Document vMCP embedded auth server and upstream token injection#643
Document vMCP embedded auth server and upstream token injection#643
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Pull request overview
Updates ToolHive documentation to describe vMCP’s embedded authorization server capabilities (including multi-upstream flows) and how upstream tokens can be forwarded/exchanged for backend authentication, plus adds a Redis Sentinel session storage guide.
Changes:
- Document vMCP “upstream token injection” (
upstreamInject) and token exchange with upstream subject tokens (subjectProviderName). - Add embedded authorization server documentation for vMCP (flow, differences vs MCPServer, config examples, and end-to-end walkthrough).
- Add a new Redis Sentinel session storage tutorial and cross-link it from related docs/sidebars.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| sidebars.ts | Adds the new Redis session storage guide to the K8s guides sidebar. |
| docs/toolhive/guides-vmcp/authentication.mdx | Main vMCP auth guide expansion: upstream injection, upstream-subject token exchange, and embedded auth server docs. |
| docs/toolhive/guides-k8s/redis-session-storage.mdx | New end-to-end tutorial for Redis Sentinel-backed session storage. |
| docs/toolhive/guides-k8s/auth-k8s.mdx | Adds a “Configure session storage” section and links to the new Redis guide. |
| docs/toolhive/concepts/vmcp.mdx | Mentions embedded auth server support and fixes benefit count wording. |
| docs/toolhive/concepts/backend-auth.mdx | Updates statements about upstream provider limits and adds cross-references to vMCP docs + session storage docs. |
Add a new how-to guide at docs/toolhive/guides-k8s/redis-session-storage.mdx that walks through deploying Redis Sentinel as the session storage backend for the embedded authorization server. The guide uses self-contained Kubernetes manifests instead of the Bitnami Helm chart, which Broadcom moved behind a paid subscription in August 2025. No maintained, freely available Helm chart with Sentinel support exists as a replacement, so the manifests are provided inline. Also adds TLS configuration documentation for Redis connections (both master and Sentinel), updates the auth-k8s guide's session storage snippet for consistency, and resolves a merge conflict in backend-auth.mdx. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Replace <REDIS_ACL_PASSWORD> with YOUR_REDIS_ACL_PASSWORD (no angle brackets) to avoid confusing ><PLACEHOLDER> syntax in Redis ACL entries. Remove unused vercel.json redirect since the page was never published at the old integrations/ path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Closes #642 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- ephemeral key warning - snippet showing how to override the authorization endpoint URL when the browser-facing endpoint is on a different host - tokenResponseMapping tip
- missing `type: external_auth_config_ref` for backend auth config - note about requiring `jwksAllowPrivateIP` for cluster-internal addresses only - note about redis replicas and failover
tgrunnagle
force-pushed
the
vmcp-authserver
branch
from
02c0ff1 to
e3889e6
Compare
jerm-dro
left a comment
jerm-dro
left a comment
There was a problem hiding this comment.
Rendering looks good from a quick check. Two minor suggestions inline.
| ## Core value propositions | ||
|
|
||
| vMCP delivers four key benefits: | ||
| vMCP delivers five key benefits: |
There was a problem hiding this comment.
suggestion: The paragraph added below elaborates on benefit #2 (authentication boundary separation) rather than introducing a distinct fifth benefit. The original four — reduce complexity, simplify auth, secure by default, unified management — are still the four listed. Consider reverting this to "four key benefits" or restructuring the list if the embedded auth server really is a separate value prop.
There was a problem hiding this comment.
This seems to be a fix since there were already five benefits listed
| externalAuthConfigRef: | ||
| name: exchange-okta | ||
| ``` | ||
|
|
There was a problem hiding this comment.
suggestion: With stacklok/toolhive#4526 (merged), the embedded auth server resolves JWKS keys in-process — so jwksAllowPrivateIP: true is no longer necessary when the issuer is the embedded auth server itself. Worth adding a note here that this flag is only needed when the OIDC issuer is an external provider resolving to a private IP, and can be omitted when using the embedded auth server's own issuer.
- note about `jwksAllowPrivateIP: true`
Summary
upstream_injectoutgoing auth strategy (vMCP-only)subjectProviderNameon token exchange for hybrid deploymentsCloses #642
Changes
docs/toolhive/guides-vmcp/authentication.mdx(main work):upstreamInjectoutgoing auth strategy)subjectProviderName)docs/toolhive/concepts/vmcp.mdx:docs/toolhive/concepts/backend-auth.mdx:docs/toolhive/guides-k8s/auth-k8s.mdx:Test plan
npm run buildpasses🤖 Generated with Claude Code