Release 1.24.7 - Auth/Scope Hardening & Deployment Flexibility
June 2026
Overview
This release focuses on authentication and scope hardening alongside greater deployment flexibility. On the auth side, IdP groups are now filtered to the scope-relevant set at login (backed by a single bulk scope lookup), the /mcp-proxy internal token is hardened with a configurable short TTL and clock-skew leeway, signed JWTs are validated on both the registry and mcp-proxy hops, and datetime serialization and token-lifetime enforcement are fixed. On the deployment side, this release adds a full AWS CDK infrastructure option, lets ECS deployments reuse an existing VPC and subnets, and exposes a configurable AUTH_SERVER_URL Terraform variable for Cloud Map / FQDN setups. It also restores working Kubernetes / Helm (EKS) deployments by repointing the Keycloak and PostgreSQL images away from the removed Bitnami public ECR mirror. Rounding out the release are stale-embedding cleanup tooling, an audit dashboard executive summary, and on-demand A2A agent card pulls with a dry-run preview.
Note: token-mint audit / OTEL (#1215) moved to the 1.24.8 milestone.
Upgrading from 1.24.6
This section covers everything you need to know to upgrade from 1.24.6 to 1.24.7.
Breaking Changes
There are no breaking changes in this release. However, Kubernetes / Helm (EKS) operators must take action because of a required Keycloak image source change (see below).
Required action for EKS: Keycloak and PostgreSQL image source changed
Broadcom removed the free Bitnami catalog from both Docker Hub (docker.io/bitnami/*) and the AWS public ECR mirror (public.ecr.aws/bitnami/*). The stack chart previously pulled Keycloak and its bundled PostgreSQL from public.ecr.aws/bitnami/*, which now returns HTTP 404. Fresh EKS deployments, scale-ups, and node refreshes would fail with ImagePullBackOff.
This release repoints both images to the frozen Bitnami legacy archive on Docker Hub, which is still publicly pullable (PR #1287):
| Image | Old (removed) | New |
|---|---|---|
| Keycloak | public.ecr.aws/bitnami/keycloak |
docker.io/bitnamilegacy/keycloak:26.3.3-debian-12-r0 |
| PostgreSQL | public.ecr.aws/bitnami/postgresql |
docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r0 |
Note that bitnamilegacy images are frozen and no longer receive updates or security patches. This restores working deployments now; a future release will migrate the Helm surface onto the upstream quay.io/keycloak/keycloak image already used by Docker Compose, Terraform/ECS, and CDK. If you override the Keycloak image in your own values.yaml, update it to match.
New Environment Variables
| Variable | Default | Description |
|---|---|---|
| ALLOWED_IDP_GROUPS | (empty) | Login-time IdP group allowlist (applies to all identity providers). Comma-separated EXACT group names/IDs. When set, only these groups are stored in a user's session at login. When empty, the registry auto-derives the allowlist from scope mappings (recommended). Fixes session bloat and per-request slowness for users with very large IdP group memberships (e.g. Entra ID users in hundreds of AD groups). |
| INTERNAL_TOKEN_TTL_SECONDS | 30 | Lifetime (seconds) of the minted /mcp-proxy internal token; the replay-window cap. Short by design. Minimum 5. |
| INTERNAL_TOKEN_LEEWAY_SECONDS | 5 | Clock-skew leeway (seconds) on the internal token's exp/iat checks. |
Upgrade Instructions
Docker Compose
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7
# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.shKubernetes / Helm (EKS)
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7
# REQUIRED: subchart templates and values changed in this release, so the
# packaged subchart .tgz files must be rebuilt before upgrading.
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update
# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yamlThe helm dependency build and helm dependency update steps are mandatory for this release: files under charts/ changed (the Keycloak/PostgreSQL image source, the new allowedIdpGroups and internal-token values, and the registry Service/Deployment port cleanup). The packaged subchart .tgz files inside charts/mcp-gateway-registry-stack/charts/ are gitignored and only repackage when these commands run. A plain git pull followed by helm upgrade would silently use stale subcharts and miss the Keycloak image fix.
Terraform / ECS
cd mcp-gateway-registry
git pull origin main
git checkout 1.24.7
# Update your .tfvars with any new variables (see AUTH_SERVER_URL below)
cd terraform/aws-ecs
terraform plan
terraform applyThis release adds an AUTH_SERVER_URL Terraform variable so ECS deployments can point the auth-server at a Cloud Map / FQDN endpoint (PR #1284). Review the new variable in variables.tf before applying.
