docs: update configuration documentation with latest options (#74)

hrntknr · web-flow · commit 6ba6c7f99f3c · 2025-08-25T02:30:18.000+09:00
* docs: update configuration documentation with latest options

Add documentation for new configuration options:
- --google-allowed-workspaces: Allow entire Google Workspaces
- --github-allowed-orgs: Allow GitHub organizations and teams (Org:Team format)
- --trusted-proxies: Configure trusted proxy IP ranges for reverse proxy setups

Updated configuration reference, OAuth setup guide, and Docker Compose examples
to reflect these new options and their usage patterns.

* docs: improve OAuth setup code block formatting
diff --git a/docs/docs/configuration.md b/docs/docs/configuration.md
@@ -34,19 +34,21 @@ Complete reference for all MCP Auth Proxy configuration options.
 
 #### Google OAuth
 
-| Option                   | Environment Variable   | Default | Description                                           |
-| ------------------------ | ---------------------- | ------- | ----------------------------------------------------- |
-| `--google-client-id`     | `GOOGLE_CLIENT_ID`     | -       | Google OAuth client ID                                |
-| `--google-client-secret` | `GOOGLE_CLIENT_SECRET` | -       | Google OAuth client secret                            |
-| `--google-allowed-users` | `GOOGLE_ALLOWED_USERS` | -       | Comma-separated list of allowed Google users (emails) |
+| Option                        | Environment Variable        | Default | Description                                           |
+| ----------------------------- | --------------------------- | ------- | ----------------------------------------------------- |
+| `--google-client-id`          | `GOOGLE_CLIENT_ID`          | -       | Google OAuth client ID                                |
+| `--google-client-secret`      | `GOOGLE_CLIENT_SECRET`      | -       | Google OAuth client secret                            |
+| `--google-allowed-users`      | `GOOGLE_ALLOWED_USERS`      | -       | Comma-separated list of allowed Google users (emails) |
+| `--google-allowed-workspaces` | `GOOGLE_ALLOWED_WORKSPACES` | -       | Comma-separated list of allowed Google workspaces     |
 
 #### GitHub OAuth
 
-| Option                   | Environment Variable   | Default | Description                                              |
-| ------------------------ | ---------------------- | ------- | -------------------------------------------------------- |
-| `--github-client-id`     | `GITHUB_CLIENT_ID`     | -       | GitHub OAuth client ID                                   |
-| `--github-client-secret` | `GITHUB_CLIENT_SECRET` | -       | GitHub OAuth client secret                               |
-| `--github-allowed-users` | `GITHUB_ALLOWED_USERS` | -       | Comma-separated list of allowed GitHub users (usernames) |
+| Option                   | Environment Variable   | Default | Description                                                                                                                      |
+| ------------------------ | ---------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| `--github-client-id`     | `GITHUB_CLIENT_ID`     | -       | GitHub OAuth client ID                                                                                                           |
+| `--github-client-secret` | `GITHUB_CLIENT_SECRET` | -       | GitHub OAuth client secret                                                                                                       |
+| `--github-allowed-users` | `GITHUB_ALLOWED_USERS` | -       | Comma-separated list of allowed GitHub users (usernames)                                                                         |
+| `--github-allowed-orgs`  | `GITHUB_ALLOWED_ORGS`  | -       | Comma-separated list of allowed GitHub organizations. You can also restrict access to specific teams using the format `Org:Team` |
 
 #### Generic OIDC
 
@@ -74,5 +76,6 @@ Complete reference for all MCP Auth Proxy configuration options.
 | ---------------------- | -------------------- | ------- | ----------------------------------------------------------------------------------------------------- |
 | `--proxy-bearer-token` | `PROXY_BEARER_TOKEN` | -       | Bearer token to add to Authorization header when proxying requests                                    |
 | `--proxy-headers`      | `PROXY_HEADERS`      | -       | Comma-separated list of headers to add when proxying requests (format: Header1:Value1,Header2:Value2) |
+| `--trusted-proxies`    | `TRUSTED_PROXIES`    | -       | Comma-separated list of trusted proxies (IP addresses or CIDR ranges)                                 |
 
 For practical configuration examples including environment variables, Docker Compose, and Kubernetes deployments, see the [Configuration Examples](./examples.md) page.
diff --git a/docs/docs/examples.md b/docs/docs/examples.md
@@ -37,6 +37,12 @@ services:
       - GOOGLE_CLIENT_ID=your-google-client-id
       - GOOGLE_CLIENT_SECRET=your-google-client-secret
       - GOOGLE_ALLOWED_USERS=user1@example.com,user2@example.com
+      - GOOGLE_ALLOWED_WORKSPACES=workspace1.com,workspace2.com
+      - GITHUB_CLIENT_ID=your-github-client-id
+      - GITHUB_CLIENT_SECRET=your-github-client-secret
+      - GITHUB_ALLOWED_USERS=username1,username2
+      - GITHUB_ALLOWED_ORGS=org1,org2:team1
+      - TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
     volumes:
       - ./data:/data
     command: ["npx", "-y", "@modelcontextprotocol/server-filesystem", "./"]
diff --git a/docs/docs/oauth-setup.md b/docs/docs/oauth-setup.md
@@ -30,6 +30,8 @@ Configure OAuth providers to enable secure authentication for your MCP server.
 
 ### 3. Configure MCP Auth Proxy
 
+#### Allow specific users:
+
 ```bash
 ./mcp-auth-proxy \
   --external-url https://{your-domain} \
@@ -40,6 +42,18 @@ Configure OAuth providers to enable secure authentication for your MCP server.
   -- your-mcp-command
 ```
 
+#### Allow entire Google Workspaces:
+
+```bash
+./mcp-auth-proxy \
+  --external-url https://{your-domain} \
+  --tls-accept-tos \
+  --google-client-id "your-google-client-id" \
+  --google-client-secret "your-google-client-secret" \
+  --google-allowed-workspaces "workspace1.com,workspace2.com" \
+  -- your-mcp-command
+```
+
 ## GitHub OAuth Setup
 
 ### 1. Register OAuth App
@@ -60,6 +74,7 @@ Configure OAuth providers to enable secure authentication for your MCP server.
   --github-client-id "your-github-client-id" \
   --github-client-secret "your-github-client-secret" \
   --github-allowed-users "username1,username2" \
+  --github-allowed-orgs "org1,org2:team1" \
   -- your-mcp-command
 ```
 
@@ -141,10 +156,12 @@ All OAuth settings can be configured using environment variables:
 export GOOGLE_CLIENT_ID="your-google-client-id"
 export GOOGLE_CLIENT_SECRET="your-google-client-secret"
 export GOOGLE_ALLOWED_USERS="user1@example.com,user2@example.com"
+export GOOGLE_ALLOWED_WORKSPACES="workspace1.com,workspace2.com"
 
 export GITHUB_CLIENT_ID="your-github-client-id"
 export GITHUB_CLIENT_SECRET="your-github-client-secret"
 export GITHUB_ALLOWED_USERS="username1,username2"
+export GITHUB_ALLOWED_ORGS="org1,org2:team1"
 
 export OIDC_CONFIGURATION_URL="https://provider.com/.well-known/openid-configuration"
 export OIDC_CLIENT_ID="your-oidc-client-id"
