@tideorg/mcp 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/GAP_REGISTER.md +117 -0
- package/README.md +38 -0
- package/adapters/AGENTS.md +241 -0
- package/adapters/CLAUDE.md +146 -0
- package/adapters/replit.md +224 -0
- package/canon/anti-patterns.md +2133 -0
- package/canon/concepts.md +816 -0
- package/canon/custom-contracts.md +533 -0
- package/canon/delegation.md +195 -0
- package/canon/feature-mapping.md +637 -0
- package/canon/framework-matrix.md +1125 -0
- package/canon/invariants.md +851 -0
- package/canon/redirect-handler.md +254 -0
- package/canon/tidecloak-bootstrap.md +287 -0
- package/canon/tidecloak-endpoints.md +294 -0
- package/canon/troubleshooting.md +1494 -0
- package/canon/version-policy.md +89 -0
- package/mcp-server/dist/index.d.ts +2 -0
- package/mcp-server/dist/index.js +605 -0
- package/package.json +45 -0
- package/playbooks/add-auth-nextjs-existing.md +799 -0
- package/playbooks/add-auth-nextjs-fresh.md +654 -0
- package/playbooks/add-rbac-nextjs.md +190 -0
- package/playbooks/bootstrap-realm-from-template.md +170 -0
- package/playbooks/configure-e2ee-roles-and-policies.md +196 -0
- package/playbooks/deploy-tidecloak-docker.md +792 -0
- package/playbooks/diagnose-broken-login.md +234 -0
- package/playbooks/diagnose-missing-roles-or-claims.md +253 -0
- package/playbooks/initialize-admin-and-link-account.md +235 -0
- package/playbooks/migrate-from-existing-auth.md +198 -0
- package/playbooks/protect-api-nextjs.md +451 -0
- package/playbooks/protect-routes-nextjs.md +544 -0
- package/playbooks/setup-forseti-e2ee.md +756 -0
- package/playbooks/setup-iga-admin-panel.md +344 -0
- package/playbooks/setup-server-delegation.md +142 -0
- package/playbooks/start-tidecloak-dev.md +130 -0
- package/playbooks/verify-jwt-server-side.md +439 -0
- package/prompts/add-admin-approval-flow.md +50 -0
- package/prompts/build-private-customer-portal.md +85 -0
- package/prompts/migrate-generic-auth-to-tide.md +67 -0
- package/prompts/secure-existing-app.md +80 -0
- package/reference-apps/INDEX.md +87 -0
- package/reference-apps/encrypted-communication/anti-patterns.md +123 -0
- package/reference-apps/encrypted-communication/bootstrap-sequence.md +152 -0
- package/reference-apps/encrypted-communication/manifest.yaml +100 -0
- package/reference-apps/encrypted-communication/role-policy-matrix.md +80 -0
- package/reference-apps/encrypted-communication/scenario.md +134 -0
- package/reference-apps/git-pr-signing-service/anti-patterns.md +61 -0
- package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +157 -0
- package/reference-apps/git-pr-signing-service/manifest.yaml +80 -0
- package/reference-apps/git-pr-signing-service/role-policy-matrix.md +99 -0
- package/reference-apps/git-pr-signing-service/scenario.md +169 -0
- package/reference-apps/iga-admin-governance/anti-patterns.md +133 -0
- package/reference-apps/iga-admin-governance/bootstrap-sequence.md +153 -0
- package/reference-apps/iga-admin-governance/manifest.yaml +87 -0
- package/reference-apps/iga-admin-governance/role-policy-matrix.md +67 -0
- package/reference-apps/iga-admin-governance/scenario.md +126 -0
- package/reference-apps/organisation-password-manager/anti-patterns.md +71 -0
- package/reference-apps/organisation-password-manager/bootstrap-sequence.md +127 -0
- package/reference-apps/organisation-password-manager/manifest.yaml +86 -0
- package/reference-apps/organisation-password-manager/role-policy-matrix.md +59 -0
- package/reference-apps/organisation-password-manager/scenario.md +107 -0