Container Images
Pre-built images are published to Amazon ECR Public at public.ecr.aws/p3v1o3c6 by the "Release Docker Images" workflow on tag push:
docker pull public.ecr.aws/p3v1o3c6/registry:1.24.7
docker pull public.ecr.aws/p3v1o3c6/auth-server:1.24.7
docker pull public.ecr.aws/p3v1o3c6/mcpgw:1.24.7Major Features
CDK infrastructure for MCP Gateway Registry
A complete AWS CDK deployment option has been added alongside the existing Terraform/ECS and Helm surfaces, giving teams a TypeScript-native infrastructure-as-code path for provisioning the gateway, registry, auth-server, Keycloak, and supporting AWS resources.
Login-time IdP group filtering
Users with very large IdP group memberships (for example Entra ID accounts in hundreds or thousands of AD groups) previously caused X-Groups header bloat and per-request slowness. The registry now filters groups to the scope-relevant set at login. By default it auto-derives the allowlist from scope mappings; operators can also pin an explicit allowlist via ALLOWED_IDP_GROUPS.
On-demand A2A agent card pull with dry-run preview
Agent cards can now be pulled on demand for A2A agents, with a dry-run preview and overwrite support so operators can review what will change before committing.
What's New
Deployment
- Expose
AUTH_SERVER_URLas a Terraform variable for ECS (Cloud Map / FQDN auth-server) (#1284) - Enable use of existing VPC and subnets for AWS ECS deployment (#1264)
- Fix Keycloak and PostgreSQL image source for EKS by repointing to
docker.io/bitnamilegacy/*(#1287)
Security / Authentication
- Harden the
/mcp-proxyinternal token with a configurable short TTL and clock-skew leeway (#1272) - Validate signed JWT for the registry (#1262)
- Validate signed JWT for the mcp-proxy hop (#1260)
- Filter IdP groups to a scope-relevant set at login (#1279)
- Stop exposing the raw uvicorn app port (7860) as a registry Service port; the app binds loopback only and is fronted by in-pod nginx (#1278)
Performance
- Collapse per-group scope lookup into a single bulk query and add a
group_mappingsindex (#1281) - Remove N+1 calls for ratings and security-scans (#1258)
Audit and Reporting
- Add an executive summary band to the audit dashboard (#1274)
- Add a report-day reporter count to the usage-report executive summary (#1273)
Embeddings
- Add a stale-embedding CLI, no-op cleanup feedback, and FAQ as a follow-up to stale-index cleanup (#1261)
- Remove stale embeddings from the vector index after server/agent/skill deletion (#1232)
Connect-Config
- Persist per-server
oauth_client_idandappend_mcp_path(#1241) - Document the write path for per-server
oauth_client_idandappend_mcp_path(#1256)
Infrastructure / Build
- Add CDK infrastructure for MCP Gateway Registry (#903)
- Restore
docker/Dockerfile.mcp-server-lightstill referenced by compose (#1257) - Remove unused dockerfiles and
package.json(#1254)
Bug Fixes
- Fix datetime serialization causing
GET /api/servers/groups/{group_name}to return 500, and enforce token lifetime (#1272) - Templatize the auth-server hostname in nginx templates and fix the file-backend group mapping inversion (#1278)
- Validate signed JWT for the registry (#1262)
- Validate signed JWT for the mcp-proxy (#1260)
- Restore
docker/Dockerfile.mcp-server-lightstill referenced by compose (#1257)
Closed Issues
| Issue | Title | Closed By |
|---|---|---|
| #1283 | Expose AUTH_SERVER_URL as a Terraform variable for ECS (Cloud Map / FQDN auth-server) | PR #1284 |
| #1280 | IdP group bloat: filter groups to scope-relevant set at login | PR #1279 |
| #1145 | Stale embeddings remain in vector index after server/agent/skill deletion | PR #1232 |
| #1030 | Add on-demand A2A agent card pull with dry-run preview and overwrite | PR #1263 |
| #862 | CDK Deployment Support for mcp-gateway-registry | PR #903 |
| #573 | GET /api/servers/groups/{group_name} returns 500 due to datetime serialization | PR #1272 |
Pull Requests Included
| PR | Title |
|---|---|
| #1287 | updating keycloak and postgres images |
| #1284 | feat(terraform): expose AUTH_SERVER_URL as a variable for ECS |
| #1281 | perf(auth): collapse per-group scope lookup into one bulk query (+ group_mappings index) |
| #1279 | Filter IdP groups to scope-relevant set at login (fix X-Groups header bloat and per-request slowness) |
| #1278 | Update auth Server DNS Resolution in NGINX Templates and Align FileScopeRepository Group Mapping Behavior |
| #1274 | feat(audit): add executive summary band to audit dashboard |
| #1273 | feat(usage-report): add report-day reporter count to executive summary |
| #1272 | Fix datetime serialization and token lifetime enforcement |
| #1264 | feat: Enable use of existing VPC and subnets for AWS ECS deployment |
| #1263 | feat(agents): on-demand A2A agent card pull with dry-run preview |
| #1262 | fix: validate signed jwt for registry |
| #1261 | feat(embeddings): stale-embedding CLI, no-op cleanup feedback, and FAQ |
| #1260 | fix: validate signed jwt for mcp-proxy |
| #1258 | Remove N+1 calls for ratings and security-scans |
| #1257 | fix(build): restore docker/Dockerfile.mcp-server-light still referenced by compose |
| #1256 | docs(connect-config): document write path for per-server oauth_client_id / append_mcp_path |
| #1254 | Remove unused dockerfiles and package.json |
| #1253 | chore: update image tags to 1.24.6 |
| #1252 | build(deps): bump the uv group across 9 directories with 2 updates |
| #1241 | feat(connect-config): persist per-server oauth_client_id and append_mcp_path |
| #1232 | Remove stale embeddings from vector index after deletion |
| #903 | feat(infra): add CDK infrastructure for MCP Gateway Registry |
Security Dependency Updates
| Package | Previous | Updated | Scope |
|---|---|---|---|
| uv group (2 updates across 9 directories) | - | - | Build / dependencies (#1252) |
Contributors
Thank you to all contributors for this release:
- Amit Arora (@aarora79)
- omrishiv (@omrishiv)
- Ajay Misra (@ajmsra)
- Vrinda Bhandari (@vrindabhandari)
- Ahmed Hatem (@AhmedHatemMG)
- Harshit Kumar Gupta (@harshitkgupta)
- Gonçalo Faustino (@go-faustino)
- Akarsh Saklani (@Akarsh-2004)
Support
Full Changelog: 1.24.6...1.24.7
What's Changed
- chore: update image tags to 1.24.6 by @github-actions[bot] in #1253
- build(deps): bump the uv group across 9 directories with 2 updates by @dependabot[bot] in #1252
- Remove unused dockerfiles and package.json by @omrishiv in #1254
- feat(connect-config): persist per-server oauth_client_id and append_mcp_path by @go-faustino in #1241
- fix(build): restore docker/Dockerfile.mcp-server-light still referenced by compose by @aarora79 in #1257
- docs(connect-config): document write path for per-server oauth_client_id / append_mcp_path by @aarora79 in #1256
- feat(infra): add CDK infrastructure for MCP Gateway Registry by @harshitkgupta in #903
- Remove N+1 calls for ratings and security-scans by @omrishiv in #1258
- fix: validate signed jwt for mcp-proxy by @omrishiv in #1260
- 1145 by @Akarsh-2004 in #1232
- feat(embeddings): stale-embedding CLI, no-op cleanup feedback, and FAQ (#1232 follow-up) by @aarora79 in #1261
- fix:validate signed jwt for registry by @omrishiv in #1262
- feat(usage-report): add report-day reporter count to executive summary by @aarora79 in #1273
- feat(audit): add executive summary band to audit dashboard by @aarora79 in #1274
- Filter IdP groups to scope-relevant set at login (fix X-Groups header bloat and per-request slowness) by @aarora79 in #1279
- feat(agents): on-demand A2A agent card pull with dry-run preview (#1030) by @vrindabhandari in #1263
- perf(auth): collapse per-group scope lookup into one bulk query (+ group_mappings index) by @aarora79 in #1281
- feat: Enable use of existing VPC and subnets for AWS ECS deployment. by @AhmedHatemMG in #1264
- Fix datetime serialization and token lifetime enforcement (#573, #889) by @ajmsra in #1272
- Update auth Server DNS Resolution in NGINX Templates and Align FileScopeRepository Group Mapping Behavior by @ajmsra in #1278
- feat(terraform): expose AUTH_SERVER_URL as a variable for ECS (#1283) by @aarora79 in #1284
- updating keycloak and postgres images by @omrishiv in #1287
New Contributors
- @Akarsh-2004 made their first contribution in #1232
- @AhmedHatemMG made their first contribution in #1264
- @ajmsra made their first contribution in #1272
Full Changelog: 1.24.6...1.24.7
