Enable client credentials OAuth flow for MCP #892
Conversation
…ials authentication
📝 WalkthroughWalkthroughThis PR adds client credentials OAuth 2.0 authentication support to the MCP service, complementing the existing browser-based flow. Documentation, Helm/Docker configuration, and a Thunder bootstrap script enable the ChangesMCP Client Credentials Authentication Support
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
documentation/docs/reference/mcp-server.mdx (1)
9-9:⚠️ Potential issue | 🟠 Major | ⚡ Quick winInconsistent client ID references throughout the documentation.
The command example at Line 104 uses
--client-id am-mcp-user, but the surrounding text and table still reference the oldam-mcpclient:
- Line 9: "A single OAuth client (
am-mcp) is pre-registered"- Lines 86-89: Table shows
| am-mcp | Authorization Code + PKCE |- Line 92: "The
am-mcpclient is provisioned"- Line 109: Comment mentions "
am-mcp"This PR renames the browser-based client to
am-mcp-userand adds a newam-mcp-serviceclient for client credentials. The documentation should consistently useam-mcp-userfor the browser-based client throughout, and ideally document both authentication methods (similar to the README.md approach).📝 Suggested updates
Update the table to reflect the new client naming:
| Client ID | Grant Type | Redirect URIs | Use Case | | --------- | ------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | -| `am-mcp` | Authorization Code + PKCE | `http://127.0.0.1:33418/callback`, `http://localhost:33418/callback` | Interactive use with AI assistants that support browser-based OAuth (Claude Code, etc.) | +| `am-mcp-user` | Authorization Code + PKCE | `http://127.0.0.1:33418/callback`, `http://localhost:33418/callback` | Interactive use with AI assistants that support browser-based OAuth (Claude Code, etc.) | +| `am-mcp-service` | Client Credentials | N/A | Headless AI agents and server-to-server access (containers, CI/CD, backend services) |Update the surrounding text to reference
am-mcp-user:-AMP ships a pre-registered OAuth application in Thunder for MCP clients: +AMP ships pre-registered OAuth applications in Thunder for MCP clients:-The `am-mcp` client is provisioned automatically... +The `am-mcp-user` client is provisioned automatically...Also applies to: 86-92, 104-104, 109-109
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@documentation/docs/reference/mcp-server.mdx` at line 9, Replace all legacy references to the browser OAuth client `am-mcp` with the new `am-mcp-user` identifier (including the sentence "A single OAuth client (`am-mcp`)...", the table entry, the "The `am-mcp` client is provisioned" line, the example command that uses `--client-id am-mcp-user`, and the comment referencing `am-mcp`), and add a short note or table row documenting the new `am-mcp-service` client for client credentials flow so the doc shows both authentication methods (Authorization Code + PKCE → am-mcp-user; Client Credentials → am-mcp-service) consistently throughout the section.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@documentation/docs/reference/mcp-server.mdx`:
- Line 9: Replace all legacy references to the browser OAuth client `am-mcp`
with the new `am-mcp-user` identifier (including the sentence "A single OAuth
client (`am-mcp`)...", the table entry, the "The `am-mcp` client is provisioned"
line, the example command that uses `--client-id am-mcp-user`, and the comment
referencing `am-mcp`), and add a short note or table row documenting the new
`am-mcp-service` client for client credentials flow so the doc shows both
authentication methods (Authorization Code + PKCE → am-mcp-user; Client
Credentials → am-mcp-service) consistently throughout the section.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 7232f907-cdf2-4b27-88cf-67fd27f8adf8
📒 Files selected for processing (6)
agent-manager-service/mcp/README.mddeployments/docker-compose.ymldeployments/helm-charts/wso2-agent-manager/values.yamldeployments/helm-charts/wso2-amp-thunder-extension/templates/amp-thunder-bootstrap.yamldeployments/helm-charts/wso2-amp-thunder-extension/values.yamldocumentation/docs/reference/mcp-server.mdx
Purpose
Enable MCP server to support two authentication flows:
Goals
Approach
User stories
Release note
Documentation
Training
Certification
Marketing
Automation tests
Security checks
Samples
Related PRs
Migrations (if applicable)
Test environment
Learning
Summary by CodeRabbit
Release Notes
Documentation
Configuration