
improve the token url elicitation demo by enabling authpolicies to be… #1064

Merged
david-martin merged 5 commits into Kuadrant:main from maleck13:oidc-policy-generate, Jun 26, 2026

Conversation

maleck13 (Contributor) commented May 29, 2026

This PR updates the demo users can do to use token url elicitation. It allows the host to be specified and generates the resources with that value.

Summary by CodeRabbit

  • Configuration & Improvements

    • Demo now supports configurable OIDC issuer, external URL, and client ID; policies are rendered from templates and applied at deploy time.
    • Demo script accepts flags for environment values and derives gateway URLs from the configured external URL.
  • Behavior & Security

    • Redirect handling tightened to mitigate open-redirects.
    • Cookie domain and Secure attribute are now configurable/conditional.
  • Chores

    • Added a utility to generate environment-specific AuthPolicy manifests.

coderabbitai (Bot) commented May 29, 2026


Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 26db9938-16e2-49a3-bafe-b00b78a9b53a

📥 Commits

Reviewing files that changed from the base of the PR and between 7010887 and 080db01.

📒 Files selected for processing (4)
  • demos/url-elicitation-github/authpolicy-callback.yaml
  • demos/url-elicitation-github/authpolicy-tokens.yaml
  • demos/url-elicitation-github/mcpserverregistration.yaml
  • scripts/generate-oidc-authpolicies.sh
✅ Files skipped from review due to trivial changes (1)
  • demos/url-elicitation-github/mcpserverregistration.yaml
🚧 Files skipped from review as they are similar to previous changes (3)
  • scripts/generate-oidc-authpolicies.sh
  • demos/url-elicitation-github/authpolicy-tokens.yaml
  • demos/url-elicitation-github/authpolicy-callback.yaml

📝 Walkthrough

This PR parameterizes the URL-elicitation demo: adds an OIDC callback AuthPolicy with OPA redirect/token-exchange logic, adds a template renderer script, replaces hardcoded issuer/domain values with template variables in existing AuthPolicies, updates mcpserverregistration to use templated token URL, and makes demo.sh render and apply the generated manifests.

Changes

OIDC Demo Parameterization

Layer / File(s) / Summary

AuthPolicy template generator
  File(s): scripts/generate-oidc-authpolicies.sh
  Summary: Adds a Bash renderer that substitutes {{ EXTERNAL_URL }}, {{ EXTERNAL_HOST }}, {{ REDIRECT_URI_ENCODED }}, {{ ISSUER_URL }}, {{ CLIENT_ID }} and {{ COOKIE_SECURE }} into template files and writes the rendered YAML to an output directory.

Parameterize Gateway and Tokens Policies
  File(s): demos/url-elicitation-github/authpolicy-gateway.yaml, demos/url-elicitation-github/authpolicy-tokens.yaml
  Summary: Replace hardcoded Keycloak/URL/domain values with template variables and convert unauthenticated headers to expression-based values that interpolate {{ EXTERNAL_URL }} and other template variables.

OIDC Callback AuthPolicy Implementation
  File(s): demos/url-elicitation-github/authpolicy-callback.yaml
  Summary: New mcp-tokens-oidc-callback policy: OPA default-deny and cookie parsing, safe relative-target checks, computed redirect locations, token-exchange POST when a code is present, and a 302 unauthorized response that sets the jwt cookie (domain from {{ EXTERNAL_HOST }}).

Demo Script: generation & deployment
  File(s): demos/url-elicitation-github/demo.sh
  Summary: Add --external-url, --issuer-url and --client-id flags; derive GATEWAY_URL from EXTERNAL_URL; invoke the generator to render AuthPolicies into a temp directory; apply mcpserverregistration.yaml via sed substitution; apply the generated AuthPolicies; update the OIDC well-known check and printed instructions.

Server Registration Token URL Parameterization
  File(s): demos/url-elicitation-github/mcpserverregistration.yaml
  Summary: spec.tokenURLElicitation.url changed to {{ EXTERNAL_URL }}/tokens.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

  • Kuadrant/mcp-gateway#931: Updates GitHub demo AuthPolicy configs including callback policy and token elicitation flow; closely related to these changes.

Suggested labels

review-effort/medium, high-risk

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

  • Docstring Coverage ⚠️ Warning. Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.
  • Title check ❓ Inconclusive. Explanation: The title is incomplete and partially covers the main change. It mentions improving the token URL elicitation demo and enabling authpolicies to be configurable, which matches the PR objective, but the title is cut off mid-sentence. Resolution: Complete the title to clearly state what authpolicies are being enabled to do (e.g., 'improve the token url elicitation demo by enabling authpolicies to be configurable via templates').

✅ Passed checks (3 passed)

  • Description Check ✅ Passed. Explanation: Check skipped - CodeRabbit's high-level summary is enabled.
  • Linked Issues check ✅ Passed. Explanation: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed. Explanation: Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot added review-effort/medium Medium review effort (3): few files, moderate logic high-risk Touches concurrency, auth, sessions, CRDs, ext_proc, or routing labels May 29, 2026

coderabbitai (Bot) left a comment

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@demos/url-elicitation-github/authpolicy-callback.yaml`:
- Around line 37-43: encoded_callback (computed in the rego snippet) is used as
the redirect_uri in the auth request (auth_url) but the token-exchange uses the
template variable {{ REDIRECT_URI_ENCODED }}, which can diverge and cause
redirect_uri mismatch; ensure both encodings are identical by replacing the
template var usage with the same rego-computed encoded_callback (or derive
REDIRECT_URI_ENCODED from the same base + "/auth/callback" encoding logic), so
the token exchange and auth request use the exact same encoded redirect URI
(symbols to locate: encoded_callback, auth_url, redirect_uri, {{
REDIRECT_URI_ENCODED }}, base).
- Around line 89-96: The jwt Set-Cookie in the unauthorized response includes
the Secure attribute which prevents browsers from storing the cookie when the
gateway uses http (default EXTERNAL_URL); change the headers.set-cookie
expression in the unauthorized block so the cookie omits Secure for non-HTTPS
origins (make Secure conditional based on EXTERNAL_URL/EXTERNAL_HOST or an
EXTERNAL_SCHEME env var) or remove Secure during local/dev, and apply the same
change to the target cookie in authpolicy-tokens.yaml (the target cookie at the
referenced line 28) so both cookies are only marked Secure when the gateway uses
https.
- Around line 46-67: When authenticated and has_target are true but target_safe
is false, location is left undefined; add a fallback rule to set location to a
safe path (e.g., concat("", [base, request.path]) or base + request.path) for
the case authenticated and has_target and not target_safe so the redirect always
has a Location header. Update the policy where location is defined (rules
referencing authenticated, has_target, target_safe, cookies.target, base,
auth_url) to include this fallback branch that uses request.path instead of the
unsafe cookies.target.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4c00ff7f-8465-4662-a14a-06e4bd990813

📥 Commits

Reviewing files that changed from the base of the PR and between 8139fc6 and e84fadd.

📒 Files selected for processing (6)
  • demos/url-elicitation-github/authpolicy-callback.yaml
  • demos/url-elicitation-github/authpolicy-gateway.yaml
  • demos/url-elicitation-github/authpolicy-tokens.yaml
  • demos/url-elicitation-github/callback-authpolicy.yaml
  • demos/url-elicitation-github/demo.sh
  • demos/url-elicitation-github/mcpserverregistration.yaml
💤 Files with no reviewable changes (1)
  • demos/url-elicitation-github/callback-authpolicy.yaml
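The third finding above (a redirect with no Location when the cookie's target is not safe) is easier to reason about with a runnable version of the check. The following is an added example written for this page, not code from the PR or the Kuadrant project: the same safe-relative-target rule and fallback, in POSIX shell rather than Rego so it can be run by hand. The function names `is_safe_target` and `resolve_location`, the sample hosts, and the exact set of rejected shapes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR or the Kuadrant project: post-login
# redirect resolution with a fallback so a Location header is always produced.
# Function names and the sample hosts below are assumptions.

CR=$(printf '\r')
NL=$(printf '\n.'); NL=${NL%.}

# A "safe relative target" is a single path on this origin: exactly one leading
# "/", no protocol-relative "//host", no "/\host", no backslash and no CR/LF
# (a CR/LF in the cookie value would otherwise end up inside a response header).
is_safe_target() {
  case "$1" in
    "")           return 1 ;;   # no target at all
    //*|"/\\"*)   return 1 ;;   # "//evil.example" or "/\evil.example"
    /*)           ;;            # candidate, checked further below
    *)            return 1 ;;   # absolute URL ("https://...") or bare word
  esac
  case "$1" in
    *\\*|*"$CR"*|*"$NL"*) return 1 ;;
  esac
  return 0
}

# Location for the 302: base + target when the target is safe, otherwise
# base + the request's own path, so the untrusted cookie value is never echoed
# and the response never lacks a Location header.
resolve_location() {
  base="$1"; target="$2"; request_path="$3"
  if is_safe_target "$target"; then
    printf '%s%s\n' "$base" "$target"
  else
    printf '%s%s\n' "$base" "$request_path"
  fi
}

# Stand-alone run with constructed inputs
resolve_location "http://gw.example:8080" "/tools" "/auth/callback"
resolve_location "http://gw.example:8080" "//evil.example/phish" "/auth/callback"
```

The second call falls back to `http://gw.example:8080/auth/callback` rather than following the protocol-relative target; an absolute `https://...` target, an empty target and a `/\host` target take the same fallback path.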

maleck13 added 4 commits June 3, 2026 08:56
… generated

Signed-off-by: craig <cbrookes@redhat.com>
Signed-off-by: craig <cbrookes@redhat.com>
Signed-off-by: craig <cbrookes@redhat.com>
Signed-off-by: craig <cbrookes@redhat.com>
@maleck13 maleck13 force-pushed the oidc-policy-generate branch from 0ab459e to 7010887 Compare June 3, 2026 08:35

coderabbitai (Bot) left a comment

Actionable comments posted: 4

♻️ Duplicate comments (1)
demos/url-elicitation-github/authpolicy-callback.yaml (1)

37-43: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Redirect URI encodings still diverge.

encoded_callback (line 38) only escapes :, /, =, while the token exchange uses {{ REDIRECT_URI_ENCODED }} (line 85) from jq `@uri`. If the rego auth_url path is taken, OIDC will reject the token exchange on a `redirect_uri` mismatch unless the two encodings are byte-identical.

Also applies to line 85.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@demos/url-elicitation-github/authpolicy-callback.yaml` around lines 37 - 43,
The redirect URI encoding in the Rego snippet is inconsistent: encoded_callback
(constructed via chained replace calls) will differ from the
REDIRECT_URI_ENCODED produced by jq `@uri`, causing token exchange failures;
update the Rego logic so both flows use the same encoded value — either accept
REDIRECT_URI_ENCODED into the policy and use it for auth_url, or replace the
chained replace logic in encoded_callback with a proper percent-encoding routine
that matches jq `@uri` (RFC3986-style) so auth_url and the token-exchange
REDIRECT_URI_ENCODED are byte-identical (modify identifiers encoded_callback and
auth_url accordingly, or reference REDIRECT_URI_ENCODED in the Rego template).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@demos/url-elicitation-github/authpolicy-callback.yaml`:
- Line 89: The YAML value for the url key (the line containing url: {{
ISSUER_URL }}/protocol/openid-connect/token) is being parsed as a flow mapping
because the scalar starts with '{'; fix it by quoting the templated URL value
(e.g., wrap the entire {{ ISSUER_URL }}/protocol/openid-connect/token in single
or double quotes) so YAML parsers and sed substitutions handle it correctly;
update the url entry where it appears in authpolicy-callback.yaml accordingly.

In `@demos/url-elicitation-github/authpolicy-tokens.yaml`:
- Line 16: The YAML emitter is treating the unquoted template as a flow mapping;
update the issuerUrl field to be a quoted scalar so the template renders and
lints correctly — change the issuerUrl entry that currently reads issuerUrl: {{
ISSUER_URL }} to use quotes around the templated value (issuerUrl: "{{
ISSUER_URL }}"), referencing the issuerUrl key and ISSUER_URL variable in the
fix.

In `@demos/url-elicitation-github/mcpserverregistration.yaml`:
- Line 16: The YAML line url: {{ EXTERNAL_URL }}/tokens is invalid as written;
wrap the templated URL in quotes (e.g., set url: "{{ EXTERNAL_URL }}/tokens") so
the file parses as valid YAML, and also ensure the MCPServerRegistration
manifest includes a credentialRef field referencing a Kubernetes Secret (the
credentialRef key in the resource) per the coding guideline.

In `@scripts/generate-oidc-authpolicies.sh`:
- Line 39: EXTERNAL_HOST assignment retains the port when the URL contains a
path because the sed substitutions strip the port only if it comes at the end;
change the sed sequence so the path is removed before stripping the port. Update
the EXTERNAL_HOST line (reference EXTERNAL_HOST and EXTERNAL_URL) to first
remove the scheme, then remove any path segment, then remove a trailing :port,
so domain={{ EXTERNAL_HOST }} receives a bare host without port or path.

---

Duplicate comments:
In `@demos/url-elicitation-github/authpolicy-callback.yaml`:
- Around line 37-43: The redirect URI encoding in the Rego snippet is
inconsistent: encoded_callback (constructed via chained replace calls) will
differ from the REDIRECT_URI_ENCODED produced by jq `@uri`, causing token exchange
failures; update the Rego logic so both flows use the same encoded value —
either accept REDIRECT_URI_ENCODED into the policy and use it for auth_url, or
replace the chained replace logic in encoded_callback with a proper
percent-encoding routine that matches jq `@uri` (RFC3986-style) so auth_url and
the token-exchange REDIRECT_URI_ENCODED are byte-identical (modify identifiers
encoded_callback and auth_url accordingly, or reference REDIRECT_URI_ENCODED in
the Rego template).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e093b63f-ccae-4c84-8f50-ec382d00cb32

📥 Commits

Reviewing files that changed from the base of the PR and between 0ab459e and 7010887.

📒 Files selected for processing (7)
  • demos/url-elicitation-github/authpolicy-callback.yaml
  • demos/url-elicitation-github/authpolicy-gateway.yaml
  • demos/url-elicitation-github/authpolicy-tokens.yaml
  • demos/url-elicitation-github/callback-authpolicy.yaml
  • demos/url-elicitation-github/demo.sh
  • demos/url-elicitation-github/mcpserverregistration.yaml
  • scripts/generate-oidc-authpolicies.sh
💤 Files with no reviewable changes (1)
  • demos/url-elicitation-github/callback-authpolicy.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • demos/url-elicitation-github/authpolicy-gateway.yaml
  • demos/url-elicitation-github/demo.sh
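Three of the findings in the two reviews above are about values the generator derives before substituting them into the templates: the redirect URI must be percent-encoded identically for the authorize request and the token exchange, the cookie must only carry `Secure` when the gateway is reached over https, and `EXTERNAL_HOST` must drop the path before the port so `domain=` gets a bare host. The block below is an added example for this page, not the project's `scripts/generate-oidc-authpolicies.sh`: POSIX shell functions a generator could call, plus a sed render over a constructed template fragment whose templated scalars are quoted, as the YAML findings ask. `external_host`, `cookie_secure`, `urlencode`, `render`, the sample URLs and the template fragment are assumptions; `urlencode` encodes every byte outside the RFC 3986 unreserved set (A-Z a-z 0-9 - _ . ~), which is the set the review describes jq `@uri` as matching, and it assumes ASCII input.

```shell
#!/bin/sh
# Added example, not the Kuadrant generate-oidc-authpolicies.sh: derivations the
# review comments ask for, each in a function so it can be checked on its own.
# Function names, sample URLs and the template fragment are assumptions.

# Bare host for the cookie "domain=" attribute: strip the scheme, then any path,
# then a trailing :port. Order matters: "http://gw.example:8080/mcp" must not
# keep ":8080", which happens if the port is stripped only at end of string.
external_host() {
  h="${1#*://}"      # drop scheme
  h="${h%%/*}"       # drop path (everything from the first "/")
  h="${h%%:*}"       # drop :port
  printf '%s\n' "$h"
}

# Only mark cookies Secure when the gateway is reached over https; a cookie
# with Secure set over plain http is not stored by browsers at all.
cookie_secure() {
  case "$1" in
    https://*) printf '%s\n' 'true' ;;
    *)         printf '%s\n' 'false' ;;
  esac
}

# RFC 3986 percent-encoding: every byte except A-Z a-z 0-9 - _ . ~ becomes %XX.
# The same function must produce redirect_uri for both the authorize request
# and the token exchange so the OIDC provider sees byte-identical values.
# Assumes ASCII input (URLs here are ASCII).
urlencode() {
  s="$1"; out=""
  while [ -n "$s" ]; do
    c="${s%"${s#?}"}"      # first character
    s="${s#?}"
    case "$c" in
      [A-Za-z0-9.~_-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
  done
  printf '%s\n' "$out"
}

# Substitute placeholders into a template read on stdin. "|" is the sed
# delimiter because the values contain "/"; values containing "|" or "&"
# would need escaping first. Templated scalars are quoted in the template so
# the YAML parses both before and after rendering (a bare {{ ... }} is read
# as a flow mapping).
render() {
  url="$1"; issuer="$2"
  sed -e "s|{{ EXTERNAL_URL }}|$url|g" \
      -e "s|{{ EXTERNAL_HOST }}|$(external_host "$url")|g" \
      -e "s|{{ ISSUER_URL }}|$issuer|g" \
      -e "s|{{ COOKIE_SECURE }}|$(cookie_secure "$url")|g" \
      -e "s|{{ REDIRECT_URI_ENCODED }}|$(urlencode "$url/auth/callback")|g"
}

# Constructed template fragment for illustration, not the project's manifest.
TEMPLATE='url: "{{ EXTERNAL_URL }}/tokens"
issuerUrl: "{{ ISSUER_URL }}"
domain={{ EXTERNAL_HOST }}
secure={{ COOKIE_SECURE }}
redirect_uri={{ REDIRECT_URI_ENCODED }}'

render_demo() { printf '%s\n' "$TEMPLATE" | render "$1" "$2"; }

# Stand-alone run with constructed values
render_demo "http://gw.example:8080" "http://kc.example/realms/demo"
```

With the constructed inputs the rendered fragment carries `domain=gw.example`, `secure=false` and `redirect_uri=http%3A%2F%2Fgw.example%3A8080%2Fauth%2Fcallback`; the Rego side of the policy would have to use the same encoded string, rather than a chain of replace calls, for the token exchange to succeed.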

Signed-off-by: craig <cbrookes@redhat.com>
@david-martin david-martin self-requested a review June 26, 2026 14:24
david-martin (Member) commented:

👀

david-martin (Member) left a comment:

Verified the script changes locally.

@david-martin david-martin merged commit 2fce84d into Kuadrant:main Jun 26, 2026
12 of 13 checks passed