- package/reference-apps/policy-governed-signing/anti-patterns.md +67 -0
- package/reference-apps/policy-governed-signing/bootstrap-sequence.md +128 -0
- package/reference-apps/policy-governed-signing/manifest.yaml +78 -0
- package/reference-apps/policy-governed-signing/role-policy-matrix.md +62 -0
- package/reference-apps/policy-governed-signing/scenario.md +113 -0
- package/skills/tide-diagnostics/SKILL.md +99 -0
- package/skills/tide-integration/SKILL.md +136 -0
- package/skills/tide-learning-capture/SKILL.md +174 -0
- package/skills/tide-rbac-and-e2ee/SKILL.md +214 -0
- package/skills/tide-reviewer/SKILL.md +133 -0
- package/skills/tide-route-and-api-protection/SKILL.md +201 -0
- package/skills/tide-scenario-resolver/SKILL.md +81 -0
- package/skills/tide-setup/SKILL.md +218 -0
- package/skills/tide-solutions-architect/SKILL.md +130 -0
|
@@ -0,0 +1,294 @@
|
|
|
1
|
+
# TideCloak Extension Endpoints - Canon
|
|
2
|
+
|
|
3
|
+
Complete reference of all REST endpoints added by TideCloak extensions. These are in addition to standard Keycloak endpoints.
|
|
4
|
+
|
|
5
|
+
Admin endpoints require a Bearer token with `manage-realm` or `manage-users` permission.
|
|
6
|
+
Public endpoints require no authentication.
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## URL Patterns
|
|
11
|
+
|
|
12
|
+
- Admin API: `/admin/realms/{realm}/{provider-id}/{path}`
|
|
13
|
+
- Public realm: `/realms/{realm}/{provider-id}/{path}`
|
|
14
|
+
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
## App Developer Endpoints
|
|
18
|
+
|
|
19
|
+
These are the endpoints app developers interact with most frequently.
|
|
20
|
+
|
|
21
|
+
### Adapter JSON Export
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
GET /admin/realms/{realm}/vendorResources/get-installations-provider
|
|
25
|
+
?clientId={uuid}&providerId=keycloak-oidc-keycloak-json
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Returns the client adapter JSON with Tide-specific fields (`jwk`, `vendorId`, `homeOrkUrl`, `client-origin-auth-*`). The `jwk` field is only present when IGA is enabled. Save as `data/tidecloak.json`.
|
|
29
|
+
|
|
30
|
+
### Public Tide Config
|
|
31
|
+
|
|
32
|
+
```
|
|
33
|
+
GET /realms/{realm}/public/get-tide-config?clientId={clientId}
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
Public endpoint. Returns `vendorId`, `homeOrkUrl`, client auth origins, and branding URLs for a client. No auth required.
|
|
37
|
+
|
|
38
|
+
### Admin Policy (for E2EE)
|
|
39
|
+
|
|
40
|
+
```
|
|
41
|
+
GET /realms/{realm}/tide-policy-resources/admin-policy
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
Public endpoint. Returns the base64-encoded admin policy needed for policy-based encryption operations. Also available as `/admin-policy/bytes` (raw) and `/admin-policy/display` (human-readable).
|
|
45
|
+
|
|
46
|
+
### Role Policy
|
|
47
|
+
|
|
48
|
+
```
|
|
49
|
+
GET /realms/{realm}/tide-policy-resources/policy?roleId={id}&clientId={id}
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
Public endpoint. Returns the Midgard policy for a specific role on a client.
|
|
53
|
+
|
|
54
|
+
### Vouchers
|
|
55
|
+
|
|
56
|
+
```
|
|
57
|
+
POST /realms/{realm}/tidevouchers/fromUserSession?sessionId={sid}
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
Gets vouchers for a user session. Role-based: `signin`/`updateaccount` always allowed; `vendorsign` requires `_tide_*` or authorizer role; `vendordecrypt` requires `_tide_*.selfdecrypt` role. The SDK constructs this URL internally.
