Generic OIDC (#212)

* (wip): setting up entra-id

* fixing entra id generate token workflow

* m2m auth

* added token gen

* commented out the github env variable

* one server only

* fixing merge conflicts overwrting

* resolving merge conflicts overwrite

* removed from scopes.yml

* updated readme

* added reverted changes to scopes.yml

* added reverted changes to scopes.yml

* added reverted changes to scopes.yml - 1

* committed my_agent.json by mistake

* marking 128 as complete in readme

---------

Co-authored-by: Nisha Deborah Philips <nishdeb@amazon.com>

Author: nishadeborahphilips

.env.example

@@ -30,7 +30,7 @@ AUTH_SERVER_EXTERNAL_URL=https://your-domain.com
 # =============================================================================
 # AUTHENTICATION PROVIDER CONFIGURATION
 # =============================================================================
-# Choose authentication provider: 'cognito' or 'keycloak'
+# Choose authentication provider: 'cognito', 'keycloak', or 'entra'
 AUTH_PROVIDER=keycloak
 
 # =============================================================================
@@ -109,14 +109,42 @@ AWS_REGION=us-east-1
 # Format: {region}_{random_string}
 COGNITO_USER_POOL_ID=us-east-1_XXXXXXXXX
 
-# Cognito App Client ID  
+# Cognito App Client ID
 # Get this from Amazon Cognito console > User Pools > App Integration > App clients
 COGNITO_CLIENT_ID=your_cognito_client_id_here
 
 # Cognito App Client Secret
 # Get this from Amazon Cognito console > User Pools > App Integration > App clients
 COGNITO_CLIENT_SECRET=your_cognito_client_secret_here
 
+# =============================================================================
+# MICROSOFT ENTRA ID CONFIGURATION (if AUTH_PROVIDER=entra)
+# =============================================================================
+
+# Azure AD Tenant ID (Directory/tenant ID from Azure Portal)
+# Format: GUID (e.g., 12345678-1234-1234-1234-123456789012)
+# Get from: Azure Portal → Azure Active Directory → Overview → Tenant ID
+ENTRA_TENANT_ID=your-tenant-id-here
+
+# Entra ID Application (client) ID
+# Format: GUID (e.g., 87654321-4321-4321-4321-210987654321)
+# Get from: Azure Portal → App registrations → Your App → Application (client) ID
+ENTRA_CLIENT_ID=your-client-id-here
+
+# Entra ID Client Secret (Application secret value)
+# Get from: Azure Portal → App registrations → Your App → Certificates & secrets
+# NOTE: Copy the secret VALUE immediately after creation (not the secret ID)
+ENTRA_CLIENT_SECRET=your-client-secret-here
+
+# Enable Entra ID in OAuth2 providers (set to true when using Entra ID)
+ENTRA_ENABLED=false
+
+# Azure AD Group Object IDs for authorization (configured in scopes.yml)
+# Admin Group Example
+ENTRA_GROUP_ADMIN_ID=your-admin-group-object-id-here
+# Users Group Example
+ENTRA_GROUP_USERS_ID=your-users-group-object-id-here
+
 # =============================================================================
 # APPLICATION SECURITY
 # =============================================================================
@@ -170,9 +198,9 @@ DOCKERHUB_TOKEN=your_dockerhub_access_token
 # GITHUB_USERNAME=your_github_username
 # GITHUB_TOKEN=your_github_personal_access_token
 
-# Container registry organization names
-DOCKERHUB_ORG=mcpgateway
-GITHUB_ORG=agentic-community
+# # Container registry organization names
+# DOCKERHUB_ORG=mcpgateway
+# GITHUB_ORG=agentic-community
 
 # =============================================================================
 # EXTERNAL REGISTRY CONFIGURATION

README.md

@@ -130,6 +130,7 @@ Interactive terminal interface for chatting with AI models and discovering MCP t
 ## What's New
 
 - **🔗 Agent-to-Agent (A2A) Protocol Support** - Agents can now register, discover, and communicate with other agents through a secure, centralized registry. Enable autonomous agent ecosystems with Keycloak-based access control and fine-grained permissions. [A2A Guide](docs/a2a.md)
+- **🏢 Microsoft Entra ID Integration** - Enterprise SSO with Microsoft Entra ID (Azure AD) authentication. Group-based access control, conditional access policies, and seamless integration with existing Microsoft 365 environments. [Entra ID Setup Guide](docs/entra-id-setup.md)
 - **🤖 Agentic CLI for MCP Registry** - Talk to the Registry in natural language using a Claude Code-like interface. Discover tools, ask questions, and execute MCP commands conversationally. [Learn more](docs/mcp-registry-cli.md)
 - **💬 Interactive MCP-Registry CLI** - Terminal-based chat interface with AI-powered MCP tool discovery. Supports Amazon Bedrock and Anthropic API. [MCP-Registry CLI](docs/mcp-registry-cli.md)
 - **🔒 MCP Server Security Scanning** - