OAuth IdP
The OAuth IdP screen lets you configure Kuroco to act as an OAuth 2.0 / OpenID Connect identity provider (IdP). You can issue authorization codes and access tokens to external OAuth clients (including MCP clients). Each OAuth IdP setting can have multiple OAuth IdP clients registered under it.
OAuth IdP list
Accessing the screen
In the left sidebar menu, under "SETTINGS", click [External system integration] -> [OAuth IdP].
Field descriptions
| Field | Description |
|---|---|
| Enabled | Status of the OAuth IdP. : Enabled : Disabled |
| Name | Name of the OAuth IdP. Click it to open the editor. |
| Target Domain | The target domain (purpose) of this IdP: one of API / Management / AdminMCP. |
| OAuth IdP Client | Click [Manage Clients] to open the list of clients bound to this IdP. |
| Updated on | Date and time of the last update. |
On the list screen, you can enable, disable, or delete the IdPs selected with the checkboxes in bulk.
OAuth IdP editor
Accessing the screen
In the left sidebar menu, under "SETTINGS", click [External system integration] -> [OAuth IdP]. To create a new IdP, click [Add] at the top right of the list screen. To edit an existing setting, click the [Name] of the IdP you want to edit on the list screen.
Item descriptions
OAuth IdP editor
| Item | Description |
|---|---|
| Name | Name of the OAuth IdP. (Required) |
| Target Domain | Purpose of this IdP.API: member-facing IdP.Management: admin-facing IdP.AdminMCP: admin-facing IdP whose tokens are bound to the Admin MCP resource.(Required) Note: The target domain cannot be changed after creation. The editor shows a [Can't edit] badge. Changing it would desync the stored allowed scopes, grant types, and resource binding. |
| Client ID Metadata Documents (URL client IDs) | When enabled, an HTTPS URL is accepted as client_id and the client metadata is fetched from that URL. The metadata (such as the app name) is self-declared by the client and is not verified; the consent screen shows the URL as the trust anchor. |
| Supported Grant Types | Check the OAuth grant types this IdP supports (at least one required).authorization_code: authorization code flow.refresh_token: reissue via refresh token.client_credentials: token issuance via client credentials.By default, authorization_code and refresh_token are selected. |
| Allowed Scopes | Check the scopes this IdP is allowed to issue (the upper bound a client may request). Only the selected scopes can be assigned to clients and granted in tokens. Be sure to select the scopes you intend to use — if none are selected, no scope can be assigned to a client. The available scopes depend on the target domain (see Scope list). |
| OAuth IdP Client | Click [Manage Clients] to open the list of clients bound to this IdP. (Shown only for saved IdPs.) |
| API endpoint | Lists the API endpoints whose MCP server is bound to this IdP. Click an API to open its editor. (Shown only for a saved IdP with target domain API.) |
| Access Token TTL | Lifetime of the access token, in seconds (minimum 60). Default is 3600 seconds. |
| Refresh Token TTL | Lifetime of the refresh token, in seconds (minimum 60). Default is 2592000 seconds. |
| Authorization Code TTL | Lifetime of the authorization code, in seconds (minimum 10). Default is 60 seconds. |
| Sort | Display order in the list, as a number. |
| Enabled | Check to enable this setting. |
| Login Page URL | For target domain API, the path of the login page used for sign-in (e.g. /login/). (Required when the target domain is API.)For Management / AdminMCP, this field is hidden and the admin panel login URL is used automatically. |
| Issuer URL | Issuer URL of this IdP (read-only). Shown only for saved IdPs. |
| Metadata URL | URL of this IdP's metadata (Authorization Server Metadata) (read-only). Shown only for saved IdPs. |
Actions
| Button | Description |
|---|---|
| Update | Save the entered content. |
| Delete | Delete the OAuth IdP setting shown. |
Scope list
The scopes available under "Allowed Scopes" depend on the target domain.
