Merged
Changes from 4 commits
5 changes: 4 additions & 1 deletion .vscode/mcp.json
Expand Up @@ -27,8 +27,11 @@
"0.0.0.0:5678",
"servers/basic_mcp_stdio.py"
]
},
"keycloak-deployed": {
"url": "https://mcproutes.thankfulmeadow-cebb0cbb.eastus2.azurecontainerapps.io/mcp",
"type": "http"
}

},
"inputs": []
}
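
Review bot: The `keycloak-deployed` entry hardcodes one specific deployment's hostname in `url`, so the committed workspace config points every clone at that single Container App and goes stale once it is redeployed or torn down. The file already carries an empty `"inputs": []` array; consider declaring a prompt input there and referencing it from `url` as `${input:keycloak-mcp-url}` (the id is a placeholder), or documenting that the value must be replaced after deploying. The blank line before the closing `},` can also be dropped.
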
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -394,7 +394,7 @@ This project supports deploying with OAuth 2.0 authentication using Keycloak as

| Component | Description |
| --------- | ----------- |
| **Keycloak Container App** | Keycloak 26.0 with pre-configured realm |
| **Keycloak Container App** | Keycloak 26.6.0 with pre-configured realm |
| **HTTP Route Configuration** | Rule-based routing: `/auth/*` → Keycloak, `/*` → MCP Server |
| **OAuth-protected MCP Server** | FastMCP with JWT validation against Keycloak's JWKS endpoint |

8 changes: 4 additions & 4 deletions keycloak/Dockerfile
@@ -1,6 +1,7 @@
# Keycloak container with pre-built themes and realm import
# Based on: https://www.keycloak.org/server/containers
FROM quay.io/keycloak/keycloak:26.0 AS builder
# Requires 26.6.0+ for DCR fix: https://github.com/keycloak/keycloak/issues/44403
FROM quay.io/keycloak/keycloak:26.6.0 AS builder
Collaborator Author

No. This is a demo repo, not a production app. Pinning digests adds maintenance burden for little benefit here. The tag 26.6.0 is already a specific version (not latest)


# Copy the MCP realm configuration for import
COPY keycloak/realm.json /opt/keycloak/data/import/mcp-realm.json
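
Review bot: The `26.6.0` tag is now written out in both `FROM` lines of this file (the builder stage here and the runtime stage further down), and the two must move together or the `kc.sh build` output gets copied into a different server version. Declaring `ARG KEYCLOAK_VERSION=26.6.0` once above the first `FROM` and using `quay.io/keycloak/keycloak:${KEYCLOAK_VERSION}` in both stages keeps them in sync, and the `# Requires 26.6.0+` comment can then sit next to that single declaration.
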
Expand All @@ -9,7 +10,7 @@ COPY keycloak/realm.json /opt/keycloak/data/import/mcp-realm.json
RUN /opt/keycloak/bin/kc.sh build

# Production image with pre-built themes
FROM quay.io/keycloak/keycloak:26.0
FROM quay.io/keycloak/keycloak:26.6.0
Collaborator Author

This is a demo repo, not a production app. Pinning digests adds maintenance burden for little benefit here. The tag 26.6.0 is already a specific version (not latest)


# Copy built Keycloak with consistent theme cache hashes
COPY --from=builder /opt/keycloak/ /opt/keycloak/
Expand All @@ -24,5 +25,4 @@ ENTRYPOINT ["/opt/keycloak/bin/kc.sh"]
# --hostname-strict=false allows dynamic hostname resolution from proxy headers
# --http-relative-path=/auth sets the base path so Keycloak serves all content under /auth/*
# --import-realm imports the MCP realm on startup
# --import-strategy=overwrite-existing ensures realm.json changes are applied even if the realm exists
CMD ["start-dev", "--http-port=8080", "--proxy-headers=xforwarded", "--hostname-strict=false", "--http-relative-path=/auth", "--import-realm", "--import-strategy=overwrite-existing"]
CMD ["start-dev", "--http-port=8080", "--proxy-headers=xforwarded", "--hostname-strict=false", "--http-relative-path=/auth", "--import-realm"]
Collaborator Author

This is intentional. Keycloak 26.6.0 removed --import-strategy from start-dev. For this demo repo, users do fresh deploys, so the default import behavior works fine.
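
Review bot: With `--import-strategy=overwrite-existing` and its comment removed from the `CMD` block, nothing in the file says what `--import-realm` does when the realm is already present: Keycloak skips the import, so edits to `realm.json` will not reach an instance that keeps its database across restarts. A replacement comment line stating that, and that a fresh deploy is needed to pick up realm changes, would keep the flag comments above `CMD` accurate.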

2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -5,7 +5,7 @@ description = "Demonstration of Python FastMCP servers"
readme = "README.md"
requires-python = "==3.13.*"
dependencies = [
"fastmcp>=3.0.0",
"fastmcp>=3.2.4",
"debugpy>=1.8.0",
"langchain-core>=1.2.26",
"mcp>=1.3.0",
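
Review bot: The new floor `"fastmcp>=3.2.4"` carries no explanation, unlike the Dockerfile bump in this PR, which links the issue that motivates it. If 3.2.4 is the minimum release that works with the `fastmcp.server.auth.providers.keycloak` import this PR switches to, a short comment above the line saying so would stop a later edit from loosening the bound.
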
6 changes: 3 additions & 3 deletions servers/auth_keycloak_mcp.py
Expand Up @@ -19,9 +19,9 @@
from azure.monitor.opentelemetry import configure_azure_monitor
from dotenv import load_dotenv
from fastmcp import Context, FastMCP
from fastmcp.server.auth.providers.keycloak import KeycloakAuthProvider
from fastmcp.server.dependencies import get_access_token
from fastmcp.server.middleware import Middleware, MiddlewareContext
from keycloak_provider import KeycloakAuthProvider
from opentelemetry.instrumentation.starlette import StarletteInstrumentor
from opentelemetry.sdk.resources import Resource
from rich.console import Console
Expand Down Expand Up @@ -77,7 +77,7 @@
cosmos_db = cosmos_client.get_database_client(os.environ["AZURE_COSMOSDB_DATABASE"])
cosmos_container = cosmos_db.get_container_client(os.environ["AZURE_COSMOSDB_USER_CONTAINER"])

# Configure Keycloak authentication using KeycloakAuthProvider with DCR support
# Configure Keycloak authentication using FastMCP's built-in KeycloakAuthProvider
KEYCLOAK_REALM_URL = os.environ["KEYCLOAK_REALM_URL"]
if RUNNING_IN_PRODUCTION:
keycloak_base_url = os.environ["KEYCLOAK_MCP_SERVER_BASE_URL"]
Expand All @@ -93,7 +93,7 @@
audience=keycloak_audience,
)
logger.info(
"Using Keycloak DCR auth for server %s and realm %s (audience=%s)",
"Using Keycloak auth for server %s and realm %s (audience=%s)",
keycloak_base_url,
KEYCLOAK_REALM_URL,
keycloak_audience,
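
Review bot: The comment above `KEYCLOAK_REALM_URL` and the log string both drop "DCR" (`"Using Keycloak auth for server %s and realm %s (audience=%s)"`), while the Dockerfile in this same PR states that 26.6.0 is required for a DCR fix. If dynamic client registration is still how MCP clients obtain credentials, keep that in the comment; if it is not, say what replaced it so the two files do not contradict each other.
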
225 changes: 0 additions & 225 deletions servers/keycloak_provider.py

This file was deleted.

2 changes: 1 addition & 1 deletion spanish/README.md
Expand Up @@ -390,7 +390,7 @@ Este proyecto soporta desplegar con autenticación OAuth 2.0 usando Keycloak com

| Componente | Descripción |
| ---------- | ----------- |
| **Container App de Keycloak** | Keycloak 26.0 con realm preconfigurado |
| **Container App de Keycloak** | Keycloak 26.6.0 con realm preconfigurado |
| **Configuración de rutas HTTP** | Enrutamiento basado en reglas: `/auth/*` → Keycloak, `/*` → Servidor MCP |
| **Servidor MCP protegido con OAuth** | FastMCP con validación JWT contra el endpoint JWKS de Keycloak |

18 changes: 14 additions & 4 deletions uv.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.