Implement OIDC discovery and add Google OAuth demo guide (#9562)

Author: tobiu

ai/mcp/server/knowledge-base/Server.mjs

@@ -105,33 +105,59 @@ class Server extends Base {
             const mcpServerUrl = getFullUrl(process.env.HOST || 'localhost', aiConfig.ssePort);
 
             // Optional OIDC/OAuth Authorization
-            if (aiConfig.auth.host) {
+            if (aiConfig.auth.host || aiConfig.auth.issuerUrl) {
                 const {mcpAuthMetadataRouter, getOAuthProtectedResourceMetadataUrl} = await import('@modelcontextprotocol/sdk/server/auth/router.js');
                 const {requireBearerAuth}                                           = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
                 const {InvalidTokenError}                                           = await import('@modelcontextprotocol/sdk/server/auth/errors.js');
                 const {checkResourceAllowed}                                        = await import('@modelcontextprotocol/sdk/shared/auth-utils.js');
 
-                const authBaseUrl = getFullUrl(aiConfig.auth.host, aiConfig.auth.port);
+                let oauthUrls;
 
-                // Append Keycloak realm path if not already present
-                if (!authBaseUrl.pathname.includes('/realms/')) {
-                    authBaseUrl.pathname = `/realms/${aiConfig.auth.realm}/`;
-                }
+                if (aiConfig.auth.issuerUrl) {
+                    let issuerUrl = aiConfig.auth.issuerUrl;
 
-                const oauthUrls = {
-                    issuer                : authBaseUrl.toString(),
-                    introspection_endpoint: new URL('protocol/openid-connect/token/introspect', authBaseUrl).toString(),
-                    authorization_endpoint: new URL('protocol/openid-connect/auth',             authBaseUrl).toString(),
-                    token_endpoint        : new URL('protocol/openid-connect/token',            authBaseUrl).toString(),
-                };
+                    if (!issuerUrl.endsWith('/')) {
+                        issuerUrl += '/';
+                    }
+
+                    const discoveryUrl = new URL('.well-known/openid-configuration', issuerUrl);
+                    const response     = await fetch(discoveryUrl);
+
+                    if (!response.ok) {
+                        throw new Error(`Failed to fetch OIDC discovery document from ${discoveryUrl}: ${response.statusText}`);
+                    }
+
+                    oauthUrls = await response.json();
+                    logger.info(`[neo-knowledge-base MCP] OIDC Discovery successful for issuer: ${oauthUrls.issuer}`);
+                } else {
+                    const authBaseUrl = getFullUrl(aiConfig.auth.host, aiConfig.auth.port);
+
+                    // Append Keycloak realm path if not already present
+                    if (!authBaseUrl.pathname.includes('/realms/')) {
+                        authBaseUrl.pathname = `/realms/${aiConfig.auth.realm}/`;
+                    }
+
+                    oauthUrls = {
+                        issuer                : authBaseUrl.toString(),
+                        introspection_endpoint: new URL('protocol/openid-connect/token/introspect', authBaseUrl).toString(),
+                        authorization_endpoint: new URL('protocol/openid-connect/auth',             authBaseUrl).toString(),
+                        token_endpoint        : new URL('protocol/openid-connect/token',            authBaseUrl).toString(),
+                    };
+                }
 
                 const oauthMetadata = {
                     ...oauthUrls,
-                    response_types_supported: ['code'],
+                    response_types_supported: oauthUrls.response_types_supported || ['code'],
                 };
 
                 const tokenVerifier = {
                     verifyAccessToken: async (token) => {
+                        const introspectionEndpoint = oauthUrls.introspection_endpoint;
+
+                        if (!introspectionEndpoint) {
+                            throw new Error('No introspection endpoint available in OIDC metadata');
+                        }
+
                         const params = new URLSearchParams({
                             token    : token,
                             client_id: aiConfig.auth.clientId,
@@ -141,7 +167,7 @@ class Server extends Base {
                             params.set('client_secret', aiConfig.auth.clientSecret);
                         }
 
