chore: add browser based auth config docs for MCP servers and generalise MCP auth docs #285
Conversation
📝 WalkthroughWalkthroughAdded a new exported constant Changes
Sequence Diagram(s)sequenceDiagram
participant User as User
participant Browser as Browser
participant Assistant as AI_Assistant
participant IdP as IdentityProvider
participant API as ThunderServer
User->>Browser: Initiates login (Auth Code flow)
Browser->>IdP: Request authorization (PKCE, client_id, code_challenge)
IdP-->>Browser: Authorization code
Browser->>Assistant: Redirect with code
Assistant->>IdP: Exchange code + code_verifier for token
IdP-->>Assistant: access_token
Assistant->>API: Call AI endpoints with access_token
API-->>Assistant: AI responses
sequenceDiagram
participant Service as Service (Client)
participant IdP as IdentityProvider
participant API as ThunderServer
Service->>IdP: Request token (Client Credentials grant)
IdP-->>Service: access_token
Service->>API: Call AI endpoints with access_token
API-->>Service: AI responses
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing touches🧪 Generate unit tests (beta)
No actionable comments were generated in the recent review. 🎉 Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Fix all issues with AI agents
In `@docs/reference/mcp-servers/mcp-ai-configuration.mdx`:
- Around line 5-8: The docs currently hardcode admin credentials
("admin"/"admin") in the curl auth examples; replace those literals with the
imported shared defaultCredentials so copy/paste works: update the Client
Credentials and Authorization Code tab blocks that build ADMIN_TOKEN_RESPONSE
(and use ADMIN_TOKEN) to substitute username and password with
${defaultCredentials.username} and ${defaultCredentials.password} (or
placeholders that reference defaultCredentials) instead of "admin" and "admin",
ensuring the curl payload in the flow/execute request uses the shared
defaultCredentials values.
| import Tabs from '@theme/Tabs'; | ||
| import TabItem from '@theme/TabItem'; | ||
| import {defaultCredentials} from '../../_constants.mdx'; | ||
|
|
There was a problem hiding this comment.
Replace hardcoded admin/admin with the centralized default credentials.
You already import defaultCredentials, but both auth-method tabs still say admin/admin and embed those values in the admin-token request. With the new defaults, copy/paste will fail. Please update both tabs to use the shared defaults (or placeholders tied to them).
🛠️ Example update for the Client Credentials tab (apply similarly to the Authorization Code tab)
import Tabs from '@theme/Tabs';
import TabItem from '@theme/TabItem';
+import CodeBlock from '@theme/CodeBlock';
import {defaultCredentials} from '../../_constants.mdx';
@@
-> **Note**: Default credentials are `admin` / `admin`
+> **Note**: Default credentials are <code>{defaultCredentials.username}</code> / <code>{defaultCredentials.password}</code>
@@
-```bash
-ADMIN_TOKEN_RESPONSE=$(curl -k -s -X POST "${THUNDER_URL}/flow/execute" \
- -H 'Content-Type: application/json' \
- -d '{
- "applicationId": "'"${APPLICATION_ID}"'",
- "flowType": "AUTHENTICATION",
- "inputs": {
- "username": "admin",
- "password": "admin",
- "requested_permissions": "system"
- }
- }')
-
-ADMIN_TOKEN=$(echo $ADMIN_TOKEN_RESPONSE | jq -r '.assertion')
-```
+<CodeBlock language="bash">
+{`ADMIN_TOKEN_RESPONSE=$(curl -k -s -X POST "${THUNDER_URL}/flow/execute" \\
+ -H 'Content-Type: application/json' \\
+ -d '{
+ "applicationId": "'"${APPLICATION_ID}"'",
+ "flowType": "AUTHENTICATION",
+ "inputs": {
+ "username": "${defaultCredentials.username}",
+ "password": "${defaultCredentials.password}",
+ "requested_permissions": "system"
+ }
+ }')
+
+ADMIN_TOKEN=$(echo $ADMIN_TOKEN_RESPONSE | jq -r '.assertion')`}
+</CodeBlock>Also applies to: 60-98, 167-205
🤖 Prompt for AI Agents
In `@docs/reference/mcp-servers/mcp-ai-configuration.mdx` around lines 5 - 8, The
docs currently hardcode admin credentials ("admin"/"admin") in the curl auth
examples; replace those literals with the imported shared defaultCredentials so
copy/paste works: update the Client Credentials and Authorization Code tab
blocks that build ADMIN_TOKEN_RESPONSE (and use ADMIN_TOKEN) to substitute
username and password with ${defaultCredentials.username} and
${defaultCredentials.password} (or placeholders that reference
defaultCredentials) instead of "admin" and "admin", ensuring the curl payload in
the flow/execute request uses the shared defaultCredentials values.
