[FEATURE][AUTH]: OAuth 2.0 authentication for MCP clients with browser-based SSO

[AmshegaR]

I want MCP clients (like Claude Code) to authenticate to Context Forge Virtual Servers using OAuth 2.0 with browser-based IDP SSO, instead of pre-generated JWT bearer tokens.

I've reviewed the docs on [OAuth 2.0 Integration](https://ibm.github.io/mcp-context-forge/manage/oauth), [SSO](https://ibm.github.io/mcp-context-forge/manage/sso), and [DCR](https://ibm.github.io/mcp-context-forge/manage/dcr), but couldn't figure out how to configure this.
The OAuth docs cover gateway-to-backend auth, and SSO appears to be for Admin UI only.

Claude Code → Context Forge (401 + discovery) → Browser → IDP → Token → Context Forge

Per the [MCP Authorization spec](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization), this requires RFC 9728 Protected Resource Metadata (/.well-known/oauth-protected-resource).

Is this currently possible? If so, how?

[jonpspri]

Thank you for the detailed question and for referencing the relevant specs.

Short answer: This is not currently supported. MCP clients accessing Virtual Servers must authenticate using pre-generated JWT tokens, Basic Auth, or session cookies—there is no browser-based OAuth flow for MCP client authentication to the gateway itself.

Current State

Context Forge has two OAuth-related capabilities, but neither addresses your use case:

1. Gateway-to-Upstream OAuth — When Context Forge connects to upstream MCP servers that require OAuth, it supports Authorization Code, Client Credentials, and PKCE flows. This is documented in the OAuth 2.0 Integration docs you reviewed.

2. Admin UI SSO — OIDC/OAuth2 providers (GitHub, Google, Okta, Keycloak, etc.) can authenticate users to the Admin UI. This is the SSO feature—but it's scoped to the web UI, not MCP protocol clients.

What's Missing for Your Use Case

To support the MCP Authorization spec flow you described:

MCP Client → Gateway (401 + discovery) → Browser → IDP → Token → Gateway

We will need to implement:

• /.well-known/oauth-protected-resource (RFC 9728 Protected Resource Metadata)
• 401 responses with WWW-Authenticate headers containing authorization server discovery info
• Client-facing OAuth authorization/token endpoints (separate from gateway-to-server OAuth)

Current Workaround

For now, you can:

1. Generate a JWT token using python -m mcpgateway.utils.create_jwt_token
2. Configure your MCP client to include the token in the Authorization: Bearer header

Next Steps

We're converting this to a feature request and targeting it for 1.0.0-BETA2. Implementation would involve adding RFC 9728 support to enable MCP Authorization spec compliance for client authentication. Our current target date for 1.0.0-BETA2 is 20 January. Watch this issue if you want to catch the feature when it's available in the main branch.

[jonpspri]

@AmshegaR Please take a look at #2029 to see if it works for you. We've unit tested but not performed full integration tests.