|
|
61
|
+
|
|
62
|
+
```
|
|
63
|
+
POST /realms/{realm}/tidevouchers/fromAuthSession?sessionId={sid}&tabId={tab}&clientId={id}
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
Gets vouchers during authentication flow (login).
|
|
67
|
+
|
|
68
|
+
### DPoP Auth Page
|
|
69
|
+
|
|
70
|
+
```
|
|
71
|
+
GET /realms/{realm}/tide-idp-resources/clientIframe/iss/{iss}/aud/{aud}/tide_dpop_auth.html
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
Serves the DPoP authentication iframe HTML. `iss` and `aud` are hex-encoded. The SDK uses this internally.
|
|
75
|
+
|
|
76
|
+
### Token Exchange (Delegation)
|
|
77
|
+
|
|
78
|
+
```
|
|
79
|
+
POST /realms/{realm}/protocol/openid-connect/token
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
Standard OIDC token endpoint used for delegation token exchange:
|
|
83
|
+
- `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`
|
|
84
|
+
- `subject_token=<user access token>`
|
|
85
|
+
- `actor_token=<browser-signed delegation request>`
|
|
86
|
+
- `dpop_approval=<session key approval>`
|
|
87
|
+
- `DPoP` header: server's DPoP proof
|
|
88
|
+
|
|
89
|
+
See `canon/delegation.md` for full flow.
|
|
90
|
+
|
|
91
|
+
---
|
|
92
|
+
|
|
93
|
+
## Bootstrap Endpoints
|
|
94
|
+
|
|
95
|
+
Used during realm initialization. Typically called by the init script, not by app code.
|
|
96
|
+
|
|
97
|
+
### Realm Setup
|
|
98
|
+
|
|
99
|
+
```
|
|
100
|
+
POST /admin/realms/{realm}/vendorResources/setUpTideRealm
|
|
101
|
+
Content-Type: application/x-www-form-urlencoded
|
|
102
|
+
Body: email=admin@yourorg.com
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
Full Tide realm setup: creates IDP, key provider, gets free-tier license. `isRagnarokEnabled` optional (default true). Content-Type MUST be form-encoded, not JSON.
|
|
106
|
+
|
|
107
|
+
### Enable IGA
|
|
108
|
+
|
|
109
|
+
```
|
|
110
|
+
POST /admin/realms/{realm}/tide-admin/toggle-iga
|
|
111
|
+
Content-Type: application/x-www-form-urlencoded
|
|
112
|
+
Body: isIGAEnabled=true
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
Enables IGA governance for the realm. Sets EdDSA signature algorithm, configures Tide protocol mappers.
|
|
116
|
+
|
|
117
|
+
### Sign IDP Settings
|
|
118
|
+
|
|
119
|
+
```
|
|
120
|
+
POST /admin/realms/{realm}/vendorResources/sign-idp-settings
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
Signs all Tide IDP settings with the VRK. Required after any IDP config change (logo, background, admin domain, client origins). Without this, the ORK enclave rejects settings as unsigned.
|
|
124
|
+
|
|
125
|
+
### Admin Invite Link
|
|
126
|
+
|
|
127
|
+
```
|
|
128
|
+
POST /admin/realms/{realm}/tideAdminResources/get-required-action-link
|
|
129
|
+
?userId={id}&redirectUri={uri}&clientId={id}&lifespan=43200
|
|
130
|
+
Body: ["link-tide-account-action"]
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
Generates a link for the admin user to link their Tide account. Time-limited (default 12 hours).
|
|
134
|
+
|
|
135
|
+
---
|
|
136
|
+
|
|
137
|
+
## IGA Change-Set Endpoints
|
|
138
|
+
|
|
139
|
+
Used for multi-admin governance approval flows.
|
|
140
|
+
|
|
141
|
+
### List Pending Changes
|
|
142
|
+
|
|
143
|
+
```
|
|
144
|
+
GET /admin/realms/{realm}/tide-admin/change-set/users/requests
|
|
145
|
+
GET /admin/realms/{realm}/tide-admin/change-set/roles/requests
|
|
146
|
+
GET /admin/realms/{realm}/tide-admin/change-set/clients/requests
|
|
147
|
+
GET /admin/realms/{realm}/tide-admin/change-set/groups/requests
|
|
148
|
+
GET /admin/realms/{realm}/tide-admin/change-set/all/requests
|
|
149
|
+
GET /admin/realms/{realm}/tide-admin/change-set/counts
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
### Sign and Commit
|
|
153
|
+
|
|
154
|
+
```
|
|
155
|
+
POST /admin/realms/{realm}/tide-admin/change-set/sign
|
|
156
|
+
Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
|
|
157
|
+
|
|
158
|
+
POST /admin/realms/{realm}/tide-admin/change-set/commit
|
|
159
|
+
Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
|
|
160
|
+
```
|
|
161
|
+
|
|
162
|
+
Batch variants: `/sign/batch` and `/commit/batch` with `{ "changeSets": [...] }`.
|
|
163
|
+
|
|
164
|
+
### Cancel
|
|
165
|
+
|
|
166
|
+
```
|
|
167
|
+
POST /admin/realms/{realm}/tide-admin/change-set/cancel
|
|
168
|
+
Body: { "changeSetId": "...", "changeSetType": "...", "actionType": "..." }
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
### Approve/Reject (multi-admin)
|
|
172
|
+
|
|
173
|
+
```
|
|
174
|
+
POST /admin/realms/{realm}/tideAdminResources/add-review
|
|
175
|
+
Content-Type: multipart/form-data
|
|
176
|
+
Fields: changeSetId, changeSetType, actionType, requests
|
|
177
|
+
|
|
178
|
+
POST /admin/realms/{realm}/tide-admin/add-rejection
|
|
179
|
+
Content-Type: multipart/form-data
|
|
180
|
+
Fields: changeSetId, actionType, changeSetType
|
|
181
|
+
```
|
|
182
|
+
|
|
183
|
+
Note: `add-review` and `add-rejection` use `multipart/form-data`. All other change-set endpoints use JSON.
|
|
184
|
+
|
|
185
|
+
### Activity and Comments
|
|
186
|
+
|
|
187
|
+
```
|
|
188
|
+
GET /admin/realms/{realm}/tide-admin/change-set/{id}/activity
|
|
189
|
+
POST /admin/realms/{realm}/tide-admin/change-set/{id}/comments
|
|
190
|
+
Body: { "comment": "..." }
|
|
191
|
+
```
|
|
192
|
+
|
|
193
|
+
---
|
|
194
|
+
|
|
195
|
+
## Policy and Contract Endpoints
|
|
196
|
+
|
|
197
|
+
### Policy Templates
|
|
198
|
+
|
|
199
|
+
```
|
|
200
|
+
POST /admin/realms/{realm}/tide-admin/policy-templates
|
|
201
|
+
GET /admin/realms/{realm}/tide-admin/policy-templates
|
|
202
|
+
PUT /admin/realms/{realm}/tide-admin/policy-templates/{id}
|
|
203
|
+
DELETE /admin/realms/{realm}/tide-admin/policy-templates/{id}
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
Body: `{ name, description, contractCode, modelId, parameters }`
|
|
207
|
+
|
|
208
|
+
### Realm Policy
|
|
209
|
+
|
|
210
|
+
```
|
|
211
|
+
GET /admin/realms/{realm}/tide-admin/realm-policy
|
|
212
|
+
POST /admin/realms/{realm}/tide-admin/realm-policy/pending
|
|
213
|
+
POST /admin/realms/{realm}/tide-admin/realm-policy/commit
|
|
214
|
+
POST /admin/realms/{realm}/tide-admin/realm-policy/request-delete
|
|
215
|
+
POST /admin/realms/{realm}/tide-admin/realm-policy/commit-delete