| Target Domain | Available scopes |
|---|---|
API | Sign-in scopes (openid / profile / email), plus API read access (api:read) and API write access (api:write) |
Management | Sign-in scopes only (openid / profile / email) |
AdminMCP | Sign-in scopes, plus the Admin MCP capability level and resource (module / content) scopes |
Admin MCP capability levels
When the target domain is AdminMCP, select one Admin MCP capability level from the following.
| Capability level | Scope | Description |
|---|---|---|
| Read-only | mcp:tools.read | Can use read tools. |
| Read & write | mcp:tools.write | Can use read and write tools. |
| Full access | mcp:admin | Includes all operations such as token generation, and bypasses content/module restrictions. |
When "Read-only" or "Read & write" is selected, choose at least one target content or module. To target everything, select "All modules (including ones added later)" or "All content (including ones added later)". When "Full access" is selected, content/module restrictions are bypassed, so these selections are hidden.
Only one IdP with target domain Management and one with AdminMCP can be enabled site-wide at a time, because each resource server resolves exactly one enabled setting. (API may have several, since each MCP-enabled API binds to one IdP individually.)
OAuth IdP Client
Multiple clients can be registered under one OAuth IdP. A client holds the OAuth IdP client ID, secret, redirect URIs, scopes, and so on.
OAuth IdP client list
Accessing the screen
Click [Manage Clients] from the OAuth IdP list screen or the OAuth IdP editor.
Field descriptions
| Field | Description |
|---|---|
| Enabled | Status of the client. : Enabled : Disabled |
| Client Name | Name of the client. Click it to open the editor. |
| Client ID | The client ID. |
| Token Endpoint Auth Method | The token endpoint authentication method of the client. |
| Updated on | Date and time of the last update. |
OAuth IdP client editor
Accessing the screen
Click [Add] at the top right of the client list screen to create a new client. To edit an existing client, click the [Client Name] on the list screen.
Item descriptions
| Item | Description |
|---|---|
| Client Name | Name of the client. (Required) |
| Client ID | The client ID issued after saving (read-only). |
| Enabled | Check to enable this client. |
| Token Endpoint Auth Method | Authentication method of the client. (Required)none: public client (PKCE only).client_secret_basic: sends the client secret in the Basic authentication header.client_secret_post: sends the client secret in the request body. |
| Client Secret | Check [Regenerate client secret on save] to generate a new secret on save and show it once on screen. The previous secret is invalidated. (Shown only when editing an existing client.) |
| Redirect URIs | Enter one allowed redirect URI per line. (Required) Common MCP client callbacks: https://claude.ai/api/mcp/auth_callbackhttps://chatgpt.com/connector_platform_oauth_redirect |
| Service member ID | Member ID used as the token subject for client_credentials access tokens. The same permission check as token generation is applied on save. (Shown only when the parent IdP enables client_credentials.) |
| Allowed Scopes | Use the tabs on the left to switch between [Supported Grant Types] and each scope group. Under [Supported Grant Types], check the grant types this client uses (at least one required). Grant types disabled at the parent IdP are shown as [disabled at IdP level] and cannot be selected. In each scope group, select the scopes to assign to this client. The selectable scopes are limited to the range allowed by the parent IdP's [Allowed Scopes]. |
When a new client secret is generated on save, the secret is shown at the top of the screen with the following message.
This client secret is shown only once. Copy and store it securely now — it cannot be retrieved later.
The client secret is shown only once, on save. It cannot be retrieved later, so copy and store it securely when it is shown.
API / MCP clients require at least one access scope. Identity-only scopes (such as openid) cannot reach the API / MCP.
Notes
- The target domain cannot be changed after the IdP is created. To change the target domain, create a new IdP.
- Only one IdP with target domain
Managementand one withAdminMCPcan be enabled site-wide at a time. - The scopes and grant types assignable to a client are capped by the range allowed at the parent IdP. Scopes and grant types not allowed at the IdP cannot be selected on the client.
- The client secret is shown only once on save and cannot be retrieved later.
Related documents
Support
If you have any other questions, please contact us or check out Our Slack Community.
: Enabled
: Disabled