@tideorg/mcp 1.4.1 → 1.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +81 -0
- package/GAP_REGISTER.md +19 -9
- package/PRIVACY.md +41 -0
- package/README.md +204 -120
- package/adapters/AGENTS.md +3 -2
- package/adapters/CLAUDE.md +1 -1
- package/adapters/replit.md +0 -0
- package/canon/anti-patterns.md +55 -62
- package/canon/concepts.md +46 -34
- package/canon/custom-contracts.md +12 -8
- package/canon/feature-mapping.md +27 -75
- package/canon/framework-matrix.md +69 -22
- package/canon/hosting-options.md +111 -0
- package/canon/iga-change-requests-api.md +211 -0
- package/canon/invariants.md +33 -35
- package/canon/redirect-handler.md +0 -0
- package/canon/security-gap-mapping.md +506 -0
- package/canon/security-runtime-probes.md +177 -0
- package/canon/tidecloak-bootstrap.md +84 -15
- package/canon/tidecloak-endpoints.md +60 -98
- package/canon/troubleshooting.md +201 -53
- package/canon/version-policy.md +8 -12
- package/mcp-server/dist/http.d.ts +2 -0
- package/mcp-server/dist/http.js +46 -0
- package/mcp-server/dist/index.d.ts +0 -0
- package/mcp-server/dist/index.js +2 -601
- package/mcp-server/dist/server.d.ts +2 -0
- package/mcp-server/dist/server.js +617 -0
- package/package.json +48 -45
- package/playbooks/add-auth-nextjs-existing.md +33 -17
- package/playbooks/add-auth-nextjs-fresh.md +1 -1
- package/playbooks/add-rbac-nextjs.md +7 -2
- package/playbooks/bootstrap-realm-from-template.md +33 -18
- package/playbooks/configure-e2ee-roles-and-policies.md +0 -0
- package/playbooks/deploy-tidecloak-docker.md +31 -28
- package/playbooks/diagnose-broken-login.md +0 -0
- package/playbooks/diagnose-missing-roles-or-claims.md +2 -2
- package/playbooks/initialize-admin-and-link-account.md +22 -19
- package/playbooks/migrate-from-existing-auth.md +0 -0
- package/playbooks/protect-api-nextjs.md +40 -1
- package/playbooks/protect-aspnet-core-asgard.md +313 -0
- package/playbooks/protect-routes-nextjs.md +24 -10
- package/playbooks/provision-tidecloak-skycloak.md +213 -0
- package/playbooks/setup-forseti-e2ee.md +32 -50
- package/playbooks/setup-iga-admin-panel.md +113 -171
- package/playbooks/start-tidecloak-dev.md +0 -0
- package/playbooks/verify-jwt-server-side.md +20 -1
- package/prompts/add-admin-approval-flow.md +0 -0
- package/prompts/build-private-customer-portal.md +1 -1
- package/prompts/migrate-generic-auth-to-tide.md +0 -0
- package/prompts/secure-existing-app.md +0 -0
- package/prompts/security-gap-analysis.md +55 -0
- package/reference-apps/INDEX.md +0 -0
- package/reference-apps/encrypted-communication/anti-patterns.md +3 -3
- package/reference-apps/encrypted-communication/bootstrap-sequence.md +2 -2
- package/reference-apps/encrypted-communication/manifest.yaml +0 -0
- package/reference-apps/encrypted-communication/role-policy-matrix.md +0 -0
- package/reference-apps/encrypted-communication/scenario.md +2 -2
- package/reference-apps/git-pr-signing-service/anti-patterns.md +0 -0
- package/reference-apps/git-pr-signing-service/bootstrap-sequence.md +8 -8
- package/reference-apps/git-pr-signing-service/manifest.yaml +0 -0
- package/reference-apps/git-pr-signing-service/role-policy-matrix.md +0 -0
- package/reference-apps/git-pr-signing-service/scenario.md +0 -0
- package/reference-apps/iga-admin-governance/anti-patterns.md +18 -16
- package/reference-apps/iga-admin-governance/bootstrap-sequence.md +10 -5
- package/reference-apps/iga-admin-governance/manifest.yaml +0 -0
- package/reference-apps/iga-admin-governance/role-policy-matrix.md +12 -13
- package/reference-apps/iga-admin-governance/scenario.md +15 -13