-                        const response = await fetch(oauthUrls.introspection_endpoint, {
+                        const response = await fetch(introspectionEndpoint, {
                             method : 'POST',
                             headers: {'Content-Type': 'application/x-www-form-urlencoded'},
                             body   : params.toString(),

ai/mcp/server/knowledge-base/config.mjs

@@ -13,7 +13,7 @@ const defaultConfig = {
      * Automatically synchronize the knowledge base on startup.
      * @type {boolean}
      */
-    autoSync: true,
+    autoSync: process.env.AUTO_SYNC !== 'false',
     /**
      * Global debug flag for all MCP servers.
      * @type {boolean}
@@ -43,6 +43,7 @@ const defaultConfig = {
         host        : process.env.AUTH_HOST || null,
         port        : Number(process.env.AUTH_PORT) || 8080,
         realm       : process.env.AUTH_REALM || 'master',
+        issuerUrl   : process.env.AUTH_ISSUER_URL || null,
         clientId    : process.env.OAUTH_CLIENT_ID || null,
         clientSecret: process.env.OAUTH_CLIENT_SECRET || '',
     },

ai/mcp/server/memory-core/Server.mjs

@@ -104,33 +104,59 @@ class Server extends Base {
             const mcpServerUrl = getFullUrl(process.env.HOST || 'localhost', aiConfig.ssePort);
 
             // Optional OIDC/OAuth Authorization
-            if (aiConfig.auth.host) {
+            if (aiConfig.auth.host || aiConfig.auth.issuerUrl) {
                 const {mcpAuthMetadataRouter, getOAuthProtectedResourceMetadataUrl} = await import('@modelcontextprotocol/sdk/server/auth/router.js');
                 const {requireBearerAuth}                                           = await import('@modelcontextprotocol/sdk/server/auth/middleware/bearerAuth.js');
                 const {InvalidTokenError}                                           = await import('@modelcontextprotocol/sdk/server/auth/errors.js');
                 const {checkResourceAllowed}                                        = await import('@modelcontextprotocol/sdk/shared/auth-utils.js');
 
-                const authBaseUrl = getFullUrl(aiConfig.auth.host, aiConfig.auth.port);
+                let oauthUrls;
 
-                // Append Keycloak realm path if not already present
-                if (!authBaseUrl.pathname.includes('/realms/')) {
-                    authBaseUrl.pathname = `/realms/${aiConfig.auth.realm}/`;
-                }
+                if (aiConfig.auth.issuerUrl) {
+                    let issuerUrl = aiConfig.auth.issuerUrl;
 
-                const oauthUrls = {
-                    issuer                : authBaseUrl.toString(),
-                    introspection_endpoint: new URL('protocol/openid-connect/token/introspect', authBaseUrl).toString(),
-                    authorization_endpoint: new URL('protocol/openid-connect/auth',             authBaseUrl).toString(),
-                    token_endpoint        : new URL('protocol/openid-connect/token',            authBaseUrl).toString(),
-                };
+                    if (!issuerUrl.endsWith('/')) {
+                        issuerUrl += '/';
+                    }
+
+                    const discoveryUrl = new URL('.well-known/openid-configuration', issuerUrl);
+                    const response     = await fetch(discoveryUrl);
+
+                    if (!response.ok) {
+                        throw new Error(`Failed to fetch OIDC discovery document from ${discoveryUrl}: ${response.statusText}`);
+                    }
+
+                    oauthUrls = await response.json();
+                    logger.info(`[neo-memory-core MCP] OIDC Discovery successful for issuer: ${oauthUrls.issuer}`);
+                } else {
+                    const authBaseUrl = getFullUrl(aiConfig.auth.host, aiConfig.auth.port);
+
+                    // Append Keycloak realm path if not already present
+                    if (!authBaseUrl.pathname.includes('/realms/')) {
+                        authBaseUrl.pathname = `/realms/${aiConfig.auth.realm}/`;
+                    }
+
+                    oauthUrls = {
+                        issuer                : authBaseUrl.toString(),
+                        introspection_endpoint: new URL('protocol/openid-connect/token/introspect', authBaseUrl).toString(),
+                        authorization_endpoint: new URL('protocol/openid-connect/auth',             authBaseUrl).toString(),
+                        token_endpoint        : new URL('protocol/openid-connect/token',            authBaseUrl).toString(),
+                    };
+                }
 
