Regarding custom JWT token #1475

Hi Team, I am just exploring mcp-context-forge. Is it possible to invoke the virtual server with a custom JWT, for example an Azure Entra JWT? I tried JWT auth using the MCP Python plugin; does the gateway support custom JWT validation as well?

Replies: 2 comments

Hi @bayer-veera, thanks for the question. This is a common setup pattern; please share your identity provider, token structure, and current JWT validation settings and I’ll provide the exact config you should use.

Hi @bayer-veera, yes — ContextForge fully supports validating external JWT tokens, including Azure Entra ID. Here are the options:

Option 1 — Built-in Azure Entra ID SSO (recommended):
ContextForge has dedicated Entra ID support (config.py:376-378):

    SSO_ENTRA_TENANT_ID=your-tenant-id
    SSO_ENTRA_CLIENT_ID=your-client-id
    SSO_ENTRA_CLIENT_SECRET=your-client-secret

This enables full SSO login, token validation via Entra's JWKS endpoint, group-to-team mapping, and role mapping. The gateway auto-discovers Entra's JWKS keys. Group overage handling (for users with >200 groups) with Microsoft Graph API fallback is also supported (sso_service.py:1300-1312).

Option 2 — Generic OIDC with JWKS URI:
For any OIDC-compliant provider:

    SSO_GENERIC_JWKS_URI=https://login.microsoftonline.com/{tenant-id}/discovery/v2.0/keys

The gateway fetches public keys from this endpoint to validate JWT signatures.

Option 3 — Per-virtual-server OAuth:
Enable OAuth on a virtual server and configure its authorization server. The gateway discovers JWKS via

Option 4 — Manual public key import:

    JWT_PUBLIC_KEY_PATH=/path/to/your/public-key.pem

Import the public key directly for RS256 verification without a JWKS endpoint.

Supported algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, EdDSA.

For your Azure Entra use case, Option 1 is the simplest path.

Documentation: https://ibm.github.io/mcp-context-forge/manage/sso/
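
A header pre-flight for a token that fails JWKS-based validation, as an added example that is not ContextForge's code: it checks the token's `alg` against the algorithm list in the reply above and that its `kid` selects a key of the right type in a JWKS document. `preflight`, `make_token`, `b64url_json` and `SAMPLE_JWKS` are hypothetical names, the JWKS and tokens are constructed, and no signature is verified here.

```python
import base64
import json

# Algorithms the reply above lists as supported (asymmetric only).
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                  "PS256", "PS384", "PS512", "EdDSA"}
# JWK "kty" that each algorithm family requires.
KTY_FOR_PREFIX = {"RS": "RSA", "PS": "RSA", "ES": "EC", "Ed": "OKP"}
# Constructed sample JWKS (key material omitted; only metadata is inspected).
SAMPLE_JWKS = {"keys": [{"kid": "demo-key-1", "kty": "RSA", "use": "sig"}]}


def make_token(header):
    """Build a constructed sample token with a dummy signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc({'sub': 'demo'})}.c2ln"


def b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(token, jwks):
    """List header problems that would stop JWKS verification (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS (expected 3 dot-separated segments)"]
    try:
        header = b64url_json(parts[0])
    except ValueError:
        return ["header is not base64url-encoded JSON"]
    if not isinstance(header, dict):
        return ["header is not a JSON object"]
    problems = []
    alg, kid = header.get("alg"), header.get("kid")
    alg_ok = isinstance(alg, str) and alg in SUPPORTED_ALGS
    if not alg_ok:
        problems.append(f"alg {alg!r} is not an accepted asymmetric algorithm")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    if kid is None:
        problems.append("header has no kid, so no JWKS key can be selected")
    elif key is None:
        problems.append(f"kid {kid!r} not found in JWKS (stale cache or wrong tenant?)")
    elif alg_ok and key.get("kty") != KTY_FOR_PREFIX[alg[:2]]:
        problems.append(f"key type {key.get('kty')!r} does not match alg {alg!r}")
    return problems
```

An empty list means the header is consistent with the JWKS; the signature, issuer, audience and expiry still have to be verified by the gateway.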