Skip to content

OpenAM MCP server #935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
maximthomas wants to merge 27 commits into
base: master
Choose a base branch
from
Open

OpenAM MCP server #935

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
b037c11
Add OpenAM MCP Server to the OpenAM Tools list
maximthomas Nov 5, 2025
04a7d19
OpenAM MCP Server: authentication configuration
maximthomas Nov 7, 2025
deeee5c
OpenAM MCP Server: authentication configuration modules
maximthomas Nov 10, 2025
6c242f6
OpenAM MCP Server: update Spring AI, add copyright
maximthomas Nov 10, 2025
0bd6e47
Merge remote-tracking branch 'origin/master' into openam-mcp-server
maximthomas Nov 10, 2025
dd315fd
Merge branch 'master' into openam-mcp-server
maximthomas Nov 12, 2025
efd2618
Update OpenAM parent version for MCP Server
maximthomas Nov 12, 2025
f99534a
Update README.md
maximthomas Nov 12, 2025
4ea608a
Move OpenAM MCP server to root project
maximthomas Nov 12, 2025
b6dd003
OpenAM MCP Server: update Spring Boot and Spring AI
maximthomas Dec 24, 2025
2771dd9
Update openam-mcp-server/README.md
maximthomas Mar 27, 2026
4e9c188
Merge remote-tracking branch 'origin/master' into openam-mcp-server
maximthomas Mar 27, 2026
b12dcc8
Update parent version for openam-mcp-server
maximthomas Mar 27, 2026
47fee25
Apply suggestions from code review
maximthomas Mar 27, 2026
9e6920a
Apply suggestions from code review
maximthomas Mar 27, 2026
c1ab9e1
fix compilation error
maximthomas Mar 27, 2026
0a83382
change default password for the admin user
maximthomas Mar 27, 2026
8cb18ad
OpenAM MCP Server: update Spring Boot and Spring AI
maximthomas Mar 30, 2026
499b1c1
Add AuthInterceptorTest
maximthomas Mar 30, 2026
2113f19
fix failing tests
maximthomas Mar 30, 2026
4f3107c
add create user tests
maximthomas Mar 30, 2026
c966d81
Extend IGNORE_HEADERS list for OAuth2Controller
maximthomas Mar 30, 2026
133509c
Prevent preHandleOAuth recursion for AuthInterceptor
maximthomas Mar 30, 2026
96c5160
Encode path parameters for UserService
maximthomas Mar 30, 2026
fb5c92f
Apply suggestions from code review
maximthomas Mar 31, 2026
9be7128
getAvailableModuleListTest
maximthomas Mar 31, 2026
9ec20d5
Encode path parameters for AuthenticationConfigService
maximthomas Mar 31, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
346 changes: 346 additions & 0 deletions openam-mcp-server/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,346 @@
# OpenAM MCP Server

OpenAM MCP Server is a lightweight management service for OpenAM user accounts. It allows administrators to create, update, delete, and reset passwords for users, as well as retrieve authentication modules and chains configurations.

## Prerequisites
* JDK 17+
* [OpenAM](http://github.com/OpenIdentityPlatform/OpenAM) installed

## Quick Start
Set the `OPENAM_URL` environment variable, i.e., http://openam.example.org:8080/openam
Set the `OPENAM_ADMIN_USERNAME` (i.e., `amadmin`) and the `OPENAM_ADMIN_PASSWORD` environment variables (i.e., `passw0rd`).

```bash
export OPENAM_URL=http://openam.example.org:8080/openam
export OPENAM_ADMIN_USERNAME=amadmin
export OPENAM_ADMIN_PASSWORD=passw0rd
```

Clone and run from source:

```bash
mvn spring-boot:run
```
Or build and run the JAR:

```bash
cd openam-mcp-server
mvn package -DskipTests=true && java -jar ./target/openam-mcp-server-*.jar
```

## Advanced Authentication

> [!IMPORTANT]
> UUsing administrative credentials directly in the MCP server can be insecure. This server therefore supports OpenAM's OAuth 2.0 protocol.
protocol.

This approach requires additional OpenAM configuration.

### OpenAM OAuth2.0 Service Configuration

1. In the OpenAM admin console, select the root realm.
1. Select **Configure OAuth Provider** → **Configure OAuth2.0**.
1. Leave the settings unchanged and click **Create**.

Configure the OAuth 2.0 Provider with the following settings:

| Setting | Value |
|------------------------------------------------------------------|---------|
| Use Stateless Access & Refresh Tokens | enabled |
| User Profile Attribute(s) the Resource Owner is Authenticated On | uid |
| Supported Scopes | profile |
| OAuth2 Token Signing Algorithm | RS256 |
| Allow Open Dynamic Client Registration | enabled |

For more details, see the OpenAM OAuth 2.0 documentation:: https://doc.openidentityplatform.org/openam/admin-guide/chap-oauth2

### Authentication Chain Configuration

Create an OpenAM OAuth 2.0 authentication chain so the MCP server can exchange an access token for an SSO token to manage identities.

1. In the admin console, select the root realm.
1. In the left menu go to **Authentication** → **Modules** and create a new module with named `oidc` of type `OpenID Connect id_token bearer`.

