@kosmoz
Member

@kosmoz kosmoz commented Sep 25, 2025

No description provided.

@Bockit

Bockit commented Sep 26, 2025

Would this let me use Authelia instead of Dex? I was trying to make that work earlier and got stuck on this:

Error: dexGRPCClient is required when dynamicClientRegistrationEnabled is true

@kosmoz
Member Author

kosmoz commented Sep 26, 2025

> Would this let me use Authelia instead of Dex? I was trying to make that work earlier and got stuck on this:
>
> Error: dexGRPCClient is required when dynamicClientRegistrationEnabled is true

Yes, I think Authelia should work if you configure it as OIDC provider. This PR still needs some refinement and a lot of testing but you can already try it if you want. The relevant config should look something like this:

authorization:
  type: oidc
  oidc:
    issuerUrl: "<authelia url>"
    clientId: "..."
    clientSecret: "..."

The redirect URL for the client should be http://localhost:9000/oauth/callback.

@Bockit

Bockit commented Oct 1, 2025

Thanks for the tip, I did build the branch locally (docker build) and have tried to set it up with authelia backing it, I've got the following error if it helps:

2025/10/01 08:04:24 "level"=0 "msg"="Loaded configuration" "config"={"host"="https://path.to.server.net/" "authorization"={"type"="oidc" "oidc"={"issuerUrl"="https://path.to.server.net:9091" "clientId"="mcp-gateway" "clientSecret"="redacted"}} "proxy"=[{"path"="/my-mcp/mcp" "http"={"url"="https://path.to.server.net:9093/servers/my-mcp/sse"} "authentication"={"enabled"=true} "telemetry"={"enabled"=false}}]}

2025/10/01 08:04:24 "level"=0 "msg"="starting auth proxy server" "addr"="https://path.to.server.net:9091"

Error: auth proxy serve failed: listen tcp: address https://path.to.server.net:9091: too many colons in address

@kosmoz
Member Author

kosmoz commented Oct 1, 2025

Thanks for trying! It looks like you start the gateway with the --auth-proxy-addr flag. You can try removing it or using localhost:9091 instead (no protocol scheme, it's just a host and port).
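Added here as an illustration, not code from this PR or the gateway project: a hypothetical validator for the --auth-proxy-addr flag and the oidc.issuerUrl setting from the config above. It rejects a scheme-prefixed listen address such as the one in the log before net.Listen fails with "too many colons", and checks the issuer the way OpenID Connect Discovery expects; the function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// ValidateAuthProxyAddr is a hypothetical check for the --auth-proxy-addr
// flag (not the gateway's own code). The flag is a listen address, so a
// scheme-prefixed value such as "https://path.to.server.net:9091" is rejected
// with a hint instead of net.Listen's "too many colons in address" error.
func ValidateAuthProxyAddr(addr string) (string, error) {
	if strings.Contains(addr, "://") {
		hint := "host:port"
		if u, err := url.Parse(addr); err == nil && u.Host != "" {
			hint = u.Host // e.g. "path.to.server.net:9091"
		}
		return "", fmt.Errorf("auth proxy addr %q must not include a scheme; use %q", addr, hint)
	}
	host, port, err := net.SplitHostPort(addr) // also rejects a missing port
	if err != nil {
		return "", fmt.Errorf("auth proxy addr %q is not host:port: %w", addr, err)
	}
	if p, err := strconv.Atoi(port); err != nil || p < 1 || p > 65535 {
		return "", fmt.Errorf("auth proxy addr %q has an invalid port %q", addr, port)
	}
	return net.JoinHostPort(host, port), nil
}

// ValidateOIDCIssuer checks the oidc.issuerUrl value: OpenID Connect Discovery
// requires the issuer to be an https URL without query or fragment, and the
// /.well-known/openid-configuration document is fetched relative to it.
func ValidateOIDCIssuer(issuer string) error {
	u, err := url.Parse(issuer)
	if err != nil {
		return fmt.Errorf("issuerUrl %q is not a valid URL: %w", issuer, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("issuerUrl %q must be an absolute https URL", issuer)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("issuerUrl %q must not carry a query or fragment", issuer)
	}
	return nil
}
```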

@Bockit

Bockit commented Oct 1, 2025

Ok, it boots! I'll check it all works now :)

@Bockit

Bockit commented Oct 6, 2025

Update on my end:

Using MCP Inspector: It sends the user to authelia, I authorise, it redirects back to MCP inspector and says in a toast notification "Successfully Connected" but it also says "Disconnected" in the left sidebar.

Problem could easily be in how I'm wiring these things up, and I'll keep digging on that front, but in case it's relevant, the MCP inspector UI is making hundreds of requests to http://localhost:6277/sse?url=http%3A%2F%2Fpath-to.mcp.gateway%3A9000%2Fmy-mcp%2Fmcp&transportType=sse and getting 401s.

Response:

{"code":401,"event":{"code":401,"message":"Non-200 status code (401)"}}

Logs from the gateway (order might be swapped, hard to tell based on the volume which is first and which is second):

2025/10/06 12:21:27 "level"=0 "msg"="Protected resource metadata" "response"={"resource"="http://path-to.mcp.gateway:9000/" "authorization_servers"=["http://path-to.mcp.gateway:9000/"]}

2025/10/06 12:21:27 "level"=0 "msg"="Protected resource metadata" "response"={"resource"="http://path-to.mcp.gateway:9000/desktop-commander/mcp" "authorization_servers"=["http://path-to.mcp.gateway:9000/"]}

I'm still digging into cons issues on my side, but in case it helps the PR those are my results so far.

Oh, also, when refreshing and trying to connect again, it 400s on POST /oauth/token

grant_type=refresh_token&refresh_token=authelia_rt_redacted&client_id=mcp-gateway&resource=http%3A%2F%2Fpath-to.mcp.gateway%3A9000%my-mcp%2Fmcp

it gets this response body:

{"error":"invalid_grant","error_description":"The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The refresh token has not been found: Could not find the requested resource(s)."}