There was a problem hiding this comment.
admin/admin credentials are for thunder. They are used to login to thunder developer console and obtain thunder admin tokens.
defaultCredentials store the openchoreo controlplane related admin credentials -- which are used to login to the openchoreo backstage UI and to login to the MCP servers.
There was a problem hiding this comment.
@chathuranga95, thank you for the clarification! You're absolutely right—I misunderstood the distinction between the two credential sets.
Thunder credentials (admin/admin) are used for authenticating to the Thunder identity provider to create OAuth2 applications and obtain admin tokens (Steps 1-3), while defaultCredentials are specifically for logging into the OpenChoreo Backstage UI and MCP servers (Step 4 in the authorization code flow).
The current implementation is correct as-is. I apologize for the confusion!
__ __
>(o.o)<
( )
" "
✏️ Learnings added
Learnt from: chathuranga95
Repo: openchoreo/openchoreo.github.io PR: 285
File: docs/reference/mcp-servers/mcp-ai-configuration.mdx:5-8
Timestamp: 2026-02-11T08:01:01.992Z
Learning: In OpenChoreo documentation, Thunder authentication uses `admin/admin` credentials to login to the Thunder developer console and obtain Thunder admin tokens. The `defaultCredentials` constant (adminopenchoreo.dev / Admin123) is used specifically for OpenChoreo Backstage UI login and MCP server authentication, not for Thunder operations.
Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
🧠 Learnings used
Learnt from: chathuranga95
Repo: openchoreo/openchoreo.github.io PR: 283
File: versioned_docs/version-v0.14.x/reference/mcp-servers/mcp-ai-configuration.mdx:116-118
Timestamp: 2026-02-10T07:12:30.528Z
Learning: For Asgardeo Thunder in OpenChoreo, the OAuth2 token issuer value should be set to the Thunder base URL (e.g., `${THUNDER_URL}`), not the token endpoint path (`${THUNDER_URL}/oauth2/token`).
|
These documentations are written only focussing Thunder as the identity provider. But OC can be configured against any identity provider as the authentication service and Thunder is only the default IdP for OC. Hence, shouldn't we also have generic docs on these as well considering any generic OAuth2/OIDC compliant IdP? WDYT? |
Agreed. I'll update the documentation considering a generic OAuth2/OIDC compliant IdP |
Signed-off-by: chathuranga95 <siriwardhanachathuranga@gmail.com>
Signed-off-by: chathuranga95 <siriwardhanachathuranga@gmail.com>
Signed-off-by: chathuranga95 <siriwardhanachathuranga@gmail.com>
chathuranga95
force-pushed
the
mcp-auth-code
branch
from
52cfd6a to
52c4684
Compare
chathuranga95
changed the title
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In `@docs/_constants.mdx`:
- Around line 10-13: The defaultCredentials constant sets the example login
password incorrectly; update the password property on defaultCredentials from
'Admin@123' to 'Admin123' (remove the '@' character) so the Backstage UI and MCP
server examples use the correct credential format; locate the defaultCredentials
object and change the password value accordingly.
