Skip to main content

OAuth IdP

The OAuth IdP screen lets you configure Kuroco to act as an OAuth 2.0 / OpenID Connect identity provider (IdP). You can issue authorization codes and access tokens to external OAuth clients (including MCP clients). Each OAuth IdP setting can have multiple OAuth IdP clients registered under it.

OAuth IdP list

Accessing the screen

In the left sidebar menu, under "SETTINGS", click [External system integration] -> [OAuth IdP].

Field descriptions

FieldDescription
EnabledStatus of the OAuth IdP.
Image (fetched from Gyazo): Enabled
Image (fetched from Gyazo): Disabled
NameName of the OAuth IdP. Click it to open the editor.
Target DomainThe target domain (purpose) of this IdP: one of API / Management / AdminMCP.
OAuth IdP ClientClick [Manage Clients] to open the list of clients bound to this IdP.
Updated onDate and time of the last update.

On the list screen, you can enable, disable, or delete the IdPs selected with the checkboxes in bulk.

OAuth IdP editor

Accessing the screen

In the left sidebar menu, under "SETTINGS", click [External system integration] -> [OAuth IdP]. To create a new IdP, click [Add] at the top right of the list screen. To edit an existing setting, click the [Name] of the IdP you want to edit on the list screen.

Item descriptions

OAuth IdP editor

ItemDescription
NameName of the OAuth IdP. (Required)
Target DomainPurpose of this IdP.
API: member-facing IdP.
Management: admin-facing IdP.
AdminMCP: admin-facing IdP whose tokens are bound to the Admin MCP resource.
(Required)
Note: The target domain cannot be changed after creation. The editor shows a [Can't edit] badge. Changing it would desync the stored allowed scopes, grant types, and resource binding.
Client ID Metadata Documents (URL client IDs)When enabled, an HTTPS URL is accepted as client_id and the client metadata is fetched from that URL. The metadata (such as the app name) is self-declared by the client and is not verified; the consent screen shows the URL as the trust anchor.
Supported Grant TypesCheck the OAuth grant types this IdP supports (at least one required).
authorization_code: authorization code flow.
refresh_token: reissue via refresh token.
client_credentials: token issuance via client credentials.
By default, authorization_code and refresh_token are selected.
Allowed ScopesCheck the scopes this IdP is allowed to issue (the upper bound a client may request). Only the selected scopes can be assigned to clients and granted in tokens. Be sure to select the scopes you intend to use — if none are selected, no scope can be assigned to a client. The available scopes depend on the target domain (see Scope list).
OAuth IdP ClientClick [Manage Clients] to open the list of clients bound to this IdP. (Shown only for saved IdPs.)
API endpointLists the API endpoints whose MCP server is bound to this IdP. Click an API to open its editor. (Shown only for a saved IdP with target domain API.)
Access Token TTLLifetime of the access token, in seconds (minimum 60). Default is 3600 seconds.
Refresh Token TTLLifetime of the refresh token, in seconds (minimum 60). Default is 2592000 seconds.
Authorization Code TTLLifetime of the authorization code, in seconds (minimum 10). Default is 60 seconds.
SortDisplay order in the list, as a number.
EnabledCheck to enable this setting.
Login Page URLFor target domain API, the path of the login page used for sign-in (e.g. /login/). (Required when the target domain is API.)
For Management / AdminMCP, this field is hidden and the admin panel login URL is used automatically.
Issuer URLIssuer URL of this IdP (read-only). Shown only for saved IdPs.
Metadata URLURL of this IdP's metadata (Authorization Server Metadata) (read-only). Shown only for saved IdPs.

Actions

ButtonDescription
UpdateSave the entered content.
DeleteDelete the OAuth IdP setting shown.

Scope list

The scopes available under "Allowed Scopes" depend on the target domain.

Target DomainAvailable scopes
APISign-in scopes (openid / profile / email), plus API read access (api:read) and API write access (api:write)
ManagementSign-in scopes only (openid / profile / email)
AdminMCPSign-in scopes, plus the Admin MCP capability level and resource (module / content) scopes

Admin MCP capability levels

When the target domain is AdminMCP, select one Admin MCP capability level from the following.

Capability levelScopeDescription
Read-onlymcp:tools.readCan use read tools.
Read & writemcp:tools.writeCan use read and write tools.
Full accessmcp:adminIncludes all operations such as token generation, and bypasses content/module restrictions.

When "Read-only" or "Read & write" is selected, choose at least one target content or module. To target everything, select "All modules (including ones added later)" or "All content (including ones added later)". When "Full access" is selected, content/module restrictions are bypassed, so these selections are hidden.

caution

Only one IdP with target domain Management and one with AdminMCP can be enabled site-wide at a time, because each resource server resolves exactly one enabled setting. (API may have several, since each MCP-enabled API binds to one IdP individually.)

OAuth IdP Client

Multiple clients can be registered under one OAuth IdP. A client holds the OAuth IdP client ID, secret, redirect URIs, scopes, and so on.

OAuth IdP client list

Accessing the screen

Click [Manage Clients] from the OAuth IdP list screen or the OAuth IdP editor.

Field descriptions

FieldDescription
EnabledStatus of the client.
Image (fetched from Gyazo): Enabled
Image (fetched from Gyazo): Disabled
Client NameName of the client. Click it to open the editor.
Client IDThe client ID.
Token Endpoint Auth MethodThe token endpoint authentication method of the client.
Updated onDate and time of the last update.

OAuth IdP client editor

Accessing the screen

Click [Add] at the top right of the client list screen to create a new client. To edit an existing client, click the [Client Name] on the list screen.

Item descriptions

ItemDescription
Client NameName of the client. (Required)
Client IDThe client ID issued after saving (read-only).
EnabledCheck to enable this client.
Token Endpoint Auth MethodAuthentication method of the client. (Required)
none: public client (PKCE only).
client_secret_basic: sends the client secret in the Basic authentication header.
client_secret_post: sends the client secret in the request body.
Client SecretCheck [Regenerate client secret on save] to generate a new secret on save and show it once on screen. The previous secret is invalidated. (Shown only when editing an existing client.)
Redirect URIsEnter one allowed redirect URI per line. (Required)
Common MCP client callbacks:
https://claude.ai/api/mcp/auth_callback
https://chatgpt.com/connector_platform_oauth_redirect
Service member IDMember ID used as the token subject for client_credentials access tokens. The same permission check as token generation is applied on save. (Shown only when the parent IdP enables client_credentials.)
Allowed ScopesUse the tabs on the left to switch between [Supported Grant Types] and each scope group.
Under [Supported Grant Types], check the grant types this client uses (at least one required). Grant types disabled at the parent IdP are shown as [disabled at IdP level] and cannot be selected.
In each scope group, select the scopes to assign to this client. The selectable scopes are limited to the range allowed by the parent IdP's [Allowed Scopes].

When a new client secret is generated on save, the secret is shown at the top of the screen with the following message.

This client secret is shown only once. Copy and store it securely now — it cannot be retrieved later.

caution

The client secret is shown only once, on save. It cannot be retrieved later, so copy and store it securely when it is shown.

caution

API / MCP clients require at least one access scope. Identity-only scopes (such as openid) cannot reach the API / MCP.

Notes

  • The target domain cannot be changed after the IdP is created. To change the target domain, create a new IdP.
  • Only one IdP with target domain Management and one with AdminMCP can be enabled site-wide at a time.
  • The scopes and grant types assignable to a client are capped by the range allowed at the parent IdP. Scopes and grant types not allowed at the IdP cannot be selected on the client.
  • The client secret is shown only once on save and cannot be retrieved later.

Support

If you have any other questions, please contact us or check out Our Slack Community.