fix(auth): add jwks_uri column to SSOProvider and harden create_provider#3026

Merged
crivetimihai merged 3 commits into main from sso-providers-kwks_uri-issue
Feb 18, 2026
@crivetimihai
Member

Summary

  • Add jwks_uri as a first-class optional column on SSOProvider model with Alembic migration, resolving the TypeError: 'jwks_uri' is an invalid keyword argument for SSOProvider crash during SSO bootstrap with Keycloak
  • Make SSOService.create_provider() defensive by filtering provider data to valid column names, preventing any unknown key from crashing the bootstrap
  • Add sso_generic_jwks_uri config setting and update router schemas (SSOProviderCreateRequest, SSOProviderUpdateRequest, SSOProviderResponse) to support jwks_uri

Closes #3010

Test plan

  • 7 new unit tests covering SSOProvider accepting jwks_uri, create_provider handling unknown keys, and generic OIDC jwks_uri support
  • Updated 3 existing tests to include jwks_uri in mock fixtures
  • Full unit test suite passes (11,954 passed, 0 failed)
  • Code formatted with autoflake/isort/black
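
The crash and the key filtering described in the summary above, as an added example that is not the project's code: `LegacySSOProvider`, `SSOProvider`, `COLUMNS`, `create_provider(model, data)` and the `KEYCLOAK` payload are stand-ins constructed here, with a constructor that rejects unknown keyword arguments the way the reported error does. It also shows why filtering alone is not enough: against the old schema the filter silently discards `jwks_uri`, so dropped key names are returned and logged.

```python
import logging

log = logging.getLogger("sso_bootstrap_example")


class LegacySSOProvider:
    """Stand-in model without jwks_uri; rejects unknown kwargs like the reported crash."""
    COLUMNS = ("id", "name", "issuer")  # constructed column list

    def __init__(self, **kwargs):
        for key in kwargs:
            if key not in self.COLUMNS:
                raise TypeError(f"{key!r} is an invalid keyword argument for {type(self).__name__}")
        for col in self.COLUMNS:
            setattr(self, col, kwargs.get(col))


class SSOProvider(LegacySSOProvider):
    """Stand-in model after the fix: jwks_uri is a real column."""
    COLUMNS = LegacySSOProvider.COLUMNS + ("jwks_uri",)


def create_provider(model, data):
    """Build model from data, dropping non-column keys; returns (provider, dropped_keys)."""
    valid = set(model.COLUMNS)
    dropped = sorted(k for k in data if k not in valid)
    if dropped:
        # Log key names only; the values may be secrets.
        log.warning("ignoring unknown provider keys: %s", dropped)
    return model(**{k: v for k, v in data.items() if k in valid}), dropped


# Constructed bootstrap payload for a Keycloak-style provider.
KEYCLOAK = {
    "id": "keycloak",
    "name": "Keycloak",
    "issuer": "https://idp.example.test/realms/demo",
    "jwks_uri": "https://idp.example.test/realms/demo/protocol/openid-connect/certs",
    "end_session_endpoint": "https://idp.example.test/realms/demo/logout",
}


def unfiltered_error(model, data):
    """Return the TypeError message raised by passing data straight to the model."""
    try:
        model(**data)
    except TypeError as exc:
        return str(exc)
    return None
```
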

Add jwks_uri as a first-class column on SSOProvider for standard OIDC
JWKS endpoint support. Make create_provider defensive by filtering
unknown keys to prevent TypeError crashes during SSO bootstrap.

Closes #3010

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the sso-providers-kwks_uri-issue branch from 3ef8fe6 to 0d90fd4 Compare February 18, 2026 08:08
@crivetimihai crivetimihai added this to the Release 1.0.0-RC1 milestone Feb 18, 2026
… setting

Update _schema_looks_current() to check for sso_providers.jwks_uri,
preventing unversioned databases from being stamped at head without
the new column. Add SSO_GENERIC_JWKS_URI to .env.example.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
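
A column-presence check of the kind this commit message describes, as an added example that is not the project's `_schema_looks_current()`: it assumes SQLite, and `REQUIRED_COLUMNS`, `missing_columns`, `schema_looks_current` and `make_unversioned_db` are names constructed here. An unversioned database that lacks `sso_providers.jwks_uri` is reported as not current, so it would not be stamped at head.

```python
import sqlite3

# Constructed subset of required columns; the page names only sso_providers.jwks_uri.
REQUIRED_COLUMNS = {"sso_providers": {"id", "name", "jwks_uri"}}


def table_columns(conn, table):
    """Column names of table, or an empty set if the table does not exist."""
    # PRAGMA takes no bound parameters; table names come from REQUIRED_COLUMNS only.
    return {row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')}


def missing_columns(conn, required=REQUIRED_COLUMNS):
    """Map each table to the sorted required columns it lacks."""
    gaps = {}
    for table, cols in required.items():
        absent = cols - table_columns(conn, table)
        if absent:
            gaps[table] = sorted(absent)
    return gaps


def schema_looks_current(conn):
    """True only when no required column is missing."""
    return not missing_columns(conn)


def make_unversioned_db():
    """Constructed pre-change database: sso_providers exists, jwks_uri does not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sso_providers (id TEXT PRIMARY KEY, name TEXT)")
    return conn


if __name__ == "__main__":
    db = make_unversioned_db()
    print(schema_looks_current(db), missing_columns(db))
    db.execute("ALTER TABLE sso_providers ADD COLUMN jwks_uri TEXT")
    print(schema_looks_current(db), missing_columns(db))
```
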
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai merged commit fafd219 into main Feb 18, 2026
55 checks passed
@crivetimihai crivetimihai deleted the sso-providers-kwks_uri-issue branch February 18, 2026 10:27
KKNithin pushed a commit to KKNithin/mcp-context-forge that referenced this pull request Feb 19, 2026
…der (IBM#3026)

* fix(auth): add jwks_uri column to SSOProvider and harden create_provider

Add jwks_uri as a first-class column on SSOProvider for standard OIDC
JWKS endpoint support. Make create_provider defensive by filtering
unknown keys to prevent TypeError crashes during SSO bootstrap.

Closes IBM#3010

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(auth): include jwks_uri in bootstrap_db schema check and document setting

Update _schema_looks_current() to check for sso_providers.jwks_uri,
preventing unversioned databases from being stamped at head without
the new column. Add SSO_GENERIC_JWKS_URI to .env.example.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* lint

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Nithin Katta <Nithin.Katta@ibm.com>
crivetimihai added a commit that referenced this pull request Feb 24, 2026
…der (#3026)
cafalchio pushed a commit that referenced this pull request Feb 26, 2026
…der (#3026)
Development

Successfully merging this pull request may close these issues.

[BUG]: Failed to bootstrap SSO providers: 'jwks_uri' is an invalid keyword argument for SSOProvider