",
    "clientSecret": {"$env": "..."},
    "redirectUri": "...",
    // Provider-specific: tenantId (azure), allowedOrgs (github), discoveryUrl (oidc)
  }

Co-authored-by: Claude <[email protected]>

Author: dgellow

cmd/mcp-front/main.go

@@ -22,17 +22,20 @@ func generateDefaultConfig(path string) error {
 			"addr":    ":8080",
 			"name":    "mcp-front",
 			"auth": map[string]any{
-				"kind":               "oauth",
-				"issuer":             "https://mcp.yourcompany.com",
-				"allowedDomains":     []string{"yourcompany.com"},
-				"allowedOrigins":     []string{"https://claude.ai"},
-				"tokenTtl":           "24h",
-				"storage":            "memory",
-				"googleClientId":     map[string]string{"$env": "GOOGLE_CLIENT_ID"},
-				"googleClientSecret": map[string]string{"$env": "GOOGLE_CLIENT_SECRET"},
-				"googleRedirectUri":  "https://mcp.yourcompany.com/oauth/callback",
-				"jwtSecret":          map[string]string{"$env": "JWT_SECRET"},
-				"encryptionKey":      map[string]string{"$env": "ENCRYPTION_KEY"},
+				"kind":           "oauth",
+				"issuer":         "https://mcp.yourcompany.com",
+				"allowedDomains": []string{"yourcompany.com"},
+				"allowedOrigins": []string{"https://claude.ai"},
+				"tokenTtl":       "24h",
+				"storage":        "memory",
+				"idp": map[string]any{
+					"provider":     "google",
+					"clientId":     map[string]string{"$env": "GOOGLE_CLIENT_ID"},
+					"clientSecret": map[string]string{"$env": "GOOGLE_CLIENT_SECRET"},
+					"redirectUri":  "https://mcp.yourcompany.com/oauth/callback",
+				},
+				"jwtSecret":     map[string]string{"$env": "JWT_SECRET"},
+				"encryptionKey": map[string]string{"$env": "ENCRYPTION_KEY"},
 			},
 		},
 		"mcpServers": map[string]any{

config-admin-example.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.example.com",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp.example.com/oauth/callback"
+      },
       "allowedDomains": ["example.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp.example.com/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     },

config-inline-example.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.example.com",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp.example.com/oauth/callback"
+      },
       "allowedDomains": ["example.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp.example.com/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-inline-test.json

@@ -7,13 +7,16 @@
     "auth": {
       "kind": "oauth",
       "issuer": "http://localhost:8080",
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "http://localhost:8080/oauth/callback"
+      },
       "allowedDomains": ["gmail.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "1h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "http://localhost:8080/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-oauth-firestore.example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com", "contractors.yourcompany.com"],
       "allowedOrigins": ["https://claude.ai", "https://yourcompany.com"],
       "tokenTtl": "24h",
       "storage": "firestore",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-oauth.example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com", "contractors.yourcompany.com"],
       "allowedOrigins": ["https://claude.ai", "https://yourcompany.com"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-oauth.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": "https://mcp-internal.yourcompany.org",
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": "https://mcp-internal.yourcompany.org/oauth/callback"
+      },
       "allowedDomains": ["yourcompany.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": "https://mcp-internal.yourcompany.org/oauth/callback",
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

config-user-tokens-example.json

@@ -8,13 +8,16 @@
       "kind": "oauth",
       "issuer": {"$env": "OAUTH_ISSUER"},
       "gcpProject": {"$env": "GCP_PROJECT"},
+      "idp": {
+        "provider": "google",
+        "clientId": {"$env": "GOOGLE_CLIENT_ID"},
+        "clientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
+        "redirectUri": {"$env": "GOOGLE_REDIRECT_URI"}
+      },
       "allowedDomains": ["yourcompany.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "24h",
       "storage": "memory",
-      "googleClientId": {"$env": "GOOGLE_CLIENT_ID"},
-      "googleClientSecret": {"$env": "GOOGLE_CLIENT_SECRET"},
-      "googleRedirectUri": {"$env": "GOOGLE_REDIRECT_URI"},
       "jwtSecret": {"$env": "JWT_SECRET"},
       "encryptionKey": {"$env": "ENCRYPTION_KEY"}
     }