- package/reference-apps/organisation-password-manager/anti-patterns.md +0 -0
- package/reference-apps/organisation-password-manager/bootstrap-sequence.md +5 -6
- package/reference-apps/organisation-password-manager/manifest.yaml +0 -0
- package/reference-apps/organisation-password-manager/role-policy-matrix.md +0 -0
- package/reference-apps/organisation-password-manager/scenario.md +0 -0
- package/reference-apps/policy-governed-signing/anti-patterns.md +0 -0
- package/reference-apps/policy-governed-signing/bootstrap-sequence.md +9 -9
- package/reference-apps/policy-governed-signing/manifest.yaml +0 -0
- package/reference-apps/policy-governed-signing/role-policy-matrix.md +0 -0
- package/reference-apps/policy-governed-signing/scenario.md +0 -0
- package/skills/tide-diagnostics/SKILL.md +1 -1
- package/skills/tide-integration/SKILL.md +9 -18
- package/skills/tide-learning-capture/SKILL.md +0 -0
- package/skills/tide-mcp-qa/SKILL.md +139 -0
- package/skills/tide-rbac-and-e2ee/SKILL.md +5 -5
- package/skills/tide-reviewer/SKILL.md +1 -1
- package/skills/tide-route-and-api-protection/SKILL.md +0 -0
- package/skills/tide-scenario-resolver/SKILL.md +0 -0
- package/skills/tide-security-analyst/SKILL.md +182 -0
- package/skills/tide-setup/SKILL.md +1 -1
- package/skills/tide-solutions-architect/SKILL.md +0 -0
- package/canon/delegation.md +0 -195
- package/playbooks/setup-server-delegation.md +0 -142
|
@@ -1,142 +0,0 @@
|
|
|
1
|
-
# Setup Server-Side Delegation
|
|
2
|
-
|
|
3
|
-
For apps where the backend needs to call TideCloak admin APIs on behalf of authenticated users.
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## When to Use
|
|
8
|
-
|
|
9
|
-
- Your server manages users, roles, or policies via TideCloak admin API
|
|
10
|
-
- You need server-side role management or access approvals
|
|
11
|
-
- You want to avoid using master admin credentials from your server
|
|
12
|
-
|
|
13
|
-
---
|
|
14
|
-
|
|
15
|
-
## Prerequisites
|
|
16
|
-
|
|
17
|
-
- TideCloak bootstrapped and running
|
|
18
|
-
- `tidecloak.json` exported with `jwk`, `vendorId`, `homeOrkUrl`
|
|
19
|
-
- App has working Tide login (provider wired, DPoP enabled)
|
|
20
|
-
- Node.js 18+ on the server (Ed25519 support)
|
|
21
|
-
|
|
22
|
-
---
|
|
23
|
-
|
|
24
|
-
## Steps
|
|
25
|
-
|
|
26
|
-
### 1. Install server SDK
|
|
27
|
-
|
|
28
|
-
```bash
|
|
29
|
-
npm install @tidecloak/server
|
|
30
|
-
```
|
|
31
|
-
|
|
32
|
-
### 2. Create delegation instance
|
|
33
|
-
|
|
34
|
-
```ts
|
|
35
|
-
// server/lib/delegation.ts
|
|
36
|
-
import { TideDelegation } from '@tidecloak/server';
|
|
37
|
-
|
|
38
|
-
let _delegation: TideDelegation | null = null;
|
|
39
|
-
|
|
40
|
-
export function getDelegation(): TideDelegation {
|
|
41
|
-
if (!_delegation) {
|
|
42
|
-
_delegation = new TideDelegation({
|
|
43
|
-
tidecloakUrl: process.env.TIDECLOAK_URL || config['auth-server-url'],
|
|
44
|
-
realm: process.env.TIDECLOAK_REALM || config.realm,
|
|
45
|
-
clientId: process.env.TIDECLOAK_CLIENT_ID || config.resource,
|
|
46
|
-
});
|
|
47
|
-
}
|
|
48
|
-
return _delegation;
|
|
49
|
-
}
|
|
50
|
-
```
|
|
51
|
-
|
|
52
|
-
Use a lazy singleton. Do not create a new instance per request.
|
|
53
|
-
|
|
54
|
-
### 3. Wire delegation exchange endpoint
|
|
55
|
-
|
|
56
|
-
```ts
|
|
57
|
-
app.post('/api/delegation', authenticate, getDelegation().handleDelegation());
|
|
58
|
-
```
|
|
59
|
-
|
|
60
|
-
This endpoint receives signed delegation artifacts from the browser and exchanges them with TideCloak for a delegation token.
|
|
61
|
-
|
|
62
|
-
### 4. Add delegation middleware to admin routes
|
|
63
|
-
|
|
64
|
-
```ts
|
|
65
|
-
app.get('/api/admin/users',
|
|
66
|
-
authenticate,
|
|
67
|
-
requireAdmin,
|
|
68
|
-
getDelegation().requireDelegation(),
|
|
69
|
-
async (req, res) => {
|
|
70
|
-
const adminUrl = `${tidecloakUrl}/admin/realms/${realm}`;
|
|
71
|
-
const users = await req.delegation.fetch(`${adminUrl}/users`);
|
|
72
|
-
res.json(users);
|
|
73
|
-
}
|
|
74
|
-
);
|
|
75
|
-
```
|
|
76
|
-
|
|
77
|
-
The middleware:
|
|
78
|
-
- Checks if a cached delegation token exists for this user session
|
|
79
|
-
- If yes: attaches `req.delegation` with `token` and `fetch()` helper
|
|
80
|
-
- If no: responds 419 with a delegation challenge
|
|
81
|
-
|
|
82
|
-
### 5. Wrap browser fetch with createTideFetch
|
|
83
|
-
|
|
84
|
-
```ts
|
|
85
|
-
import { createTideFetch } from '@tidecloak/js';
|
|
86
|
-
|
|
87
|
-
// Wrap the app's fetch function
|
|
88
|
-
const appFetch = createTideFetch(window.fetch);
|
|
89
|
-
|
|
90
|
-
// Use appFetch for all server calls that may need delegation
|
|
91
|
-
const users = await appFetch('/api/admin/users');
|
|
92
|
-
```
|
|
93
|
-
|
|
94
|
-
`createTideFetch` intercepts 419 responses, handles the delegation signing flow with the browser's DPoP key, and retries the original request.
|
|
95
|
-
|
|
96
|
-
### 6. Optional: scope delegation roles
|
|
97
|
-
|
|
98
|
-
```ts
|
|
99
|
-
// Only include specific roles in the delegation token
|
|
100
|
-
getDelegation().requireDelegation({
|
|
101
|
-
roles: {
|
|
102
|
-
realm: ['admin'],
|
|
103
|
-
clients: { 'my-app': ['manage-users'] }
|
|
104
|
-
}
|
|
105
|
-
})
|
|
106
|
-
```
|
|
107
|
-
|
|
108
|
-
If `roles` is specified, only listed roles appear in the delegation token. Unlisted realms/clients are stripped. Cannot add roles the user does not have.
|
|
109
|
-
|
|
110
|
-
---
|
|
111
|
-
|
|
112
|
-
## Verification
|
|
113
|
-
|
|
114
|
-
- [ ] `@tidecloak/server` in server package.json
|
|
115
|
-
- [ ] `/api/delegation` POST route wired with `handleDelegation()`
|
|
116
|
-
- [ ] Admin routes use `requireDelegation()` middleware
|
|
117
|
-
- [ ] Browser uses `createTideFetch` wrapper
|
|
118
|
-
- [ ] Admin API calls succeed: user list, role management, etc.
|
|
119
|
-
- [ ] 419 responses are handled transparently (no user-visible interruption)
|
|
120
|
-
- [ ] Delegation token is cached (no 419 on every request)
|
|
121
|
-
|
|
122
|
-
---
|
|
123
|
-
|
|
124
|
-
## Troubleshooting
|
|
125
|
-
|
|
126
|
-
**Repeated 419 responses**
|
|
127
|
-
Check that `/api/delegation` is wired correctly and the `authenticate` middleware sets `req.accessToken`.
|
|
128
|
-
|
|
129
|
-
**"No pending delegation challenge"**
|
|
130
|
-
Server restarted between 419 and delegation POST. Browser retries automatically.
|
|
131
|
-
|
|
132
|
-
**"Delegation exchange failed"**
|
|
133
|
-
Check TideCloak has `tide-chain-of-trust` client authenticator enabled and `DelegationToken:1` in VRK model whitelist. A VRK rotation is needed after adding the model ID.
|
|
134
|
-
|
|
135
|
-
**"DPoP is not initialized"**
|
|
136
|
-
`signDelegationRequest` needs the DPoP provider. Ensure `useDPoP` is in the TideCloakProvider config object.
|
|
137
|
-
|
|
138
|
-
**Delegation token has wrong roles**
|
|
139
|
-
If using scoped delegation, everything not listed is excluded. Omit `roles` for full permissions.
|
|
140
|
-
|
|
141
|
-
**Admin API returns 403**
|
|
142
|
-
The user does not have the required role (e.g., `tide-realm-admin` on `realm-management`). Delegation can only use roles the user already has.
|