Description
We need to understand how MCP/Forge validates access tokens issued by Keycloak. Our tokens follow this structure:
    {
      "exp": <expiration_timestamp>,
      "iat": <issued_at_timestamp>,
      "jti": "<token_id>",
      "iss": "<issuer_url>",
      "sub": "<user_id>",
      "typ": "Bearer",
      "azp": "<authorized_party_client_id>",
      "session_state": "<session_state_id>",
      "scope": "",
      "sid": "<session_id>",
      "email_verified": ,
      "user_name": "<user_name>",
      "organization": "<organization_id>",
      "preferred_username": "<preferred_username>",
      "authorities": ["<roles_or_permissions>"]
    }
Objectives:
Identify which JWT claims MCP/Forge validates:
  iss (issuer)
  azp or aud (authorized party / audience)
  exp / iat (token expiry / issued at)
  scope / authorities
  organization / tenant-specific claims
Understand why valid Keycloak tokens might fail in Forge.
Document the expected token format and the necessary Forge configuration for successful validation.
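As an added illustration of the claim checks listed above (not code from MCP/Forge or from the issue author), the following validator runs the issuer, audience/azp, expiry, issued-at, authority and organization checks over a Keycloak-shaped claim set. It assumes the token signature has already been verified against the realm's JWKS by a JWT library; the policy values and the sample claims are constructed placeholders.

```python
import time
from typing import Dict, List, Optional
from dataclasses import dataclass


@dataclass
class ClaimPolicy:
    issuer: str                      # expected "iss", e.g. the Keycloak realm URL
    client_id: str                   # this service's client id (matched against aud or azp)
    required_authorities: frozenset = frozenset()  # roles that must appear in authorities/scope
    organization: Optional[str] = None             # tenant the token must belong to, if any
    leeway: int = 30                 # clock-skew tolerance in seconds


def validate_claims(claims: Dict, policy: ClaimPolicy, now: Optional[int] = None) -> List[str]:
    """Return a list of failures; an empty list means the claims satisfy the policy.
    Signature verification is assumed to have happened before this is called."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if claims.get("iss") != policy.issuer:
        problems.append("iss mismatch")
    # Keycloak access tokens frequently carry no "aud" for the resource server,
    # so fall back to "azp" (the client the token was issued to) when aud is absent.
    aud = claims.get("aud")
    aud_set = {aud} if isinstance(aud, str) else set(aud or [])
    if policy.client_id not in aud_set and claims.get("azp") != policy.client_id:
        problems.append("token not intended for this client (aud/azp)")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + policy.leeway:
        problems.append("token expired or exp missing")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + policy.leeway:
        problems.append("iat missing or in the future")
    if claims.get("typ") != "Bearer":
        problems.append("typ is not Bearer")
    # Authorities may arrive as the custom "authorities" array or as space-separated "scope".
    granted = set(claims.get("authorities") or []) | set((claims.get("scope") or "").split())
    missing = policy.required_authorities - granted
    if missing:
        problems.append("missing authorities: " + ", ".join(sorted(missing)))
    if policy.organization is not None and claims.get("organization") != policy.organization:
        problems.append("organization mismatch")
    return problems


# Constructed sample claims and policy (placeholder values, not from a real realm).
SAMPLE_CLAIMS = {"exp": 1700000300, "iat": 1700000000, "jti": "example-jti",
                 "iss": "https://keycloak.example.test/realms/demo", "sub": "user-123",
                 "typ": "Bearer", "azp": "forge-client", "scope": "openid",
                 "organization": "org-42", "authorities": ["ROLE_USER"]}
POLICY = ClaimPolicy(issuer="https://keycloak.example.test/realms/demo", client_id="forge-client",
                     required_authorities=frozenset({"ROLE_USER"}), organization="org-42")
```

Passing `now` explicitly makes the expiry checks reproducible in tests; in production leave it unset so the current time is used.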