                 const oauthMetadata = {
                     ...oauthUrls,
-                    response_types_supported: ['code'],
+                    response_types_supported: oauthUrls.response_types_supported || ['code'],
                 };
 
                 const tokenVerifier = {
                     verifyAccessToken: async (token) => {
+                        const introspectionEndpoint = oauthUrls.introspection_endpoint;
+
+                        if (!introspectionEndpoint) {
+                            throw new Error('No introspection endpoint available in OIDC metadata');
+                        }
+
                         const params = new URLSearchParams({
                             token    : token,
                             client_id: aiConfig.auth.clientId,
@@ -140,7 +166,7 @@ class Server extends Base {
                             params.set('client_secret', aiConfig.auth.clientSecret);
                         }
 
-                        const response = await fetch(oauthUrls.introspection_endpoint, {
+                        const response = await fetch(introspectionEndpoint, {
                             method : 'POST',
                             headers: {'Content-Type': 'application/x-www-form-urlencoded'},
                             body   : params.toString(),

ai/mcp/server/memory-core/config.mjs

@@ -13,7 +13,7 @@ const defaultConfig = {
      * Automatically trigger session summarization on startup.
      * @type {boolean}
      */
-    autoSummarize: true,
+    autoSummarize: process.env.AUTO_SUMMARIZE !== 'false',
     /**
      * Global debug flag for all MCP servers.
      * @type {boolean}
@@ -43,6 +43,7 @@ const defaultConfig = {
         host        : process.env.AUTH_HOST || null,
         port        : Number(process.env.AUTH_PORT) || 8080,
         realm       : process.env.AUTH_REALM || 'master',
+        issuerUrl   : process.env.AUTH_ISSUER_URL || null,
         clientId    : process.env.OAUTH_CLIENT_ID || null,
         clientSecret: process.env.OAUTH_CLIENT_SECRET || '',
     },

learn/guides/mcp/Authorization.md

@@ -22,9 +22,10 @@ To enable authorization on your MCP server, you must use the **SSE transport** a
 
 | Variable | Description | Example |
 | :--- | :--- | :--- |
-| `AUTH_HOST` | The hostname of your OIDC provider. | `keycloak.local` |
-| `AUTH_PORT` | The port of your OIDC provider. | `8080` |
-| `AUTH_REALM` | The OIDC realm name. | `master` |
+| `AUTH_ISSUER_URL` | The base URL of the OIDC provider (enables Discovery). | `https://accounts.google.com` |
+| `AUTH_HOST` | The hostname of your OIDC provider (Keycloak fallback). | `keycloak.local` |
+| `AUTH_PORT` | The port of your OIDC provider (Keycloak fallback). | `8080` |
+| `AUTH_REALM` | The OIDC realm name (Keycloak fallback). | `master` |
 | `OAUTH_CLIENT_ID` | The OAuth 2.1 client ID for the server. | `neo-mcp-server` |
 | `OAUTH_CLIENT_SECRET` | The OAuth 2.1 client secret. | `your-secret-here` |
 | `HOST` | The public hostname of the MCP server. | `mcp.neomjs.com` |
@@ -37,6 +38,13 @@ The server intelligently resolves URLs:
 
 ---
 
+## Hands-on Examples
+
+- **Keycloak:** See the [Local Keycloak Setup](#example-local-keycloak-setup) below.
+- **Google OAuth:** Follow the [Google OAuth 2.1 Demo](GoogleAuthDemo.md) guide.
+
+---
+
 ## Example: Local Keycloak Setup
 
 1. **Start Keycloak:** Ensure Keycloak is running at `localhost:8080`.

learn/guides/mcp/GoogleAuthDemo.md

@@ -0,0 +1,77 @@
+# Google OAuth 2.1 Demo
+
+This hands-on guide demonstrates how to secure your Neo.mjs MCP servers (Knowledge Base or Memory Core) using Google OAuth 2.1. This allows you to restrict access to your AI tools using your organization's Google workspace.
+
+## Prerequisites
+
+1.  A Google Cloud Platform (GCP) project.
+2.  The Neo.mjs project cloned and initialized.
+3.  The MCP server deployed to a public URL (or using a tunnel like `ngrok` for local testing).
+
+---
+
+## Step 1: Configure Google Cloud Console
+
+1.  Go to the [GCP APIs & Services > Credentials](https://console.cloud.google.com/apis/credentials) page.
+2.  Click **Create Credentials** > **OAuth client ID**.
+3.  Select **Web application** as the application type.
+4.  **Authorized JavaScript origins:** Add the public URL of your MCP server (e.g., `https://mcp.yourdomain.com`).
+5.  **Authorized redirect URIs:** Since the MCP server acts as a **Protected Resource**, it doesn't handle the user login redirect itself. However, your **MCP Client** (e.g., VS Code or a custom UI) will need a redirect URI.
+6.  Click **Create** and note your **Client ID** and **Client Secret**.
+
+---
+
+## Step 2: Configure the MCP Server
+
+Update your `.env` file or IaC environment variables.
+
+### Using OIDC Discovery (Recommended)
+Google provides a standard OIDC discovery endpoint. This is the easiest way to configure the server.
+
+```env
+TRANSPORT=sse
+SSE_PORT=3000
+HOST=mcp.yourdomain.com
+
+# OIDC Discovery
+AUTH_ISSUER_URL=https://accounts.google.com
+OAUTH_CLIENT_ID=your-google-client-id.apps.googleusercontent.com
+OAUTH_CLIENT_SECRET=your-google-client-secret
+```
+
+### Protocol Awareness
+Ensure `HOST` is set correctly. If your server is behind a load balancer with SSL termination, ensure `HOST` does not include the protocol unless you want to force one. The server will default to `https` for any host other than `localhost`.
+
+---
+
+## Step 3: Technical Nuances
+
+### Token Introspection
+Unlike Keycloak, Google does not strictly adhere to the RFC 7662 introspection spec for all token types in the same way. However, for **OpenID Connect**, the MCP SDK handles the validation of the Bearer token. 
+
+### Audience (aud) Validation
+Google ID Tokens include the `aud` field, which matches your `OAUTH_CLIENT_ID`. The Neo.mjs MCP server will validate that the incoming token's audience is authorized to access the resource.
+
+> **Note:** In complex scenarios where the client and server use different GCP projects, you may need to configure additional audience mappings in your GCP project.
+
+---
+
+## Step 4: Testing with a Client
+
+When connecting an MCP client (like VS Code) to your server:
+
+1.  The client will hit `https://mcp.yourdomain.com/.well-known/oauth-protected-resource`.
+2.  It will discover that the server requires authorization from `https://accounts.google.com`.
+3.  The client will initiate the OAuth flow with Google.
+4.  Once authorized, the client will send requests with the header:
+    `Authorization: Bearer <google_access_token>`
+
+---
+
+## Troubleshooting
+
+### 401 Unauthorized
+Verify that the `OAUTH_CLIENT_ID` in your server config matches the one used by the client to obtain the token.
+
+### OIDC Discovery Failure
+If the server logs `Failed to fetch OIDC discovery document`, ensure the server has outbound internet access to reach `https://accounts.google.com/.well-known/openid-configuration`.

learn/tree.json

@@ -128,6 +128,7 @@
             {"name": "The Neural Link Server",                         "parentId": "guides/mcp",                                          "id": "guides/mcp/NeuralLink"},
             {"name": "The GitHub Workflow Server",                     "parentId": "guides/mcp",                                          "id": "guides/mcp/GitHubWorkflow"},
             {"name": "Server Authorization",                           "parentId": "guides/mcp",                                          "id": "guides/mcp/Authorization"},
+            {"name": "Google OAuth Demo",                              "parentId": "guides/mcp",                                          "id": "guides/mcp/GoogleAuthDemo"},
             {"name": "Code Execution",                                 "parentId": "guides/mcp",                                          "id": "guides/mcp/CodeExecution"},
         {"name": "AI",                                                 "parentId": "guides",                             "isLeaf": false, "id": "guides/ai", "collapsed": true},
             {"name": "Strategic Workflows",                            "parentId": "guides/ai",                                           "id": "guides/ai/StrategicWorkflows"},