content: Add Descope under Integrations / Authentication & identity#619
Conversation
3174bb6 to
9685937
Compare
| policies: | ||
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: https://api.descope.com/<YOUR_PROJECT_ID> |
There was a problem hiding this comment.
The issuer would be the MCP server Issuer and not this format right?
There was a problem hiding this comment.
Yep, good catch!
| exposeHeaders: ["Mcp-Session-Id"] | ||
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: https://api.descope.com/<YOUR_PROJECT_ID> |
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: https://api.descope.com/<YOUR_PROJECT_ID> | ||
| audiences: [<YOUR_AUDIENCE>] |
There was a problem hiding this comment.
This should be the audience of the resource correct?
|
|
||
| 3. Create an application or flow that issues access tokens with the appropriate audience and scopes for your use case. | ||
|
|
||
| 4. For machine-to-machine access, create an access key under **Access Keys** in the console. |
There was a problem hiding this comment.
We should use Inbound Apps or Clients, as opposed to using Access Keys here.
|
|
||
| ```bash | ||
| curl -X POST \ | ||
| https://<your-descope-base-url>/oauth2/v1/apps/token/oauth2/v1/apps/token \ |
There was a problem hiding this comment.
This is a duplicated URL, it should be https://<your-descope-base-url>/oauth2/v1/apps/token
| -d "grant_type=client_credentials" \ | ||
| -d "client_id=YOUR_CLIENT_ID" \ | ||
| -d "client_secret=YOUR_CLIENT_SECRET" \ | ||
| -d "scope=..." |
There was a problem hiding this comment.
You can also include audience here as well (which should be the audience of the MCP resource you're connecting to)
| exposeHeaders: ["Mcp-Session-Id"] | ||
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: https://api.descope.com/<YOUR_PROJECT_ID> |
| jwks: | ||
| url: https://api.descope.com/<YOUR_PROJECT_ID>/.well-known/jwks.json | ||
| resourceMetadata: | ||
| resource: http://localhost:3000/mcp |
There was a problem hiding this comment.
Shouldn't this be the MCP server URL, not always localhost:3000/mcp?
|
|
||
| 3. Create an application or flow that issues access tokens with the appropriate audience and scopes for your use case. | ||
|
|
||
| 4. For machine-to-machine access, create an access key under **Access Keys** in the console. |
There was a problem hiding this comment.
You should link to docs on these various features as well.
There was a problem hiding this comment.
You should also mention the plugin as well.
There was a problem hiding this comment.
Add Descope as a reference here: https://agentgateway.dev/docs/standalone/latest/mcp/mcp-authn/#idp
Also add a guide under here, including references to Descope: https://agentgateway.dev/docs/kubernetes/latest/mcp/auth/about/#supported-idps
ed00b75 to
9a1b3b3
Compare
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: <YOUR_ISSUER_URL> | ||
| audiences: [https://<YOUR_MCP_SERVER_URL>/mcp] |
There was a problem hiding this comment.
| audiences: [https://<YOUR_MCP_SERVER_URL>/mcp] | |
| audiences: [<YOUR_MCP_SERVER_URL>] |
| ### Using the token | ||
|
|
||
| ```bash | ||
| curl https://<YOUR_MCP_SERVER_URL>/mcp \ |
There was a problem hiding this comment.
| curl https://<YOUR_MCP_SERVER_URL>/mcp \ | |
| curl https://mcp.example.com/mcp \ |
|
|
||
| - `<YOUR_ISSUER_URL>`: Copy this from the Descope Console under your **Inbound Apps** → **App** → **Connection Information** → **Issuer**. The exact format is system-generated and varies by integration type. | ||
| - `<YOUR_PROJECT_ID>`: Found in the Descope Console under **Project Settings**. The JWKS URL always uses the project ID. | ||
| - `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL. |
There was a problem hiding this comment.
| - `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL. | |
| - `<YOUR_MCP_SERVER_URL>`: Your MCP server's public URL, that typically ends in `/mcp`. The `audiences` value must match the `aud` claim in Descope-issued tokens, which equals your MCP server's resource URL. |
| mcpAuthentication: | ||
| mode: strict | ||
| issuer: <YOUR_ISSUER_URL> | ||
| audiences: [https://<YOUR_MCP_SERVER_URL>/mcp] |
There was a problem hiding this comment.
| audiences: [https://<YOUR_MCP_SERVER_URL>/mcp] | |
| audiences: [<YOUR_MCP_SERVER_URL>] |
| - **Enterprise SSO** - [SAML and OIDC-based SSO](https://docs.descope.com/auth-methods/sso) for B2B use cases | ||
| - **No-code flows** - Build auth flows visually without writing backend code | ||
|
|
||
| ## Descope MCP Server |
There was a problem hiding this comment.
| ## Descope MCP Server |
|
|
||
| ## Descope MCP Server | ||
|
|
||
| Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required. |
There was a problem hiding this comment.
| Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required. |
|
|
||
| ## Learn more | ||
|
|
||
| - [Descope Inbound Apps](https://docs.descope.com/identity-federation/inbound-apps) |
There was a problem hiding this comment.
| - [Descope Inbound Apps](https://docs.descope.com/identity-federation/inbound-apps) | |
| - [Descope Clients](https://docs.descope.com/agentic-identity-hub/core-components/clients) |
| ### Using the token | ||
|
|
||
| ```bash | ||
| curl https://<YOUR_MCP_SERVER_URL>/mcp \ |
There was a problem hiding this comment.
| curl https://<YOUR_MCP_SERVER_URL>/mcp \ | |
| curl https://mcp.example.com/mcp \ |
| - **Enterprise SSO** - [SAML and OIDC-based SSO](https://docs.descope.com/auth-methods/sso) for B2B use cases | ||
| - **No-code flows** - Build auth flows visually without writing backend code | ||
|
|
||
| ## Descope MCP Server |
There was a problem hiding this comment.
| ## Descope MCP Server |
|
|
||
| ## Descope MCP Server | ||
|
|
||
| Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required. |
There was a problem hiding this comment.
| Descope also offers a hosted [MCP Server](https://docs.descope.com/mcp/mcp-server) at `https://mcp.descope.com`. Connect it to your MCP client to manage your Descope project — users, tenants, flows, audit logs, and more — using natural language. No installation required. |
| ### Supported IdPs for MCP Auth {#idp} | ||
|
|
||
| Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}} | ||
| Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Descope works via the standard resource server configuration using its JWKS endpoint as described in the [Descope integration guide]({{< link-hextra path="/integrations/auth/descope" >}}). Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}} |
There was a problem hiding this comment.
| Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Descope works via the standard resource server configuration using its JWKS endpoint as described in the [Descope integration guide]({{< link-hextra path="/integrations/auth/descope" >}}). Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}} | |
| Agentgateway currently includes built-in support for Keycloak and Auth0 as identity providers. Other IdPs that fully comply with the OAuth 2.0 specs might also work but are not tested.{{< conditional-text include-if="kubernetes" >}} For more information, see [Supported identity providers]({{< link-hextra path="/mcp/about/#supported-idps" >}}).{{< /conditional-text >}} |
|
@artberger this is ready for review. Could you please review this for us, we appreciate it! |
|
@artberger are you the right person to tag on this? Would love to see this merged soon if possible. |
|
Hey @artberger, sorry for the bother again but if you are a repo reviewer would you mind slotting our PR in to your schedule? Apologies, since it's not clear from the repo README who to contact for this. Thank you! |
howardjohn
left a comment
There was a problem hiding this comment.
overall lgtm just one small note
cc @artberger
| | Keycloak | Adapts non-standard endpoints such as JWKS certificate paths. | | ||
| | Auth0 | Uses standard well-known JWKS endpoint. | | ||
| | Auth0 | Uses standard well-known JWKS endpoint. | | ||
| | Descope | Uses standard well-known JWKS endpoint. | |
There was a problem hiding this comment.
