Skip to content

Enable client credentials OAuth flow for MCP #892

Closed
sathsaraniii wants to merge 6 commits into
wso2:mainfrom
sathsaraniii:feat/mcp-agent-tools
Closed

Enable client credentials OAuth flow for MCP #892
sathsaraniii wants to merge 6 commits into
wso2:mainfrom
sathsaraniii:feat/mcp-agent-tools

Conversation

@sathsaraniii

@sathsaraniii sathsaraniii commented May 16, 2026

Copy link
Copy Markdown
Contributor

Purpose

Enable MCP server to support two authentication flows:

  • Browser-based authentication (existing) — Interactive use with Claude Code, Codex, etc. User logs in via browser, gets a token, MCP calls work automatically.
  • Client Credentials authentication (new) — Headless/service-to-service use. Agents running in containers, CI/CD workflows, or backend services can get a token directly and make MCP calls without a browser.

Goals

Approach

User stories

Release note

Documentation

Training

Certification

Marketing

Automation tests

Security checks

Samples

Related PRs

Migrations (if applicable)

Test environment

Learning

Summary by CodeRabbit

Release Notes

  • Documentation

    • Added alternative OAuth 2.0 authentication method for non-browser MCP access with dedicated quick-start guide
    • Updated MCP server setup instructions with corrected client identifiers
  • Configuration

    • Updated deployment configurations (Docker Compose and Kubernetes Helm charts) to support new authentication service option
    • Added automated provisioning script for new authentication service during deployment

Review Change Stack

@coderabbitai

coderabbitai Bot commented May 16, 2026

Copy link
Copy Markdown
Contributor
📝 Walkthrough

Walkthrough

This PR adds client credentials OAuth 2.0 authentication support to the MCP service, complementing the existing browser-based flow. Documentation, Helm/Docker configuration, and a Thunder bootstrap script enable the am-mcp-service client to obtain tokens and call the MCP server without interactive authentication.

Changes

MCP Client Credentials Authentication Support

Layer / File(s) Summary
MCP Authentication Documentation and User Guidance
agent-manager-service/mcp/README.md, documentation/docs/reference/mcp-server.mdx
README now documents two OAuth 2.0 methods: browser-based (am-mcp-user) and client credentials (am-mcp-service). New "Quick start with Client Credentials" section shows example Thunder token requests and MCP JSON-RPC calls. Claude Code registration command updated to use am-mcp-user client ID.
MCP Service Client Configuration and Bootstrap Provisioning
deployments/helm-charts/wso2-amp-thunder-extension/values.yaml, deployments/helm-charts/wso2-amp-thunder-extension/templates/amp-thunder-bootstrap.yaml
Helm values define new amMcpServerClient confidential client with client_credentials grant type; existing amMcpClient renamed to am-mcp-user for clarity. New 59-am-mcp-service-client.sh bootstrap script idempotently provisions the MCP server application in Thunder by discovering OU and flow IDs, then creating or updating the application via REST API.
JWT Audience Configuration for Token Validation
deployments/docker-compose.yml, deployments/helm-charts/wso2-agent-manager/values.yaml
Docker Compose and Helm agent-manager keyManager audience lists extended with amp-mcp-service to validate tokens issued to the new MCP service client.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • wso2/agent-manager#883: Updates Claude Code MCP registration command to use the new am-mcp-user OAuth client ID documented in this PR.

Suggested reviewers

  • RAVEENSR

Poem

🐰 Two paths now lead where one did flow,
Browser dance and credentials' glow,
Thunder grants what seekers need,
Tokens bloom at client's speed! 🌿✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is largely incomplete. While the Purpose section is filled out with clear context, most other required sections (Goals, Approach, User stories, Release note, Documentation, Training, Certification, etc.) are present but completely empty. Complete the remaining sections including Goals, Approach, User stories, Release note, Documentation links, and Security checks to meet the template requirements.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and specifically describes the main change: enabling client credentials OAuth flow for MCP. It accurately reflects the core objective of the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@sathsaraniii sathsaraniii changed the title Feat/mcp agent tools Enable client credentials OAuth flow for MCP May 16, 2026
@sathsaraniii sathsaraniii marked this pull request as ready for review May 28, 2026 02:10

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
documentation/docs/reference/mcp-server.mdx (1)

9-9: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Inconsistent client ID references throughout the documentation.

