feat: add TLS support for gRPC connections to Dex

norajam · norajam · commit 24b48fc1afe3 · 2025-12-02T15:12:32.000-08:00
diff --git a/config/config.go b/config/config.go
@@ -7,6 +7,9 @@ import (
 	"net/url"
 	"os"
 
+	"crypto/tls"
+	"crypto/x509"
+
 	"gopkg.in/yaml.v3"
 )
 
@@ -45,7 +48,10 @@ type DynamicClientRegistration struct {
 }
 
 type DexGRPCClient struct {
-	Addr string `yaml:"addr"`
+	Addr        string `yaml:"addr"`
+	TLSCert     string `yaml:"tlsCert,omitempty"`
+	TLSKey      string `yaml:"tlsKey,omitempty"`
+	TLSClientCA string `yaml:"tlsClientCA,omitempty"`
 }
 
 type Proxy struct {
@@ -133,6 +139,50 @@ func (c *Config) YAMLString() (string, error) {
 	}
 }
 
+func (g *DexGRPCClient) ClientTLSConfig() (*tls.Config, error) {
+	// Check if TLS fields are set - must be all or nothing
+	tlsFieldsSet := 0
+	if g.TLSCert != "" {
+		tlsFieldsSet++
+	}
+	if g.TLSKey != "" {
+		tlsFieldsSet++
+	}
+	if g.TLSClientCA != "" {
+		tlsFieldsSet++
+	}
+
+	if tlsFieldsSet == 0 {
+		// No TLS configured - return nil for insecure connection
+		return nil, nil
+	}
+
+	if tlsFieldsSet != 3 {
+		return nil, fmt.Errorf("all three TLS fields (tlsCert, tlsKey, tlsClientCA) must be set together or all left empty")
+	}
+
+	// All three fields are set - configure mTLS
+	cPool := x509.NewCertPool()
+	caCert, err := os.ReadFile(g.TLSClientCA)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read TLS client CA: %w", err)
+	}
+	if !cPool.AppendCertsFromPEM(caCert) {
+		return nil, fmt.Errorf("failed to append TLS client CA certificate")
+	}
+
+	clientCert, err := tls.LoadX509KeyPair(g.TLSCert, g.TLSKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load TLS certificate and key: %w", err)
+	}
+
+	clientTLSConfig := &tls.Config{
+		RootCAs:      cPool,
+		Certificates: []tls.Certificate{clientCert},
+	}
+	return clientTLSConfig, nil
+}
+
 func (c *Config) Validate() error {
 	if c.Host == nil {
 		return fmt.Errorf("host is required")
@@ -150,6 +200,12 @@ func (c *Config) Validate() error {
 		if c.DexGRPCClient == nil || c.DexGRPCClient.Addr == "" {
 			return fmt.Errorf("dexGRPCClient is required when dynamicClientRegistrationEnabled is true")
 		}
+
+		_, err := c.DexGRPCClient.ClientTLSConfig()
+		if err != nil {
+			return fmt.Errorf("dexGRPCClient TLS configuration is invalid: %w", err)
+		}
+
 	}
 
 	return nil
diff --git a/examples/who-am-i/config.yaml b/examples/who-am-i/config.yaml
@@ -8,6 +8,9 @@ authorization:
     publicClient: true
 dexGRPCClient:
   addr: dex:5557
+  tlsCert: /certs/client.crt
+  tlsKey: /certs/client.key
+  tlsClientCA: /certs/ca.crt
 proxy:
   - path: /who-am-i/mcp
     http:
diff --git a/examples/who-am-i/docker-compose.yaml b/examples/who-am-i/docker-compose.yaml
@@ -1,4 +1,4 @@
-name: who-am-i-gateway
+name: demo-tls-grpc
 
 services:
   dex:
@@ -14,6 +14,11 @@ services:
     configs:
       - source: dex-config.yaml
         target: /config.yaml
+    volumes:
+      - type: bind
+        source: ./certs
+        target: /certs
+        read_only: true
     env_file:
       - .dex.secret.env
 
@@ -47,28 +52,24 @@ services:
 configs:
   dex-config.yaml:
     content: |
-      issuer: http://localhost:5556
+      issuer: http://10.239.117.77:5556
       web:
         http: 0.0.0.0:5556
         allowedOrigins: ['*']
       grpc:
         addr: 0.0.0.0:5557
+        tlsCert: /server.crt
+        tlsKey: /server.key
+        tlsClientCA: /ca.crt
       storage:
         type: memory
       oauth2:
         skipApprovalScreen: true
-      enablePasswordDB: true
-      staticPasswords:
-        - email: "admin@example.com"
-          # bcrypt hash of the string "password" for user admin: $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
-          hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
-          username: "admin"
-          userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
       connectors:
       - type: github
         id: github
         name: GitHub
         config:
-          clientID: {{ .Env.GITHUB_CLIENT_ID }}
-          clientSecret: {{ .Env.GITHUB_CLIENT_SECRET }}
-          redirectURI: http://localhost:5556/callback
+          clientID: 898c3748f5d34f9d8aa6
+          clientSecret: f79cc67c564c6ac912e108cbefe289d8a5c042f4
+          redirectURI: http://10.239.117.77:5556/callback
diff --git a/oauth/dynamic_client_registration.go b/oauth/dynamic_client_registration.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hyprmcp/mcp-gateway/config"
 	"github.com/hyprmcp/mcp-gateway/log"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
@@ -27,9 +28,22 @@ type ClientInformation struct {
 }
 
 func NewDynamicClientRegistrationHandler(config *config.Config, meta map[string]any) (http.Handler, error) {
+	clientTLSConfig, err := config.DexGRPCClient.ClientTLSConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	var creds credentials.TransportCredentials
+
+	if clientTLSConfig != nil {
+		creds = credentials.NewTLS(clientTLSConfig)
+	} else {
+		creds = insecure.NewCredentials()
+	}
+
 	grpcClient, err := grpc.NewClient(
 		config.DexGRPCClient.Addr,
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithTransportCredentials(creds),
 	)
 	if err != nil {
 		return nil, err
