Bug Summary
Using Keycloak auth manager:
https://keycloak-app.****.cld.*****.net/realms/mcpgateway/protocol/openid-connect/auth
https://keycloak-app.****.cld.*****.net/realms/mcpgateway/protocol/openid-connect/token
scopes: openid email profile
https://github.com/IBM/mcp-context-forge/issues/3304
https://github.com/IBM/mcp-context-forge/pull/3319
- We fixed the above issues relating to the above-mentioned ticket. Now, without a bearer token, it will not allow an initial connection to virtual servers. After the fix, it's not allowing LibreChat to connect without a bearer token.
- Now it's not connecting with Cursor.
Affected Component
Select the area of the project impacted:
- [YES] mcpgateway - API
- [YES] Federation or Transports
Steps to Reproduce
- Create a virtual server with a couple of MCP tools
- Add your OAuth credential using RFC 9728
- Add the URL in the Cursor (mcp.json) file
Expected Behavior
MCP Virtual Server needs to connect with Cursor using the Keycloak manager
Documentation on the setup in Keycloak using RFC 9728 will be helpful
Logs / Error Output
Cursor Logs:
2026-03-08 17:48:52.074 [warning] Error connecting to streamableHttp server, falling back to SSE: Streamable HTTP error: Error POSTing to endpoint:
<!DOCTYPE html>
<html lang="en">
<head>
<base href="/login/">
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="pragma" content="no-cache">
<title>Access Blocked</title>
</head>
<body>
<div class="container">
<div class="logo">
<img src="https://www.*****.com/dtvassets/global/logos/dtv-gnav/GNAV_*****_90x120-1.svg" alt="***** Logo">
</div>
<div class="header">
<img class="icon" src="https://cdn-icons-png.flaticon.com/512/564/564619.png" alt="Blocked Icon">
<h1>This site is currently restricted per ***** security policy.</h1>
</div>
<div class="content">
<p><b>The website you tried to visit is currently restricted as per *****'s cybersecurity policies.</b></p>
<p><strong>This website falls into one or more blocked categories:</strong><br>
- Security threats (e.g., malware, phishing, exploits)<br>
- Inappropriate or non-compliant content<br>
- Not aligned with business use
</p>
<p><strong>Why we block sites:</strong><br>
Protecting our digital environment is critical.
Access controls are in place to help reduce risk, ensure compliance, and maintain the integrity of our systems and data.</p>
<p>If access to this site is essential for your role or project, you may request an exception below.<br>
If access is needed for a <strong>CoPilot or ChatGPT</strong> please use the button below.<br>
If access is need for other GenAI sites, please use the third button below to send an email to the GenAI team.
</p>
</div>
<div class="response">
<p><b>User:</b> my*****\sk8069</p>
<p><b>URL:</b> *****-app.mcp-sf.cld.*****.net/*****/mcp</p>
<p><b>Category:</b> insufficient-content</p>
<div class="btn-wrapper">
<a class="btn" href="https://*****.service-now.com/esc?id=sc_cat_item&sys_id=7bd857fa1b8f5e90fdab9717b04bcbcb" target="_blank">
Raise Exception Request
</a>
<a class="btn" href="https://*****.service-now.com/esc?id=emp_taxonomy_topic&topic_id=cbb753d587e016d4c227b847cebb3505" target="_blank">
CoPilot/ChatGPT Request
</a>
<a class="btn" href="mailto:GenAI@my*****.com?subject=GenAI%20Access%20Request&body=GenAI%20Team,%0D%0APlease%20review%20the%20following%20request%20for%20access%20to%20(insert%20site%20here.)">
Other GenAI Site Request
</a>
</div>
</div>
</div>
</body>
</html>
2026-03-08 17:48:52.074 [info] Connecting to SSE server
2026-03-08 17:48:55.131 [error] Client error for command HTTP 503 trying to load OAuth metadata from http://*****-app.mcp-sf.cld.*****.net/.well-known/oauth-authorization-server
2026-03-08 17:48:55.131 [warning] [V1] initializing -> error: HTTP 503 trying to load OAuth metadata from http://*****-app.mcp-sf.cld.*****.net/.well-known/oauth-authorization-server
2026-03-08 17:48:55.132 [error] Error connecting to SSE server after fallback: HTTP 503 trying to load OAuth metadata from http://*****-app.mcp-sf.cld.*****.net/.well-known/oauth-authorization-server HTTP 503 trying to load OAuth metadata from http://*****-app.mcp-sf.cld.*****.net/.well-known/oauth-authorization-server
Environment Info
You can retrieve most of this from the /version endpoint.
| Key | Value |
| --- | --- |
| Version or commit | 12735ab |
| Runtime | Python 3.12 |
| Platform / OS | EKS |
| Container | Podman |
Additional Context (optional)
Add any configuration details, flags, or related issues.
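Added example (not part of the original issue and not code from mcp-context-forge): a triage helper for the failure in the Cursor log above, where the client received an HTML page and then an HTTP 503 instead of OAuth metadata. It classifies responses from the MCP endpoint and from the RFC 9728 / RFC 8414 well-known URLs; the function names, the `gateway.example` host, the status codes and all sample responses are constructed assumptions.

```python
import json
import re
from urllib.parse import urlsplit

def resource_metadata_url(www_authenticate):
    """Extract the RFC 9728 resource_metadata parameter from a 401 challenge."""
    m = re.search(r'resource_metadata="([^"]+)"', www_authenticate or "")
    return m.group(1) if m else None

def classify(url, status, headers, body):
    """Return (verdict, findings) for one response; header keys are lowercase."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("plain-http URL: metadata can be altered in transit")
    if status == 401:
        if resource_metadata_url(headers.get("www-authenticate")) is None:
            findings.append("401 without resource_metadata: no discovery hint")
        return "auth_challenge", findings
    ctype = headers.get("content-type", "").lower()
    if "html" in ctype or body.lstrip().lower().startswith(("<!doctype", "<html")):
        # A proxy or gateway block page answered instead of the MCP server.
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        name = title.group(1).strip() if title else None
        findings.append("HTML from an intermediary, title=%r" % name)
        return "intercepted", findings
    if status >= 500:
        return "unavailable", findings
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_json", findings
    if not isinstance(doc, dict):
        return "not_json", findings
    if "resource" in doc:  # RFC 9728 protected resource metadata
        return "protected_resource_metadata", findings
    if "issuer" in doc and "token_endpoint" in doc:  # RFC 8414 metadata
        return "authorization_server_metadata", findings
    return "unknown_json", findings

# Constructed sample responses (hypothetical host, not taken from the issue).
BASE = "gateway.example"
PRM = "https://%s/.well-known/oauth-protected-resource" % BASE
SAMPLES = [
    ("https://%s/servers/demo/mcp" % BASE, 403, {"content-type": "text/html"},
     "<!DOCTYPE html><html><head><title>Access Blocked</title></head></html>"),
    ("http://%s/.well-known/oauth-authorization-server" % BASE, 503, {}, ""),
    ("https://%s/servers/demo/mcp" % BASE, 401,
     {"www-authenticate": 'Bearer resource_metadata="%s"' % PRM}, ""),
    (PRM, 200, {"content-type": "application/json"},
     json.dumps({"resource": "https://%s/servers/demo/mcp" % BASE,
                 "authorization_servers": ["https://idp.example/realms/demo"]})),
]

def run_samples():
    return [classify(*sample) for sample in SAMPLES]
```

An `intercepted` verdict means the response came from a network intermediary rather than the gateway, so OAuth configuration on the gateway or in Keycloak is not yet being exercised.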