In `@docs/user-guide/ci/external-ci.mdx`:
- Around line 49-51: The docs currently reference defaultCredentials for logging
into the Thunder Developer Portal which is incorrect; update the step that logs
into the Thunder Developer Portal (the line using
<code>{defaultCredentials.username}</code> /
<code>{defaultCredentials.password}</code>) to explicitly state the Thunder
admin credentials (admin / admin) and remove/replace the defaultCredentials
reference so readers use Thunder admin credentials rather than the Backstage/MCP
defaultCredentials constant.
🧹 Nitpick comments (1)
docs/reference/mcp-servers/mcp-ai-configuration.mdx (1)
40-112: Clarify which credentials are for Thunder vs Backstage.This page now mentions both Thunder admin (
admin/admin) and Backstage defaults. A short credential-scope note would prevent users from mixing them.✍️ Suggested clarification
**Default Login Credentials:** - Username: <code>{defaultCredentials.username}</code> - Password: <code>{defaultCredentials.password}</code> + +:::note Credential scope +Use the Backstage defaults above only for Backstage UI login and MCP server authentication. Use your IdP admin credentials (e.g., Thunder `admin/admin`) only for the developer portal. +:::Based on learnings: In docs/reference/mcp-servers/mcp-ai-configuration.mdx, specify that Thunder authentication uses Thunder admin tokens obtained via the Thunder developer console, and that the defaultCredentials (adminopenchoreo.dev / Admin123) are only for OpenChoreo Backstage UI login and MCP server authentication. Do not document or imply using admin/admin for Thunder operations.
| export const defaultCredentials = { | ||
| username: 'admin@openchoreo.dev', | ||
| password: 'Admin@123', | ||
| }; |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Search for credential definitions across the repository
echo "=== Searching for credential references ==="
rg -n "admin@openchoreo|Admin@123|Admin123" -S --type mdx --type md --type js --type ts --type yaml --type json 2>/dev/null | head -50
echo -e "\n=== Checking for helm/config files with defaults ==="
find . -type f \( -name "*.yaml" -o -name "*.yml" -o -name "values*.yaml" -o -name "*.json" \) -path "*/helm/*" -o -path "*/config/*" | head -20Repository: openchoreo/openchoreo.github.io
Length of output: 593
🏁 Script executed:
#!/bin/bash
# Search more broadly without case sensitivity
echo "=== Searching for 'admin' in documentation ==="
rg -i "admin" docs/_constants.mdx -A 5 -B 5
echo -e "\n=== Searching for 'defaultCredentials' ==="
rg "defaultCredentials" -n
echo -e "\n=== Searching for 'password' in constants/config files ==="
rg "password" docs/_constants.mdx -n
echo -e "\n=== Checking git history for this file ==="
git log --oneline -n 20 docs/_constants.mdx 2>/dev/null || echo "Git history not available"Repository: openchoreo/openchoreo.github.io
Length of output: 2149
🏁 Script executed:
#!/bin/bash
# Check the mcp-ai-configuration.mdx file that was mentioned in the learning
echo "=== Checking mcp-ai-configuration.mdx content ==="
cat -n docs/reference/mcp-servers/mcp-ai-configuration.mdx | head -30
echo -e "\n=== Look for any password/credential references ==="
rg -i "admin|password|credential" docs/reference/mcp-servers/mcp-ai-configuration.mdx -B 2 -A 2
echo -e "\n=== Check if there's a values.yaml or similar that defines actual defaults ==="
find . -name "values.yaml" -o -name "values*.yaml" 2>/dev/null | xargs grep -l "admin\|password" 2>/dev/null || echo "No values files found with credentials"Repository: openchoreo/openchoreo.github.io
Length of output: 4002
Update defaultCredentials password to Admin123.
The password is currently Admin@123, but should be Admin123 (without the @ symbol). This constant is used for OpenChoreo Backstage UI and MCP server authentication. Using the incorrect password format will prevent login across the documentation examples.
