Support for OAuth 2.0

[giacomobartoli]

Hi,
My clients has already in place an apigateway that mediates all the interaction with their backend system.
Supposing this component evolves and adopt mcp-context-forge, so that agents can interact with their backend, how is handled the authentication part using OAuth 2.0?

The flow is the following
client --> present client_id, secret to the IdP
IdP --> checks the data and returns a JWT
client --> send a request with the given JWT into the header to the apigateway that validates the request

[crivetimihai]

Hi, this is detailed in our roadmap: https://ibm.github.io/mcp-context-forge/architecture/roadmap/ with features to support end-to-end OAuth 2.1 part of 0.5.0, 0.6.0, and 0.7.0 - though it will likely take another release or two to fully mature. Feel free to comment on the proposed implementation described in the various tickets:

Release 0.5.0 (Due: August 5, 2025)

Enterprise Authentication Features:

• #220 - Authentication & Authorization - SSO + Identity-Provider Integration
• #277 - Authentication & Authorization - GitHub SSO Integration Tutorial (Depends on [AUTH FEATURE]: Authentication & Authorization - SSO + Identity-Provider Integration #220)
• #278 - Authentication & Authorization - Google SSO Integration Tutorial (Depends on [AUTH FEATURE]: Authentication & Authorization - SSO + Identity-Provider Integration #220)
• #284 - LDAP / Active-Directory Integration
• #87 - Epic: JWT Token Catalog with Per-User Expiry and Revocation

Release 0.6.0 (Due: August 19, 2025)

API Authentication:

• #282 - Per-Virtual-Server API Keys with Scoped Access
• #208 - HTTP Header Passthrough (Critical for passing auth tokens/headers)

Release 0.7.0 (Due: September 2, 2025)

Access Control:

• #283 - Role-Based Access Control (RBAC) - User/Team/Global Scopes for full multi-tenancy support