docs-site/src/content/docs/configuration.md

@@ -49,13 +49,16 @@ For production, use OAuth with Google. Claude redirects users to Google for auth
   "auth": {
     "kind": "oauth",
     "issuer": "https://mcp.company.com",
+    "idp": {
+      "provider": "google",
+      "clientId": { "$env": "GOOGLE_CLIENT_ID" },
+      "clientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
+      "redirectUri": "https://mcp.company.com/oauth/callback"
+    },
     "allowedDomains": ["company.com"],
     "allowedOrigins": ["https://claude.ai"],
     "tokenTtl": "24h",
     "storage": "memory",
-    "googleClientId": { "$env": "GOOGLE_CLIENT_ID" },
-    "googleClientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
-    "googleRedirectUri": "https://mcp.company.com/oauth/callback",
     "jwtSecret": { "$env": "JWT_SECRET" },
     "encryptionKey": { "$env": "ENCRYPTION_KEY" }
   }
@@ -66,7 +69,7 @@ The `issuer` should match your `baseURL`. `allowedDomains` restricts access to s
 
 `tokenTtl` controls how long JWT tokens are valid. Shorter times are more secure but require more frequent logins.
 
-Security requirements: `googleClientSecret`, `jwtSecret`, and `encryptionKey` must be environment variables. The JWT secret must be at least 32 bytes. The encryption key must be exactly 32 bytes.
+Security requirements: `idp.clientSecret`, `jwtSecret`, and `encryptionKey` must be environment variables. The JWT secret must be at least 32 bytes. The encryption key must be exactly 32 bytes.
 
 For production, set `storage` to "firestore" and add `gcpProject`, `firestoreDatabase`, and `firestoreCollection` fields.
 
@@ -345,13 +348,16 @@ Set `MCP_FRONT_ENV=development` when testing OAuth locally. It allows http:// UR
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.company.com",
+      "idp": {
+        "provider": "google",
+        "clientId": { "$env": "GOOGLE_CLIENT_ID" },
+        "clientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
+        "redirectUri": "https://mcp.company.com/oauth/callback"
+      },
       "allowedDomains": ["company.com"],
       "allowedOrigins": ["https://claude.ai"],
       "tokenTtl": "4h",
       "storage": "firestore",
-      "googleClientId": { "$env": "GOOGLE_CLIENT_ID" },
-      "googleClientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
-      "googleRedirectUri": "https://mcp.company.com/oauth/callback",
       "jwtSecret": { "$env": "JWT_SECRET" },
       "encryptionKey": { "$env": "ENCRYPTION_KEY" },
       "gcpProject": { "$env": "GOOGLE_CLOUD_PROJECT" },

docs-site/src/content/docs/examples/oauth-google.md

@@ -39,15 +39,26 @@ Create `config.json`:
 
 ```json
 {
-  "version": "1.0",
+  "version": "v0.0.1-DEV_EDITION_EXPECT_CHANGES",
   "proxy": {
     "name": "Company MCP Proxy",
-    "baseUrl": "https://mcp.company.com",
+    "baseURL": "https://mcp.company.com",
     "addr": ":8080",
     "auth": {
       "kind": "oauth",
       "issuer": "https://mcp.company.com",
-      "allowedDomains": ["company.com"]
+      "idp": {
+        "provider": "google",
+        "clientId": { "$env": "GOOGLE_CLIENT_ID" },
+        "clientSecret": { "$env": "GOOGLE_CLIENT_SECRET" },
+        "redirectUri": "https://mcp.company.com/oauth/callback"
+      },
+      "allowedDomains": ["company.com"],
+      "allowedOrigins": ["https://claude.ai"],
+      "tokenTtl": "24h",
+      "storage": "memory",
+      "jwtSecret": { "$env": "JWT_SECRET" },
+      "encryptionKey": { "$env": "ENCRYPTION_KEY" }
     }
   },
   "mcpServers": {
@@ -80,6 +91,7 @@ Create `config.json`:
 export GOOGLE_CLIENT_ID="your-client-id.apps.googleusercontent.com"
 export GOOGLE_CLIENT_SECRET="your-client-secret"
 export JWT_SECRET=$(openssl rand -base64 32)
+export ENCRYPTION_KEY=$(openssl rand -base64 32)
 ```
 
 ## 4. Run with Docker
@@ -89,6 +101,7 @@ docker run -p 8080:8080 \
   -e GOOGLE_CLIENT_ID \
   -e GOOGLE_CLIENT_SECRET \
   -e JWT_SECRET \
+  -e ENCRYPTION_KEY \
   -v $(pwd)/config.json:/config.json \
   ghcr.io/dgellow/mcp-front:latest
 ```