Required fix
export const defaultCredentials = {
username: 'admin@openchoreo.dev',
- password: 'Admin@123',
+ password: 'Admin123',
};📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| export const defaultCredentials = { | |
| username: 'admin@openchoreo.dev', | |
| password: 'Admin@123', | |
| }; | |
| export const defaultCredentials = { | |
| username: 'admin@openchoreo.dev', | |
| password: 'Admin123', | |
| }; |
🤖 Prompt for AI Agents
In `@docs/_constants.mdx` around lines 10 - 13, The defaultCredentials constant
sets the example login password incorrectly; update the password property on
defaultCredentials from 'Admin@123' to 'Admin123' (remove the '@' character) so
the Backstage UI and MCP server examples use the correct credential format;
locate the defaultCredentials object and change the password value accordingly.
There was a problem hiding this comment.
The correct password is Admin@123. Check: https://github.com/openchoreo/openchoreo/blob/main/install/helm/openchoreo-control-plane/values.yaml#L4026
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Fetch the values.yaml file from the openchoreo repository to verify the password
echo "=== Fetching values.yaml from openchoreo repository ==="
curl -s "https://raw.githubusercontent.com/openchoreo/openchoreo/main/install/helm/openchoreo-control-plane/values.yaml" | sed -n '4020,4035p'
echo -e "\n=== Searching for backstage admin password in values.yaml ==="
curl -s "https://raw.githubusercontent.com/openchoreo/openchoreo/main/install/helm/openchoreo-control-plane/values.yaml" | grep -n -i "admin.*password\|password.*admin" | head -20
Length of output: 606
@chathuranga95, you're absolutely right, and I apologize for the incorrect suggestion. I've verified the values.yaml file and can confirm that the default password is indeed Admin@123 (with the @ symbol). The constant in this PR is correct as-is.
Thank you for catching my error and providing the source reference!
✏️ Learnings added
Learnt from: chathuranga95
Repo: openchoreo/openchoreo.github.io PR: 285
File: docs/_constants.mdx:10-13
Timestamp: 2026-02-11T12:34:31.778Z
Learning: In OpenChoreo, the default Backstage admin credentials are username: `adminopenchoreo.dev` and password: `Admin123` (with @ symbol). These credentials are defined in the openchoreo-control-plane Helm chart values.yaml and used for OpenChoreo Backstage UI login and MCP server authentication.
Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.
⛔ Learnings removed
Learnt from: chathuranga95
Repo: openchoreo/openchoreo.github.io PR: 285
File: docs/reference/mcp-servers/mcp-ai-configuration.mdx:5-8
Timestamp: 2026-02-11T08:01:01.992Z
Learning: In OpenChoreo documentation, Thunder authentication uses `admin/admin` credentials to login to the Thunder developer console and obtain Thunder admin tokens. The `defaultCredentials` constant (adminopenchoreo.dev / Admin123) is used specifically for OpenChoreo Backstage UI login and MCP server authentication, not for Thunder operations.
🧠 Learnings used
Learnt from: chathuranga95
Repo: openchoreo/openchoreo.github.io PR: 285
File: docs/reference/mcp-servers/mcp-ai-configuration.mdx:5-8
Timestamp: 2026-02-11T08:01:01.992Z
Learning: In OpenChoreo documentation, Thunder authentication uses `admin/admin` credentials to login to the Thunder developer console and obtain Thunder admin tokens. The `defaultCredentials` constant (adminopenchoreo.dev / Admin123) is used specifically for OpenChoreo Backstage UI login and MCP server authentication, not for Thunder operations.
Signed-off-by: chathuranga95 <siriwardhanachathuranga@gmail.com>
2 participants
Purpose
Currently, the MCP auth docs only includes client credential based configs. This PR adds the auth code based configs as well.
Related Issues
N/A
Checklist
sidebars.tsif adding a new documentation pagenpm run startto preview the changes locallynpm run buildto ensure the build passes without errorsSummary by CodeRabbit