|
|
216
|
+
DELETE /admin/realms/{realm}/tide-admin/realm-policy
|
|
217
|
+
```
|
|
218
|
+
|
|
219
|
+
### SSH Policies (per-role)
|
|
220
|
+
|
|
221
|
+
```
|
|
222
|
+
PUT /admin/realms/{realm}/tide-admin/ssh-policies
|
|
223
|
+
GET /admin/realms/{realm}/tide-admin/ssh-policies
|
|
224
|
+
DELETE /admin/realms/{realm}/tide-admin/ssh-policies?roleId={id}
|
|
225
|
+
```
|
|
226
|
+
|
|
227
|
+
Body: `{ roleId, contractCode, approvalType, executionType, threshold, policyData }`
|
|
228
|
+
|
|
229
|
+
### Forseti Contracts
|
|
230
|
+
|
|
231
|
+
```
|
|
232
|
+
PUT /admin/realms/{realm}/tide-admin/forseti-contracts
|
|
233
|
+
GET /admin/realms/{realm}/tide-admin/forseti-contracts
|
|
234
|
+
```
|
|
235
|
+
|
|
236
|
+
Body: `{ contractCode, name }`
|
|
237
|
+
|
|
238
|
+
### Role Init Cert
|
|
239
|
+
|
|
240
|
+
```
|
|
241
|
+
POST /admin/realms/{realm}/tide-admin/role-policy/{roleId}/init-cert
|
|
242
|
+
Body: { initCert, initCertSig }
|
|
243
|
+
```
|
|
244
|
+
|
|
245
|
+
---
|
|
246
|
+
|
|
247
|
+
## VRK and Licensing Endpoints
|
|
248
|
+
|
|
249
|
+
Infrastructure-level. Used during initial setup and license rotation.
|
|
250
|
+
|
|
251
|
+
```
|
|
252
|
+
POST /admin/realms/{realm}/vendorResources/generate-initial-key
|
|
253
|
+
POST /admin/realms/{realm}/vendorResources/generate-initial-vrk-v1
|
|
254
|
+
POST /admin/realms/{realm}/vendorResources/confirm-initial-vrk
|
|
255
|
+
POST /admin/realms/{realm}/vendorResources/rotate-vrk
|
|
256
|
+
POST /admin/realms/{realm}/vendorResources/switch-vrk
|
|
257
|
+
POST /admin/realms/{realm}/vendorResources/requestFreeTierLicense
|
|
258
|
+
GET /admin/realms/{realm}/vendorResources/isPendingLicenseActive
|
|
259
|
+
GET /admin/realms/{realm}/vendorResources/getLicenseDetails
|
|
260
|
+
GET /admin/realms/{realm}/vendorResources/licenseHistory
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
---
|
|
264
|
+
|
|
265
|
+
## Utility Endpoints
|
|
266
|
+
|
|
267
|
+
```
|
|
268
|
+
POST /admin/realms/{realm}/vendorResources/sign-message
|
|
269
|
+
FormParam: data
|
|
270
|
+
|
|
271
|
+
GET /admin/realms/{realm}/vendorResources/get-tide-jwk
|
|
272
|
+
|
|
273
|
+
POST /admin/realms/{realm}/tide-admin/generate-default-user-context
|
|
274
|
+
Body: [clientId1, clientId2, ...]
|
|
275
|
+
|
|
276
|
+
POST /admin/realms/{realm}/tide-admin/what-if-token
|
|
277
|
+
Body: { changeSetType, actionType, userId, clientId }
|
|
278
|
+
|
|
279
|
+
GET /admin/realms/{realm}/tide-admin/user-context/{userId}/{clientId}
|
|
280
|
+
GET /admin/realms/{realm}/tide-admin/change-set/{changeSetId}/user-context
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
---
|
|
284
|
+
|
|
285
|
+
## Branding Endpoints
|
|
286
|
+
|
|
287
|
+
```
|
|
288
|
+
POST /admin/realms/{realm}/tide-idp-admin-resources/images/upload
|
|
289
|
+
Multipart: fileData, fileName, fileType
|
|
290
|
+
|
|
291
|
+
DELETE /admin/realms/{realm}/tide-idp-admin-resources/images/{type}/delete
|
|
292
|
+
GET /admin/realms/{realm}/tide-idp-admin-resources/images/{type}/name
|
|
293
|
+
GET /realms/{realm}/tide-idp-resources/images/{type}
|
|
294
|
+
```
|