MCP Keycloak OAuth Policy
MCP Gateway Policy
This policy is for use with the MCP Gateway. See the MCP Gateway documentation to learn how to proxy and secure MCP servers with Zuplo.
Use the MCP Keycloak OAuth policy to protect an MCP virtual server with gateway-issued OAuth tokens while delegating browser login to a Keycloak realm.
Configuration
The configuration shows how to configure the policy in the 'policies.json' document.
config/policies.json
Policy Configuration
name<string>- The name of your policy instance. This is used as a reference in your routes.policyType<string>- The identifier of the policy. This is used by the Zuplo UI. Value should bemcp-keycloak-oauth-inbound.handler.export<string>- The name of the exported type. Value should beMcpKeycloakOAuthInboundPolicy.handler.module<string>- The module containing the policy. Value should be$import(@zuplo/runtime).handler.options<object>- The options for this policy. See Policy Options below.
Policy Options
The options for this policy are specified below. All properties are optional unless specifically marked as required.
keycloakBaseUrl(required)<string>- The absolute URL for the Keycloak server root. Do not include /realms/{realm}; set the realm option separately.realm(required)<string>- The Keycloak realm name.clientId(required)<string>- The Keycloak OIDC client_id registered for the gateway's browser login flow.clientSecret(required)<string>- The Keycloak OIDC client_secret. Use $env(...) to source from a secret environment variable.scope<string>- OIDC scopes requested during browser login. Defaults to"openid profile email".gateway<object>- Gateway-side OAuth token settings. The gateway issuer and advertised URLs are derived from the incoming request origin.accessTokenTtlSeconds<integer>- Lifetime of access tokens issued by /oauth/token. Defaults to900.refreshTokenTtlSeconds<integer>- Lifetime of refresh tokens issued by /oauth/token. Defaults to2592000.cimdEnabled<boolean>- Whether to advertise client_id_metadata_document_supported in AS metadata. Defaults totrue.
browserLoginOverrides<object>- Optional overrides for the derived browser-login settings.remoteTimeoutMs<integer>- No description available. Defaults to10000.stateTtlSeconds<integer>- No description available. Defaults to900.sessionTtlSeconds<integer>- No description available. Defaults to28800.
Using the Policy
MCP Keycloak OAuth
The MCP Keycloak OAuth policy is a provider-specific wrapper around the generic MCP OAuth inbound policy. It keeps the gateway OAuth behavior the same, but lets you configure Keycloak with the values an administrator normally has:
keycloakBaseUrlrealmclientIdclientSecret
The policy derives the Keycloak realm issuer, JWKS URL, authorization endpoint, and token endpoint from Keycloak's OpenID Connect endpoint layout.
Code
If your Keycloak deployment uses a path prefix, include it in keycloakBaseUrl:
Code
Do not include /realms/{realm} in keycloakBaseUrl; set realm separately.
Read more about how policies work