Dear all, I am currently trying to set up OIDC for an MCP server to access datasets in draft state. I am currently using the development compose, which includes Keycloak as IdP. The auth flow through the browser and retrieval of the bearer token works fine. However, once I am trying to use the bearer token in a request header it says it is an unauthorized bearer token.
Is the bearer token returned to a user by Keycloak generally usable by other resources, or am I missing something? I sense that I may have different expectations of how it works and would be happy about advice. Here is the setup and outputs:
FastMCP OIDC Setup
from fastmcp.server.auth.oidc_proxy import OIDCProxy  # import path per FastMCP docs; adjust if your version differs

auth = OIDCProxy(
    # Discovery document of the Keycloak realm from the development compose
    config_url="http://localhost:8090/realms/test/.well-known/openid-configuration",
    client_id="test",
    client_secret="<SECRET>",
    # Public base URL of this MCP server; redirect_path is appended to it
    base_url="http://localhost:8000",
    redirect_path="/mcp/auth/callback",
)
Bearer Token Auth
from typing import Generator

from httpx import Auth, Request, Response

class McpOIDCAuth(Auth):
    """An authentication handler to add an OIDC token as the Authorization header."""

    def auth_flow(self, request: Request) -> Generator[Request, Response, None]:
        """Adds the Authorization header with the OIDC token and yields the original :class:`httpx.Request`."""
        try:
            from fastmcp.server.dependencies import get_http_headers

            # Headers of the MCP request currently being served (includes the
            # client's "authorization: Bearer ..." header); only available when
            # running inside a FastMCP request context.
            headers = get_http_headers()
        except ImportError:
            headers = {}
        # Forward the client's bearer token to the upstream (Dataverse) request
        request.headers.update(headers)
        yield request
# The header that is provided by the client (e.g. Cursor)
{'authorization': 'Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOi [...]
Recognized MCP Tools (Auth working here)
Error message when sending Bearer
Hmm, @Johannes D might know.
Here is the decoded JWT as well:
{
"exp": 1760444360,
"iat": 1760444060,
"auth_time": 1760442552,
"jti": "onrtac:0b13ddb4-a96b-65a9-883d-0e8e1e0a2645",
"iss": "http://localhost:8090/realms/test",
"aud": "account",
"sub": "e5531496-cfb8-498c-a902-50c98d649e79",
"typ": "Bearer",
"azp": "test",
"sid": "42d4dd12-6a8d-44a5-b9be-f3a231f9aa44",
"acr": "0",
"realm_access": {
"roles": [
"default-roles-test",
"offline_access",
"uma_authorization"
]
},
"resource_access": {
"account": {
"roles": [
"manage-account",
"manage-account-links",
"view-profile"
]
}
},
"scope": "profile email",
"email_verified": true,
"name": "Dataverse Curator",
"preferred_username": "curator",
"given_name": "Dataverse",
"family_name": "Curator",
"email": "dataverse-curator@mailinator.com"
}
Does your bearer token work with this /api/users/:me test? https://guides.dataverse.org/en/6.8/api/auth.html#bearer-tokens
No, does not work. Looking at the decoded token I suspect that this might be due to the "localhost" and Dataverse checks for the aliased reference to Keycloak à la "https://keycloack:8090" instead of "https://localhost:8090". Could this be the case?
Maybe?
:thinking:
Well, the actual problem is the human in front of the machine :smile: I have provided an alias on my system for keycloak to have everything in sync, but I haven't passed that one to the OIDC Proxy. No wonder it is not working ...
Working now!
Working now? Great!
Yes, it is working now :raised_hands:
Jan Range has marked this topic as resolved.
Last updated: Nov 01 2025 at 14:11 UTC