Initial commit

skills/mxcp-expert/assets/project-templates/keycloak/README.md

@@ -0,0 +1,76 @@
+# Keycloak Authentication Example
+
+This example demonstrates how to configure MXCP with Keycloak authentication.
+
+## Prerequisites
+
+1. A running Keycloak server (see quick start below)
+2. MXCP installed (`pip install mxcp`)
+
+## Quick Start with Docker
+
+Run Keycloak using Docker:
+
+```bash
+docker run -p 8080:8080 \
+  -e KC_BOOTSTRAP_ADMIN_USERNAME=admin \
+  -e KC_BOOTSTRAP_ADMIN_PASSWORD=admin \
+  quay.io/keycloak/keycloak:latest start-dev
+```
+
+## Keycloak Setup
+
+1. Access the admin console at http://localhost:8080/admin
+2. Login with username: `admin`, password: `admin`
+3. Create a new realm (or use the default `master` realm)
+4. Create a new client:
+   - Client ID: `mxcp-demo`
+   - Client authentication: ON
+   - Valid redirect URIs: `http://localhost:8000/*`
+5. Copy the client secret from the Credentials tab
+
+## Configuration
+
+Set environment variables:
+
+```bash
+export KEYCLOAK_CLIENT_ID="mxcp-demo"
+export KEYCLOAK_CLIENT_SECRET="your-client-secret"
+export KEYCLOAK_REALM="master"  # or your custom realm
+export KEYCLOAK_SERVER_URL="http://localhost:8080"
+```
+
+## Running the Example
+
+1. Start the MXCP server:
+   ```bash
+   cd examples/keycloak
+   mxcp serve --debug
+   ```
+
+2. In another terminal, connect with the MCP client:
+   ```bash
+   mcp connect http://localhost:8000
+   ```
+
+3. You'll be redirected to Keycloak for authentication
+
+## Testing Tools
+
+Once authenticated, try running these example tools:
+
+```bash
+# Get current user info
+mcp run tool get_user_info
+
+# Query data with user context
+mcp run resource user_data
+```
+
+## Production Considerations
+
+- Use HTTPS for all URLs in production
+- Configure proper redirect URIs
+- Set up appropriate Keycloak realm roles and permissions
+- Enable refresh token rotation
+- Configure session timeouts 

skills/mxcp-expert/assets/project-templates/keycloak/config.yml

@@ -0,0 +1,26 @@
+mxcp: 1
+projects:
+  keycloak-demo:
+    profiles:
+      dev:
+        secrets:
+          - name: keycloak_creds
+            type: oauth
+            parameters:
+              provider: keycloak
+        auth:
+          provider: keycloak
+          keycloak:
+            client_id: "${KEYCLOAK_CLIENT_ID}"
+            client_secret: "${KEYCLOAK_CLIENT_SECRET}"
+            realm: "${KEYCLOAK_REALM}"
+            server_url: "${KEYCLOAK_SERVER_URL}"
+            scope: "openid profile email"
+            callback_path: "/keycloak/callback"
+          clients:
+            - client_id: "mcp-cli"
+              name: "MCP CLI Client"
+              redirect_uris:
+                - "http://127.0.0.1:49153/oauth/callback"
+              scopes:
+                - "mxcp:access" 

skills/mxcp-expert/assets/project-templates/keycloak/mxcp-site.yml

@@ -0,0 +1,5 @@
+mxcp: 1
+project: keycloak-demo
+profile: dev
+secrets:
+  - keycloak_creds 

skills/mxcp-expert/assets/project-templates/keycloak/tools/get_user_info.yml

@@ -0,0 +1,23 @@
+mxcp: 1
+tool:
+  name: get_user_info
+  description: "Get information about the authenticated user"
+  parameters: []
+  return:
+    type: object
+    properties:
+      username:
+        type: string
+        description: "Username of the authenticated user"
+      email:
+        type: string
+        description: "Email of the authenticated user"
+      provider:
+        type: string
+        description: "Authentication provider used"
+  source:
+    code: |
+      SELECT 
+        get_username() as username,
+        get_user_email() as email,
+        get_user_provider() as provider