Configure the `oidc` module as follows:

| Setting | Value |
|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
| OpenID Connect validation configuration value | OpenAM's .well-known/openid-configuration endpoint, i.e., http://openam.example.org:8080/openam/oauth2/.well-known/openid-configuration |
| Name of OpenID Connect ID Token Issuer | http://openam.example.org:8080/openam/oauth2 |
| Mapping of jwt attributes to local LDAP attributes | sub=uid |
| Audience name | Your MCP client's client ID, for example openam-mcp-server |

Create an authentication chain:

1. In the admin console, select the root realm.
1. In the left menu select **Authentication** → **Chains**
1. Create a new chain named `oidc` with the following configuration:

| Module | Criteria |
|--------|------------|
| oidc | REQUISITE |

Finally, enable OAuth 2.0 in the MCP server:

```bash
export OPENAM_USE_OAUTH=true
```

## Available MCP Server Tools

### Authentication Service Tools

```java
@Tool(name = "get_auth_modules", description = "Returns OpenAM authentication modules list")
public List<AuthModule> getAuthModules(@ToolParam(required = false, description = "If not set, uses root realm") String realm)

@Tool(name = "get_auth_chains", description = "Returns OpenAM authentication chains with modules")
public List<AuthChain> getOpenAMAuthChains(@ToolParam(required = false, description = "If not set, uses root realm") String realm)

@Tool(name = "get_available_modules", description = "Returns all available authentication modules")
public List<CoreAuthModule> getAvailableModuleList()


```

### Realm Tools

```java
@Tool(name = "get_realms", description = "Returns OpenAM realm list")
public List<Realm> getRealms()
```

### User Tools

```java
@Tool(name = "get_users", description = "Returns OpenAM user list from the default (root) realm")
public List<User> getUsers(@ToolParam(required = false, description = "If not set, uses root realm") String realm,
@ToolParam(required = false, description = "Username filter") String filter)

@Tool(name = "set_user_attribute", description = "Sets the attribute value for a user")
public User setUserAttribute(@ToolParam(required = false, description = "If not set, uses root realm") String realm,
@ToolParam(description = "username") String username,
@ToolParam(description = "user attribute name") String attribute,
@ToolParam(description = "user attribute value") String value)

@Tool(name = "set_user_password", description = "Sets the password for a user")
public User setUserPassword(@ToolParam(required = false, description = "If not set, uses root realm") String realm,
@ToolParam(description = "username") String username,
@ToolParam(description = "user password") String password)

@Tool(name = "create_user", description = "Creates a new user")
public User createUser(@ToolParam(required = false, description = "If not set, uses root realm") String realm,
@ToolParam(description = "Username (login)") String userName,
@ToolParam(description = "Password (min length 8)") String password,
@ToolParam(required = false, description = "User family name") String familyName,
@ToolParam(required = false, description = "User given name") String givenName,
@ToolParam(required = false, description = "Name") String name,
@ToolParam(required = false, description = "Email") String mail,
@ToolParam(required = false, description = "Phone number") String phone)

@Tool(name = "delete_user", description = "Deletes a user")
public Map<String, String> deleteUser(@ToolParam(required = false, description = "If not set, uses root realm") String realm,
@ToolParam(description = "Username (login)") String username)

```

In JSON-RPC format:
```json
{
"tools": [
{
"name": "set_user_password",
"description": "Sets the password for a user",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
},
"arg1": {
"type": "string",
"description": "username"
},
"arg2": {
"type": "string",
"description": "user password"
}
},
"required": [
"arg1",
"arg2"
],
"additionalProperties": false
}
},
{
"name": "set_user_attribute",
"description": "Sets the attribute value for a user",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
},
"arg1": {
"type": "string",
"description": "username"
},
"arg2": {
"type": "string",
"description": "user attribute name"
},
"arg3": {
"type": "string",
"description": "user attribute value"
}
},
"required": [
"arg1",
"arg2",
"arg3"
],
"additionalProperties": false
}
},
{
"name": "get_realms",
"description": "Returns OpenAM realm list",
"inputSchema": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": false
}
},
{
"name": "get_users",
"description": "Returns OpenAM user list from the default (root) realm",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
},
"arg1": {
"type": "string",
"description": "Username filter"
}
},
"required": [],
"additionalProperties": false
}
},
{
"name": "get_auth_modules",
"description": "Returns OpenAM authentication modules list",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
}
},
"required": [],
"additionalProperties": false
}
},
{
"name": "create_user",
"description": "Creates a new user",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
},
"arg1": {
"type": "string",
"description": "Username (login)"
},
"arg2": {
"type": "string",
"description": "Password (min length 8)"
},
"arg3": {
"type": "string",
"description": "User family name"
},
"arg4": {
"type": "string",
"description": "User given name"
},
"arg5": {
"type": "string",
"description": "Name"
},
"arg6": {
"type": "string",
"description": "Email"
},
"arg7": {
"type": "string",
"description": "Phone number"
}
},
"required": [
"arg1",
"arg2"
],
"additionalProperties": false
}
},
{
"name": "delete_user",
"description": "Deletes a user",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
},
"arg1": {
"type": "string",
"description": "Username (login)"
}
},
"required": [
"arg1"
],
"additionalProperties": false
}
},
{
"name": "get_available_modules",
"description": "Returns all available authenticaion modules",
"inputSchema": {
"type": "object",
"properties": {},
"required": [],
"additionalProperties": false
}
},
{
"name": "get_auth_chains",
"description": "Returns OpenAM authentication chains with modules",
"inputSchema": {
"type": "object",
"properties": {
"arg0": {
"type": "string",
"description": "If not set, uses root realm"
}
},
"required": [],
"additionalProperties": false
}
}
]
}
```
Loading