Auth on NOCFoundry Docshttps://docs.nocfoundry.dev/dev/auth/Recent content in Auth on NOCFoundry DocsHugoenOIDC Endpoint Authhttps://docs.nocfoundry.dev/dev/auth/oidc-endpoint-auth/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/auth/oidc-endpoint-auth/<h1 id="oidc-endpoint-auth">OIDC Endpoint Auth</h1> <p>NOCFoundry can protect the HTTP surfaces themselves, not just individual tool calls.</p> <h2 id="protected-surfaces">Protected surfaces</h2> <ul> <li><code>/api</code></li> <li><code>/mcp</code></li> </ul> <p>These surfaces are configured separately in <code>--server-config</code> and can require different audiences.</p> <h2 id="auth-service-model">Auth service model</h2> <ul> <li>OIDC providers are defined as <code>authServices</code> in tool catalog files</li> <li>the server config references those services by name</li> <li>only auth services selected by server policy can satisfy a protected surface</li> </ul> <h2 id="metadata-and-rfc-9728">Metadata and RFC 9728</h2> <p>NOCFoundry serves protected resource metadata for:</p>UI Login with Keycloakhttps://docs.nocfoundry.dev/dev/auth/ui-login-keycloak/Mon, 01 Jan 0001 00:00:00 +0000https://docs.nocfoundry.dev/dev/auth/ui-login-keycloak/<h1 id="ui-login-with-keycloak">UI Login with Keycloak</h1> <p>NOCFoundry’s browser UI acts as an OIDC public client and uses Authorization Code + PKCE to access the protected <code>/api</code> surface.</p> <h2 id="local-demo-flow">Local demo flow</h2> <ol> <li>Start Keycloak:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">docker compose -f examples/keycloak/docker-compose.keycloak.yaml up -d </span></span></code></pre></div><ol start="2"> <li>Bootstrap the demo realm and clients:</li> </ol> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">./examples/keycloak/keycloak-setup.sh </span></span></code></pre></div><ol start="3"> <li>Start NOCFoundry with:</li> </ol> <ul> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/tools-configs/keycloak-protected-validation.yaml"><code>examples/tools-configs/keycloak-protected-validation.yaml</code></a></li> <li><a href="https://github.com/adrien19/noc-foundry/blob/main/examples/server-configs/protected-api-mcp-ui.yaml"><code>examples/server-configs/protected-api-mcp-ui.yaml</code></a></li> </ul> <h2 id="important-client-details">Important client details</h2> <p>The setup script creates:</p> <ul> <li><code>noc-foundry</code> for the resource-side auth service</li> <li><code>noc-foundry-ui</code> for the browser PKCE client</li> </ul> <p>The UI client must:</p>