mcvsphere

MCP/mcvsphere

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ryan Malloy	64ba7a69de	fix OAuth token validation for Authentik opaque tokens - Remove required_scopes validation (Authentik doesn't embed scopes in JWT) - Add oauth_base_url config for proper HTTPS callback URLs - Add docker-compose.dev.yml for host proxy via Caddy - Update docker-compose.oauth.yml with unique domain label Authentik uses opaque access tokens that don't include scope claims. Authentication is enforced at the IdP level, so scope validation in the token is unnecessary and was causing 401 errors.	2025-12-27 05:27:21 -07:00
Ryan Malloy	cda49f2912	implement OAuth authentication with Authentik support Core OAuth infrastructure: - permissions.py: 5-level permission model (read_only → full_admin) Maps all 94 tools to permission levels Maps OAuth groups to permission sets - audit.py: Centralized logging with OAuth user identity - auth.py: OIDCProxy configuration for Authentik/OIDC providers - middleware.py: Permission checking decorator and tool wrapper Server integration: - config.py: Add OAuth settings (oauth_enabled, oauth_issuer_url, etc.) Validate OAuth config completeness, require HTTP transport - server.py: Integrate auth provider, add HTTP transport support Show OAuth status in startup banner Deployment: - docker-compose.oauth.yml: Authentik stack (server, worker, postgres, redis) - .env.example: Document all OAuth and Authentik environment variables Permission model: - vsphere-readers: READ_ONLY (32 tools) - vsphere-operators: + POWER_OPS (14 tools) - vsphere-admins: + VM_LIFECYCLE (33 tools) - vsphere-host-admins: + HOST_ADMIN (6 tools) - vsphere-super-admins: + FULL_ADMIN (9 tools)	2025-12-27 01:12:58 -07:00

Author

SHA1

Message

Date

Ryan Malloy

64ba7a69de

fix OAuth token validation for Authentik opaque tokens

- Remove required_scopes validation (Authentik doesn't embed scopes in JWT)
- Add oauth_base_url config for proper HTTPS callback URLs
- Add docker-compose.dev.yml for host proxy via Caddy
- Update docker-compose.oauth.yml with unique domain label

Authentik uses opaque access tokens that don't include scope claims.
Authentication is enforced at the IdP level, so scope validation in
the token is unnecessary and was causing 401 errors.

2025-12-27 05:27:21 -07:00

Ryan Malloy

cda49f2912

implement OAuth authentication with Authentik support

Core OAuth infrastructure:
- permissions.py: 5-level permission model (read_only → full_admin)
  Maps all 94 tools to permission levels
  Maps OAuth groups to permission sets
- audit.py: Centralized logging with OAuth user identity
- auth.py: OIDCProxy configuration for Authentik/OIDC providers
- middleware.py: Permission checking decorator and tool wrapper

Server integration:
- config.py: Add OAuth settings (oauth_enabled, oauth_issuer_url, etc.)
  Validate OAuth config completeness, require HTTP transport
- server.py: Integrate auth provider, add HTTP transport support
  Show OAuth status in startup banner

Deployment:
- docker-compose.oauth.yml: Authentik stack (server, worker, postgres, redis)
- .env.example: Document all OAuth and Authentik environment variables

Permission model:
- vsphere-readers: READ_ONLY (32 tools)
- vsphere-operators: + POWER_OPS (14 tools)
- vsphere-admins: + VM_LIFECYCLE (33 tools)
- vsphere-host-admins: + HOST_ADMIN (6 tools)
- vsphere-super-admins: + FULL_ADMIN (9 tools)

2025-12-27 01:12:58 -07:00

2 Commits