This isn't quite accurate in the table - agentgateway can work with Descope, but agw has built in support for only auth0 and keycloak. I mean there is a literal enum auth0 in the codebase but not descope
There was a problem hiding this comment.
Hey @howardjohn, thanks for taking a look! I've also been in the process of adding Descope as a provider in the main agentgateway repo. I believe with that change adding built in support, it should cover what you pointed out. Apologies for not mentioning that in the PR description! As soon as I get an internal review over here I will also mark that PR as ready for review.
There was a problem hiding this comment.
Do you want to hold the docs until Descope is a provider in the code?
There was a problem hiding this comment.
@artberger yes please. looks like John approved that earlier today and it's almost merged (needed to handle DCO). Once the workflow steps are done I'd like to merge that.
There was a problem hiding this comment.
ok, looks like that merged, so I will approve and merge this docs one. Thanks for the contribution!
| 5. For machine-to-machine access, [create a Client](https://docs.descope.com/agentic-identity-hub/core-components/clients#creating-a-client) manually and enable the [**Client Credentials** grant type](https://docs.descope.com/agentic-identity-hub/core-components/clients#client-credentials). Note the generated **Client ID** and **Client Secret**. | ||
|
|
||
| ## Getting a token | ||
|
|
There was a problem hiding this comment.
This "Getting a token" section has two H3s.
- Are these alternate paths or are they really steps that you do in order?
- Is there another flow instead of machine-to-machine to include?
- Typically, we try to make commands copy-paste runnable, but the curls here for example require updating a lot. Possibly these could be set as env vars
There was a problem hiding this comment.
Hey Art. Originally I modeled that section like the docs for the other auth integrations (i.e. Auth0), but I just edited it to add clarity w.r.t. your questions. Let me know how you feel about those changes.
|
|
||
| ```bash | ||
| curl <YOUR_MCP_SERVER_URL> \ | ||
| -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \ |
There was a problem hiding this comment.
Where does the access token come from? is this the output of the previous section? if so, it might be helpful to say that. It also doesn't match the <> formatting for input variables.
| weight: 40 | ||
| description: Integrate agentgateway with Descope for authentication and identity management | ||
| --- | ||
|
|
There was a problem hiding this comment.
similar comments on this main file.
|
|
||
| ## Role-based authorization | ||
|
|
||
| Use Descope roles with agentgateway authorization: |
There was a problem hiding this comment.
Is this a step 3 after getting and using the token? do they have to do this, or is this just an option in case they want to further scope the previous config at the beginning of this doc to their existing Descope roles?
| Use Descope roles with agentgateway authorization: | |
| You can authorization based on your existing Descope roles, such as `Tenant Admin` in the following example. |
| authorization: | ||
| rules: | ||
| # Check for a specific Descope role | ||
| # - '"Tenant Admin" in jwt.roles' |
There was a problem hiding this comment.
I noticed in the descope docs that tenant roles are nested under jwt.tenants.<tenantId>.roles, whereas this just has jwt.roles.
Would it be something like this?
| # - '"Tenant Admin" in jwt.roles' | |
| # - '"Admin" in jwt.tenants["<YOUR TENANT ID>"].roles' |
There was a problem hiding this comment.
This is a good catch. Personally I was referencing https://docs.descope.com/management/token/jwt-templates#authorization-claims-configuration which is specifically for "Current Tenant, No Tenant Reference"; so when the tenant is omitted, then roles becomes a top-level claim.
I'm going to update this section to explain both.
|
@joshwertheim thanks for providing these docs, and my apologies for the late review. I left some review comments and also resolved a merge conflict. If you could also do DCO, that would be great. |
c7a97c4 to
7046b5e
Compare
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com> Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com> Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com> Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Co-authored-by: Art <artberger@users.noreply.github.com> Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
Signed-off-by: Joshua Wertheim <joshua.wertheim@descope.com>
7046b5e to
733eab9
Compare
|
thanks so much for the help @artberger |
Summary
Add Descope under Integrations -> Authentication & Identity for both latest and main.
Testing
Started up the local dev server as described under the README and confirmed the doc renders and Descope is now included in the index for that page as shown: