Fix: Serve CIMD endpoint when OAuth server protection is enabled#191
Merged
Conversation
The CIMD endpoint was only mounted in createStandardMux (used when OAuth server protection is disabled). When OAuth protection is enabled, createOAuthProtectedMux was used instead, which didn't mount the CIMD.

Added setupOAuthProxyRoutes to OAuthHTTPServer.CreateMux() which mounts:
- OAuth callback handler for remote server auth
- Self-hosted CIMD at /.well-known/oauth-client.json

The CIMD is served without authentication as it's a public discovery document that remote MCP servers need to fetch.
Problem

Two issues with the CIMD endpoint when OAuth server protection is enabled:

Issue 1: CIMD returning 404

The CIMD endpoint (/.well-known/oauth-client.json) was returning 404 when OAuth server protection is enabled. From mcp-kubernetes logs:

Root cause: The CIMD handler was only mounted in createStandardMux() (used when OAuth server protection is disabled). When enabled, createOAuthProtectedMux() was used instead, which didn't mount the CIMD.

Issue 2: Crashloop due to duplicate route registration

After adding the CIMD, muster was crashlooping with:

Root cause: The OAuth server already registers /oauth/callback, and the OAuth proxy was trying to register the same path.

Solution

- Added setupOAuthProxyRoutes() to OAuthHTTPServer.CreateMux() which mounts the self-hosted CIMD at /.well-known/oauth-client.json
- Removed the duplicate OAuth callback registration from the proxy - the OAuth server's callback handles both cases since they use the same Dex IdP
Testing
Context
This is part of the OAuth proxy feature that allows muster to authenticate with remote MCP servers (like mcp-kubernetes) on behalf of users.
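The two issues above (a public discovery document missing from the protected mux, and a second registration of /oauth/callback crashing the process at startup) come down to how the route table is assembled. The following Go program is an added illustration, not muster's code: it builds a mux where the CIMD at /.well-known/oauth-client.json is reachable without credentials, the callback is registered exactly once, and an MCP endpoint stays behind a bearer check. The names requireBearer, routeTable, clientMetadata, the /mcp path and the token value are assumptions made for the example; the CIMD path and /oauth/callback come from the PR description.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CIMDPath is the well-known client-ID-metadata path named in the PR.
const CIMDPath = "/.well-known/oauth-client.json"

// clientMetadata is a constructed, minimal CIMD body; the real document
// muster serves is assumed to carry more fields.
type clientMetadata struct {
	ClientID     string   `json:"client_id"`
	ClientName   string   `json:"client_name"`
	RedirectURIs []string `json:"redirect_uris"`
}

// requireBearer is a hypothetical stand-in for the OAuth server protection
// middleware: requests without the expected bearer token get 401.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			w.Header().Set("WWW-Authenticate", `Bearer realm="mcp"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// routeTable wraps http.ServeMux and turns a second registration of the same
// pattern into an error at build time instead of the ServeMux panic that put
// the process into a crashloop (issue 2).
type routeTable struct {
	mux  *http.ServeMux
	seen map[string]bool
}

func newRouteTable() *routeTable {
	return &routeTable{mux: http.NewServeMux(), seen: map[string]bool{}}
}

func (t *routeTable) Handle(pattern string, h http.Handler) error {
	if t.seen[pattern] {
		return fmt.Errorf("duplicate registration for %s", pattern)
	}
	t.seen[pattern] = true
	t.mux.Handle(pattern, h)
	return nil
}

// CreateMux builds the protected mux the way the fix describes: the CIMD is
// public, the callback is registered exactly once, and the MCP endpoint
// (hypothetical path /mcp) stays behind the bearer check.
func CreateMux(token string, meta clientMetadata) (http.Handler, error) {
	t := newRouteTable()
	cimd := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(meta)
	})
	if err := t.Handle(CIMDPath, cimd); err != nil {
		return nil, err
	}
	callback := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // a real callback would exchange the auth code here
	})
	if err := t.Handle("/oauth/callback", callback); err != nil {
		return nil, err
	}
	mcp := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	if err := t.Handle("/mcp", requireBearer(token, mcp)); err != nil {
		return nil, err
	}
	return t.mux, nil
}

// Status performs an in-process GET and returns the HTTP status code.
func Status(h http.Handler, path, bearer string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// DuplicateCallbackRejected reproduces issue 2 safely: a second registration
// of /oauth/callback is reported as an error rather than a panic.
func DuplicateCallbackRejected() bool {
	t := newRouteTable()
	_ = t.Handle("/oauth/callback", http.NotFoundHandler())
	return t.Handle("/oauth/callback", http.NotFoundHandler()) != nil
}

func main() {
	meta := clientMetadata{ClientID: "https://muster.example" + CIMDPath, ClientName: "muster",
		RedirectURIs: []string{"https://muster.example/oauth/callback"}}
	h, err := CreateMux("constructed-token", meta)
	if err != nil {
		panic(err)
	}
	fmt.Println("cimd:", Status(h, CIMDPath, ""))             // 200, no auth needed
	fmt.Println("mcp no token:", Status(h, "/mcp", ""))       // 401
	fmt.Println("dup rejected:", DuplicateCallbackRejected()) // true
}
```

The point of routeTable is that a duplicate pattern surfaces as an error from CreateMux, where it can be logged and the startup aborted cleanly, rather than as a panic on every restart; the CIMD handler is deliberately mounted outside requireBearer so remote servers can fetch the discovery document without a token.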