The command example at Line 104 uses --client-id am-mcp-user, but the surrounding text and table still reference the old am-mcp client:

  • Line 9: "A single OAuth client (am-mcp) is pre-registered"
  • Lines 86-89: Table shows | am-mcp | Authorization Code + PKCE |
  • Line 92: "The am-mcp client is provisioned"
  • Line 109: Comment mentions "am-mcp"

This PR renames the browser-based client to am-mcp-user and adds a new am-mcp-service client for client credentials. The documentation should consistently use am-mcp-user for the browser-based client throughout, and ideally document both authentication methods (similar to the README.md approach).

📝 Suggested updates

Update the table to reflect the new client naming:

 | Client ID | Grant Type                | Redirect URIs                                                              | Use Case                                                                                |
 | --------- | ------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- |
-| `am-mcp`  | Authorization Code + PKCE | `http://127.0.0.1:33418/callback`, `http://localhost:33418/callback`       | Interactive use with AI assistants that support browser-based OAuth (Claude Code, etc.) |
+| `am-mcp-user`  | Authorization Code + PKCE | `http://127.0.0.1:33418/callback`, `http://localhost:33418/callback`       | Interactive use with AI assistants that support browser-based OAuth (Claude Code, etc.) |
+| `am-mcp-service`  | Client Credentials | N/A       | Headless AI agents and server-to-server access (containers, CI/CD, backend services) |

Update the surrounding text to reference am-mcp-user:

-AMP ships a pre-registered OAuth application in Thunder for MCP clients:
+AMP ships pre-registered OAuth applications in Thunder for MCP clients:
-The `am-mcp` client is provisioned automatically...
+The `am-mcp-user` client is provisioned automatically...

Also applies to: 86-92, 104-104, 109-109

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@documentation/docs/reference/mcp-server.mdx` at line 9, Replace all legacy
references to the browser OAuth client `am-mcp` with the new `am-mcp-user`
identifier (including the sentence "A single OAuth client (`am-mcp`)...", the
table entry, the "The `am-mcp` client is provisioned" line, the example command
that uses `--client-id am-mcp-user`, and the comment referencing `am-mcp`), and
add a short note or table row documenting the new `am-mcp-service` client for
client credentials flow so the doc shows both authentication methods
(Authorization Code + PKCE → am-mcp-user; Client Credentials → am-mcp-service)
consistently throughout the section.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@documentation/docs/reference/mcp-server.mdx`:
- Line 9: Replace all legacy references to the browser OAuth client `am-mcp`
with the new `am-mcp-user` identifier (including the sentence "A single OAuth
client (`am-mcp`)...", the table entry, the "The `am-mcp` client is provisioned"
line, the example command that uses `--client-id am-mcp-user`, and the comment
referencing `am-mcp`), and add a short note or table row documenting the new
`am-mcp-service` client for client credentials flow so the doc shows both
authentication methods (Authorization Code + PKCE → am-mcp-user; Client
Credentials → am-mcp-service) consistently throughout the section.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 7232f907-cdf2-4b27-88cf-67fd27f8adf8

📥 Commits

Reviewing files that changed from the base of the PR and between 0f97c07 and 8103d5b.

📒 Files selected for processing (6)
  • agent-manager-service/mcp/README.md
  • deployments/docker-compose.yml
  • deployments/helm-charts/wso2-agent-manager/values.yaml
  • deployments/helm-charts/wso2-amp-thunder-extension/templates/amp-thunder-bootstrap.yaml
  • deployments/helm-charts/wso2-amp-thunder-extension/values.yaml
  • documentation/docs/reference/mcp-server.mdx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant