Skip to content

Add Keycloak OAuth Authentication Provider leveraging Dynamic Client Registration (DCR) #1918

New issue
New issue
Open
#1937
Open
Add Keycloak OAuth Authentication Provider leveraging Dynamic Client Registration (DCR)#1918
#1937
Labels
authRelated to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.enhancementImprovement to existing functionality. For issues and smaller PR improvements.
@stephaneberle9

Description

@stephaneberle9
stephaneberle9
opened on Sep 25, 2025

Enhancement

Problem

FastMCP currently supports authentication with a variety of OAuth established providers like AWS Cognito, Google, and others. However, it lacks support for Keycloak, one of the most popular open-source identity and access management solutions widely used in enterprise environments and local development workflows.

Keycloak is particularly valuable for:

  • Enterprise SSO Integration: Widely deployed in corporate environments for centralized identity management
  • Local Development & Testing: Developers frequently use Keycloak with Docker Compose as a lightweight substitute for cloud identity providers
    during development, avoiding the need for complex cloud provider setups or API quotas during testing

Keycloak natively supports Dynamic Client Registration (DCR), which aligns perfectly with FastMCP's architecture that provides the necessary base services for DCR-enabled OAuth flows. This makes Keycloak an ideal candidate for integration using this relatively modern OAuth capability, eliminating the need for pre-registered clients and enabling seamless, automated authentication flows.

Without FastMCP providing any dedicated auth provider for Keycloak, users wanting to integrate FastMCP with existing Keycloak infrastructure or set up local OAuth testing currently have to:

  • Implement custom authentication logic
  • Work around CORS limitations when FastMCP and Keycloak are on different origins
  • Manually handle Dynamic Client Registration (DCR)
  • Deal with token endpoint authentication method incompatibilities
  • Inject server-required scopes into client registrations manually

Minimal Reproducible Example

Current workaround (complex and error-prone):

from fastmcp.server.auth.providers.jwt import JWTVerifier
from fastmcp.server.auth import RemoteAuthProvider

# Manual setup with multiple configuration steps
verifier = JWTVerifier(
    jwks_uri="https://keycloak.example.com/realms/myrealm/.well-known/jwks.json",
    issuer="https://keycloak.example.com/realms/myrealm",
    algorithm="RS256",
    required_scopes=["openid", "profile"],
)

auth = RemoteAuthProvider(
    token_verifier=verifier,
    authorization_servers=["https://your-fastmcp-server.com"],
    base_url="https://your-fastmcp-server.com",
)
# Still need to handle DCR, CORS, scope injection, etc. manually

Proposed implementation (simple and robust):

from fastmcp.server.auth.providers.keycloak import KeycloakAuthProvider

# Method 1: Direct configuration
auth = KeycloakAuthProvider(
    realm_url="https://keycloak.example.com/realms/myrealm",
    base_url="https://your-fastmcp-server.com",
    required_scopes=["openid", "profile"],
)

# Method 2: Environment variables (even simpler)
# Set: FASTMCP_SERVER_AUTH_KEYCLOAK_REALM_URL=https://keycloak.example.com/realms/myrealm
# Set: FASTMCP_SERVER_AUTH_KEYCLOAK_BASE_URL=https://your-fastmcp-server.com
# Set: FASTMCP_SERVER_AUTH_KEYCLOAK_REQUIRED_SCOPES=openid,profile
auth = KeycloakAuthProvider()

mcp = FastMCP("My App", auth=auth)

Proposed Solution

Add a new KeycloakAuthProvider class in src/fastmcp/server/auth/providers/keycloak.py that:

  1. Extends RemoteAuthProvider - follows the same pattern as other OAuth providers
  2. Automatic OIDC Discovery - discovers endpoints from /.well-known/openid-configuration
  3. Dynamic Client Registration Support - handles DCR with proper scope injection
  4. FastMCP Compatibility Fixes - modifies client registration responses to fix authentication method and response type incompatibilities
  5. Authorization Server Proxy - acts as a proxy to inject required scopes and prevent CORS issues
  6. JWT Token Verification - automatically configures JWT verifier with Keycloak's JWKS endpoint

Benefits

  • Enterprise Readiness: Keycloak is widely used in enterprise environments for SSO and identity management
  • Developer Experience: Simple configuration with sensible defaults and automatic endpoint discovery
  • Local Testing: Perfect for Docker Compose setups during development, eliminating need for cloud provider accounts
  • Modern OAuth Standards: Leverages Dynamic Client Registration for seamless, automated authentication flows
  • Zero Breaking Changes: New optional provider following existing patterns
  • Security: Proper JWT verification with JWKS key rotation support
  • CORS Compatibility: Proxy design prevents CORS issues in complex deployment scenarios
  • Production Ready: Includes comprehensive example with Docker setup and documentation
  • Consistency: Follows the same patterns and conventions as existing auth providers

Metadata

Metadata

Assignees

No one assigned

    Labels

    authRelated to authentication (Bearer, JWT, OAuth, WorkOS) for client or server.enhancementImprovement to existing functionality. For issues and smaller PR improvements.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions