@cdmbase/wiki-browser 12.0.18-alpha.48 → 12.0.18-alpha.49

package/lib/templates/content/docs/adminide-modules/connectors/Connector.md

@@ -1,207 +1,445 @@
-# Application Connectors - OAuth Integration Flow
+# Form Builder Connector Documentation (OAuth and MCP)
 
-This document explains how users connect third-party services like Gmail to the platform.
+## Overview
 
-## How It Works
+This guide explains how to configure connectors in Form Builder Extensions.  
+You can add two connector types:
 
-The connector system uses OAuth 2.0 with PKCE to securely connect external services. When a user connects their Gmail account, we don't store their password. Instead, we get permission tokens directly from Google that allow us to access their account on their behalf.
+- **OAuth App**: Standard OAuth 2.0 based integration (for example Google, GitHub, Slack).
+- **MCP Connector**: Integration with an MCP server, using either OAuth or API Key authentication.
 
-Tokens are stored securely in our vault service, scoped to the user's selected project and environment.
+The goal is to help you understand:
+
+- The end-to-end setup flow in Form Builder.
+- What each connector field means.
+- Why PKCE is important and when to use it.
+- When and why to enable custom OAuth endpoints.
+- How MCP connector flow works.
 
 ---
 
-## The Connect Flow
+## 1) How to reach connector configuration in Form Builder
 
-```
-┌──────────────┐      ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
-│    User      │      │   Platform   │      │    Google    │      │    Vault     │
-└──────┬───────┘      └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
-       │                     │                     │                     │
-       │  1. Click Connect   │                     │                     │
-       │────────────────────>│                     │                     │
-       │                     │                     │                     │
-       │                     │  2. Generate secure │                     │
-       │                     │     state & verifier│                     │
-       │                     │                     │                     │
-       │  3. Open Google     │                     │                     │
-       │     sign-in popup   │                     │                     │
-       │<────────────────────│                     │                     │
-       │                     │                     │                     │
-       │  4. Sign in and     │                     │                     │
-       │     grant access    │                     │                     │
-       │─────────────────────────────────────────>│                     │
-       │                     │                     │                     │
-       │                     │  5. Google sends    │                     │
-       │                     │     auth code back  │                     │
-       │                     │<────────────────────│                     │
-       │                     │                     │                     │
-       │                     │  6. Exchange code   │                     │
-       │                     │     for tokens      │                     │
-       │                     │────────────────────>│                     │
-       │                     │                     │                     │
-       │                     │  7. Receive access  │                     │
-       │                     │     & refresh token │                     │
-       │                     │<────────────────────│                     │
-       │                     │                     │                     │
-       │                     │  8. Store tokens    │                     │
-       │                     │     securely        │                     │
-       │                     │─────────────────────────────────────────>│
-       │                     │                     │                     │
-       │  9. Show connected  │                     │                     │
-       │<────────────────────│                     │                     │
-       │                     │                     │                     │
-```
+Follow this flow:
+
+1. Open **Form Builder**.
+2. From the left sidebar, go to **Extensions**.
+3. Click **Create Extension**.
+4. Fill extension details (name, description, basic metadata).
+5. Open your extension canvas.
+6. Drag and drop form elements into the step.
+7. Drag and drop the **OAuth Connector** component.
+8. Select the connector element and open its settings panel.
+9. You will now see **OAuth Connector Settings** with all connector fields.
 
 ---
 
-## Step-by-Step: Connecting Gmail
+## 2) Connector Type options
 
-### 1. User Opens Connectors Page
+Inside connector settings, choose one connector type:
 
-The user navigates to the Connectors page where they see a list of available integrations. Each connector shows whether it's already connected or available to connect.
+- **OAuth App**
+    - Use this when connecting to OAuth providers directly.
+    - Example providers: Google, GitHub, Slack, Microsoft.
+- **MCP Connector**
+    - Use this when connecting to an MCP server endpoint.
+    - Supports:
+        - MCP with OAuth.
+        - MCP with API Key.
 
-### 2. User Selects Project and Environment
+---
 
-Before connecting any service, the user must select which project and environment the connection belongs to. This determines where the access tokens will be stored and which part of the application can use them.
+## 3) Common fields (shown for both OAuth and MCP)
 
-### 3. User Clicks "Connect" on Gmail
+These fields are available for both connector types:
 
-A confirmation modal appears. The user clicks "Connect" to proceed.
+### Provider ID
 
-### 4. Platform Prepares the Authorization
+- Unique provider selector/identifier.
+- Can be a known provider (pre-configured) or custom.
+- Example: `google`, `github`, `slack`, `custom`.
 
-Behind the scenes, the platform:
+### Display Title
 
-- Generates a unique security code (state) to prevent attacks
-- Creates a PKCE verifier for additional security
-- Temporarily saves this information so we can match it when Google responds
-- Builds the Google authorization URL with all required parameters
+- User-facing connector name in the form.
+- Example: `Connect Slack Workspace`.
 
-### 5. Google Sign-in Popup Opens
+### Connector Description
 
-A popup window opens showing Google's sign-in page. The user enters their Google credentials and sees what permissions the app is requesting (read emails, send emails, etc.).
+- Short text describing what this connector does.
+- Example: `Connect Slack to send notifications from this workflow.`
 
-### 6. User Grants Permission
+### Connector Type
 
-The user clicks "Allow" to grant the requested permissions. Google then redirects the popup back to our callback page with an authorization code.
+- Radio selection:
+    - `OAuth App`
+    - `MCP Connector`
 
-### 7. Callback Page Receives the Code
+### Brand Color
 
-Our callback page receives the authorization code from Google. It retrieves the security information we saved earlier and sends everything to the backend.
+- Controls the connector card accent color in UI.
+- Use provider brand color where possible for recognition.
 
-### 8. Platform Exchanges Code for Tokens
+### Credential Provisioning (Client ID / Client Secret)
 
-The backend contacts Google directly and exchanges the authorization code for actual access tokens. This happens server-to-server, keeping everything secure.
+- Admin-level credentials are stored securely in vault-backed configuration.
+- They are not shown to end users at runtime.
+- For standard OAuth app flow, these are usually required.
+- For some MCP OAuth patterns, they may be optional or dynamically registered.
 
-### 9. Tokens Are Stored in Vault
+---
 
-The access token and refresh token are stored in our secure vault, associated with the user's selected project and environment. The connector record is created in the database.
+## 4) OAuth App fields (detailed explanation)
 
-### 10. Success!
+When **Connector Type = OAuth App**, configure the following:
 
-The popup closes and the Connectors page updates to show Gmail as "Connected".
+### Provider URL
 
----
+- Base URL/issuer for provider discovery.
+- Usually the provider identity domain.
+- Example: `https://accounts.google.com`
+- If provider is pre-configured, this may be auto-filled and read-only.
+
+### Token endpoint client authentication methods
+
+Determines how `client_id` and `client_secret` are sent to token endpoint.
+
+- `client_secret_post` (default)
+    - Sends client credentials in request body.
+    - Common and compatible with many providers.
+- `client_secret_basic`
+    - Sends credentials in `Authorization: Basic ...` header.
+    - Needed by providers expecting HTTP Basic auth.
+
+Use provider documentation to pick the correct method. A mismatch can cause token exchange failures.
+
+### Use PKCE
+
+Enable this only for providers that support the PKCE-based secure Authorization Code flow, since not all providers (such as Discord) support PKCE..
+
+- PKCE adds:
+    - `code_challenge` during authorize request.
+    - `code_verifier` during token request.
+- This protects against authorization code interception attacks.
+- Recommended for browser/public-client style flows.
+
+#### Why PKCE matters
+
+Without PKCE, if someone intercepts the authorization code, they can exchange it for tokens.  
+With PKCE, the intercepted code is useless without the original verifier.
+
+#### PKCE example (Slack)
+
+For a Slack connector, enabling PKCE means:
+
+1. System generates random `code_verifier`.
+2. System derives `code_challenge` (S256).
+3. User is redirected to Slack authorize URL with challenge.
+4. Slack returns authorization code to callback.
+5. Backend sends code + original verifier to Slack token endpoint.
+6. Slack validates verifier and returns tokens.
+
+Result: safer OAuth flow, especially in browser-based integrations.
+
+### Use Custom OAuth Endpoints
+
+Enable this when provider discovery via `Provider URL` is not sufficient.
+
+By default, the system can discover endpoints from provider metadata.  
+When custom endpoints are enabled, you explicitly provide endpoints below.
+
+#### OIDC discovery example (default mode)
+
+If provider URL is `https://accounts.google.com`, the platform can use OIDC discovery metadata from:
+
+- `https://accounts.google.com/.well-known/openid-configuration`
+
+From this metadata, the platform automatically resolves:
+
+- `authorization_endpoint`
+- `token_endpoint`
+- `revocation_endpoint` (if available)
+
+This is important because OIDC discovery:
+
+- reduces manual configuration errors,
+- keeps endpoint configuration consistent with provider updates,
+- improves reliability across environments,
+- and simplifies onboarding for standard providers.
+
+#### Why and when to enable custom endpoints
+
+Enable custom endpoints when OIDC/OAuth discovery cannot provide valid endpoints for your setup, for example:
+
+- provider has no `.well-known` metadata,
+- enterprise/private deployment uses non-public or tenant-specific endpoints,
+- you must override default endpoints for compatibility reasons.
+
+In these cases, manually provide `Authorization URL`, `Token URL`, and optionally `Revocation URL`.
+
+### Authorization URL (required when custom endpoints enabled)
+
+- The provider authorization endpoint.
+- Example: `https://provider.example.com/oauth/authorize`
+
+### Token URL (required when custom endpoints enabled)
 
-## The Disconnect Flow
+- The provider token endpoint for code-to-token exchange.
+- Example: `https://provider.example.com/oauth/token`
 
+### Revocation URL (optional)
+
+- Endpoint used to revoke access/refresh tokens on disconnect.
+- Example: `https://provider.example.com/oauth/revoke`
+
+### Redirect URI
+
+- Callback URI registered in provider app settings.
+- Provider redirects user to this URL after consent.
+- Typical format: `https://<your-client-domain>/connector-callback`
+
+### OAuth Scopes
+
+- Permissions requested from provider.
+- Comma-separated list (if editable).
+- Example: `openid, profile, email, channels:read`
+- For known providers, scopes can be pre-configured and read-only.
+
+### OAuth App connect flow diagram
+
+```text
+┌──────────────┐      ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
+│    User      │      │   Platform   │      │ OAuth Provider│      │    Vault     │
+└──────┬───────┘      └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
+       │                     │                      │                     │
+       │ 1. Click Connect    │                      │                     │
+       │────────────────────>│                      │                     │
+       │                     │ 2. Generate state +  │                     │
+       │                     │    PKCE verifier     │                     │
+       │                     │                      │                     │
+       │ 3. Open authorize   │                      │                     │
+       │    page/popup       │                      │                     │
+       │<────────────────────│                      │                     │
+       │───────────────────────────────────────────>│                     │
+       │                     │                      │                     │
+       │                     │ 4. Provider returns  │                     │
+       │                     │    auth code         │                     │
+       │                     │<─────────────────────│                     │
+       │                     │ 5. Exchange code for │                     │
+       │                     │    tokens (+verifier)│                     │
+       │                     │─────────────────────>│                     │
+       │                     │ 6. Receive tokens    │                     │
+       │                     │<─────────────────────│                     │
+       │                     │ 7. Store tokens      │                     │
+       │                     │───────────────────────────────────────────>│
+       │ 8. Show connected   │                      │                     │
+       │<────────────────────│                      │                     │
 ```
+
+### OAuth App disconnect flow diagram
+
+```text
 ┌──────────────┐      ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
-│    User      │      │   Platform   │      │    Google    │      │    Vault     │
+│    User      │      │   Platform   │      │ OAuth Provider│      │    Vault     │
 └──────┬───────┘      └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
-       │                     │                     │                     │
-       │  1. Click           │                     │                     │
-       │     Disconnect      │                     │                     │
-       │────────────────────>│                     │                     │
-       │                     │                     │                     │
-       │                     │  2. Get tokens      │                     │
-       │                     │     from vault      │                     │
-       │                     │<─────────────────────────────────────────│
-       │                     │                     │                     │
-       │                     │  3. Revoke tokens   │                     │
-       │                     │     with Google     │                     │
-       │                     │────────────────────>│                     │
-       │                     │                     │                     │
-       │                     │  4. Delete tokens   │                     │
-       │                     │     from vault      │                     │
-       │                     │─────────────────────────────────────────>│
-       │                     │                     │                     │
-       │                     │  5. Delete          │                     │
-       │                     │     connector record│                     │
-       │                     │                     │                     │
-       │  6. Show            │                     │                     │
-       │     disconnected    │                     │
-       │<────────────────────│                     │                     │
-       │                     │                     │                     │
+       │                     │                      │                     │
+       │ 1. Click Disconnect │                      │                     │
+       │────────────────────>│                      │                     │
+       │                     │ 2. Read tokens       │                     │
+       │                     │<───────────────────────────────────────────│
+       │                     │ 3. Revoke tokens     │                     │
+       │                     │─────────────────────>│                     │
+       │                     │ 4. Clear secrets     │                     │
+       │                     │───────────────────────────────────────────>│
+       │ 5. Show disconnected│                      │                     │
+       │<────────────────────│                      │                     │
 ```
 
 ---
 
-## Step-by-Step: Disconnecting Gmail
+## 5) When to use custom OAuth endpoints (with example)
+
+Use **Custom OAuth Endpoints** when:
+
+- Provider does not expose standard OIDC/OAuth discovery metadata.
+- Discovery endpoint is disabled, private, or non-standard.
+- You need to use tenant-specific auth/token URLs.
+- You have a custom or self-hosted OAuth server.
+
+### Example scenario
+
+Assume an enterprise provider exposes:
+
+- Authorization: `https://login.acme.internal/oauth2/v1/authorize`
+- Token: `https://login.acme.internal/oauth2/v1/token`
+- Revocation: `https://login.acme.internal/oauth2/v1/revoke`
+
+If discovery is not available, enable custom endpoints and enter these URLs directly.
+
+How it works:
+
+1. Authorize URL is built using your custom authorization endpoint.
+2. User authenticates and provider returns `code`.
+3. Token exchange is sent to your custom token endpoint.
+4. On disconnect, system uses custom revocation endpoint (if provided).
+
+---
+
+## 6) MCP Connector flow
+
+When **Connector Type = MCP Connector**, use these fields:
+
+### MCP URL
 
-### 1. User Clicks "Disconnect"
+- Base URL of MCP server.
+- Example: `https://mcp.example.com/api`
+- For known MCP providers, may be auto-filled.
 
-On the Connectors page, the user clicks the "Disconnect" button on their connected Gmail integration. A confirmation modal appears.
+### Auth Method
 
-### 2. User Confirms
+Choose one:
 
-The user confirms they want to disconnect. This action cannot be undone - they'll need to reconnect if they want to use the integration again.
+- **OAuth**
+    - MCP server uses OAuth flow.
+    - Scopes are required.
+    - PKCE is applied in MCP OAuth flow.
+- **API Key**
+    - MCP server authenticates using an API key/token.
+    - Simpler setup where OAuth is not needed.
 
-### 3. Platform Retrieves Stored Tokens
+### MCP OAuth Scopes
 
-The backend retrieves the access and refresh tokens from the vault for this connector.
+- Required when Auth Method is OAuth.
+- Comma-separated permissions.
+- Example: `read, write, tools:execute`
+- May be read-only for pre-configured providers.
 
-### 4. Tokens Are Revoked with Google
+---
 
-The platform contacts Google to revoke the tokens. This invalidates them immediately - even if someone had copied the tokens, they would no longer work.
+## 7) MCP OAuth flow (what happens internally)
 
-### 5. Tokens Are Deleted from Vault
+For MCP + OAuth, typical flow is:
 
-Both the access token and refresh token are permanently deleted from our vault.
+1. System reads MCP discovery metadata from provider (`.well-known` endpoint).
+2. If required, system performs dynamic OAuth client registration.
+3. System generates state and PKCE challenge.
+4. User is redirected to MCP authorization endpoint.
+5. Provider returns `code` to callback.
+6. Backend exchanges `code` using `code_verifier`.
+7. Access/refresh tokens are stored securely.
 
-### 6. Connector Record Is Deleted
+This allows secure token-based access to MCP tools/services from the connector.
 
-The connector record is removed from the database.
+### MCP OAuth connect flow diagram
 
-### 7. Done
+```text
+┌──────────────┐      ┌──────────────┐      ┌──────────────┐      ┌──────────────┐
+│    User      │      │   Platform   │      │  MCP Server  │      │    Vault     │
+└──────┬───────┘      └──────┬───────┘      └──────┬───────┘      └──────┬───────┘
+       │                     │                      │                     │
+       │ 1. Click Connect    │                      │                     │
+       │────────────────────>│                      │                     │
+       │                     │ 2. Fetch .well-known │                     │
+       │                     │─────────────────────>│                     │
+       │                     │ 3. (Optional) client │                     │
+       │                     │    registration       │                     │
+       │                     │─────────────────────>│                     │
+       │                     │ 4. Save client creds  │                     │
+       │                     │───────────────────────────────────────────>│
+       │                     │ 5. Generate state +   │                     │
+       │                     │    PKCE challenge     │                     │
+       │───────────────────────────────────────────>│                     │
+       │                     │                      │                     │
+       │                     │ 6. Code callback      │                     │
+       │                     │<─────────────────────│                     │
+       │                     │ 7. Token exchange     │                     │
+       │                     │─────────────────────>│                     │
+       │                     │ 8. Store tokens       │                     │
+       │                     │───────────────────────────────────────────>│
+       │ 9. Show connected   │                      │                     │
+       │<────────────────────│                      │                     │
+```
 
-The UI updates to show Gmail as available to connect again.
+### MCP API Key flow diagram
+
+```text
+┌──────────────┐      ┌──────────────┐      ┌──────────────┐
+│    User      │      │   Platform   │      │  MCP Server  │
+└──────┬───────┘      └──────┬───────┘      └──────┬───────┘
+       │                     │                      │
+       │ 1. Provide API key  │                      │
+       │────────────────────>│                      │
+       │                     │ 2. Test connection   │
+       │                     │─────────────────────>│
+       │                     │ 3. Return status     │
+       │                     │<─────────────────────│
+       │ 4. Show connected   │                      │
+       │<────────────────────│                      │
+```
 
 ---
 
-## Security Measures
+## 8) Best practices
 
-**PKCE (Proof Key for Code Exchange)**
-Every authorization request includes a unique cryptographic challenge. This prevents attackers from intercepting the authorization code and using it themselves.
+- Always keep **PKCE enabled** unless provider explicitly does not support it.
+- Use least-privilege scopes (request only what is needed).
+- Verify redirect URI exactly matches provider app configuration.
+- Choose token auth method based on provider docs (`client_secret_post` vs Basic).
+- Enable custom endpoints only when discovery does not work.
 
-**State Parameter**
-A random string is generated for each connection attempt. When Google redirects back, we verify this matches what we sent. This prevents cross-site request forgery attacks.
+---
+
+## 9) How secrets are stored (same model as previous flow)
+
+Secret handling remains the same as your previous connector flow.
+
+### Stored in Vault (encrypted)
+
+- `clientId` and `clientSecret` (connector app credentials).
+- `accessToken` and `refreshToken` (runtime user tokens).
+- Token metadata where applicable (expiry/scope context).
 
-**Temporary State Storage**
-The security information needed during authorization is stored temporarily and automatically deleted after 10 minutes. This ensures no sensitive data lingers if a connection attempt is abandoned.
+### Stored in Database
 
-**Vault Storage**
-Tokens are never stored in plain text in the database. They're kept in our secure vault service, encrypted and access-controlled.
+- Connector metadata (provider, type, status, timestamps).
+- References/pointers to vault-backed secrets.
+- Project and environment association.
 
-**Token Revocation**
-When disconnecting, we don't just delete our copy of the tokens - we also tell Google to invalidate them. This ensures complete disconnection.
+### Temporary during auth
+
+- OAuth `state` and PKCE values used for request validation.
+- Temporary auth request context for callback validation.
+
+No provider passwords are stored in the platform database.
 
 ---
 
-## What Gets Stored Where
+## 10) Quick configuration checklist
 
-**In the Vault (Encrypted)**
+### OAuth App checklist
 
-- Access Token - used to make API calls to Google
-- Refresh Token - used to get new access tokens when they expire
+- Set provider ID and display metadata.
+- Set provider URL.
+- Select token endpoint client authentication method.
+- Keep PKCE enabled.
+- Configure redirect URI.
+- Set scopes.
+- If required, enable custom endpoints and provide authorization/token/revocation URLs.
 
-**In the Database**
+### MCP Connector checklist
 
-- Connector metadata (which service, when connected, status)
-- Reference IDs pointing to the vault secrets
-- Token expiration information
-- Which project and environment the connector belongs to
+- Set provider ID and display metadata.
+- Set MCP URL.
+- Choose auth method (OAuth or API Key).
+- If OAuth, configure MCP scopes.
+- Validate connection flow in preview/runtime.
+
+---
 
-**Temporarily During Connect**
+## 11) Troubleshooting tips
 
-- OAuth state and security codes (auto-deleted after 10 minutes)
+- **Token exchange fails**: check token auth method and token URL.
+- **Invalid redirect URI**: verify exact URI match in provider console.
+- **Insufficient permissions**: add required scopes and reconnect.
+- **Custom provider not working**: verify all custom endpoint URLs are correct and reachable.
+- **MCP OAuth fails early**: check MCP discovery endpoint and OAuth metadata availability.

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@cdmbase/wiki-browser",
-    "version": "12.0.18-alpha.48",
+    "version": "12.0.18-alpha.49",
     "description": "Sample core for higher packages to depend on",
     "license": "ISC",
     "author": "CDMBase LLC",
@@ -28,7 +28,7 @@
         "openai": "^4.52.0"
     },
     "devDependencies": {
-        "common": "12.0.18-alpha.29"
+        "common": "12.0.18-alpha.49"
     },
     "peerDependencies": {
         "@common-stack/client-react": ">0.5.16",
@@ -65,7 +65,7 @@
             }
         ]
     },
-    "gitHead": "696410c4abf236e6bb163f0a557b858a4b73279d",
+    "gitHead": "3c1a1c817bd7a4c486259bba60746627fd9068b8",
     "typescript": {
         "definition": "lib/index.d.ts"
     }