feat(ai-gateway): How-to for validating MCP tokens locally with JWK verification #4839
tomek-labuk wants to merge 8 commits into main from
Pull request overview
Adds a new MCP how-to guide for validating MCP access tokens locally via JWKS (JWK Set) verification with the AI MCP OAuth2 plugin, using Keycloak as the example authorization server.
Changes:
- Introduces a new how-to page detailing JWKS-based token validation and a local Keycloak setup workflow.
- Adds new Gateway `service` and `route` entity example YAMLs used by the how-to’s `{% entity_examples %}` blocks.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| app/_how-tos/mcp/validate-mcp-tokens-with-jwk.md | New how-to describing JWKS-based local JWT validation for MCP using AI MCP OAuth2 + AI MCP Proxy, including validation steps. |
| app/_data/entity_examples/gateway/services/weather-jwk-service.yaml | Adds the upstream WeatherAPI service used by the new how-to. |
| app/_data/entity_examples/gateway/routes/weather-jwk.yaml | Adds the MCP listener route (including the protected-resource metadata path) used by the new how-to. |
| app/_data/entity_examples/gateway/routes/weather-jwk-route.yaml | Adds the conversion-only tools route used by the new how-to. |
| --- | ||
| title: Validate MCP tokens locally with JWK verification | ||
| content_type: how_to | ||
| description: "Configure the AI MCP OAuth2 plugin to validate MCP access tokens locally using the authorization server's published JWK Set instead of token introspection" |
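Review bot: The `description` line frames local JWK Set validation as a replacement for token introspection ("instead of token introspection") without signalling the trade-off that comes with it. Suggest the guide state near the top that a token verified locally against the published keys is accepted until it expires, even if the authorization server has since revoked it, which an introspection call would have caught. Readers choosing this mode should be told to keep access token lifetimes short.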
The linked issue’s DoD calls out adding a reference to this new JWK-validation guide on the MCP landing page, but this PR only adds the how-to and entity examples; please add/update the MCP landing page entry so the new guide is discoverable.
It's okay for now.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| works_on: | ||
| - on-prem | ||
| - konnect | ||
| min_version: | ||
| gateway: '3.14' | ||
| plugins: | ||
| - ai-mcp-oauth2 | ||
| - ai-mcp-proxy | ||
| entities: |
This how-to will be picked up by the automated how-to test runner (products include gateway/ai-gateway) but it depends on an external Keycloak container and manual setup steps, so it should either add an automated prereq that starts/configures Keycloak or set automated_tests: false in frontmatter to avoid CI failures.
Description
Fixes #4820
Preview Links
Checklist
`description` entry in frontmatter.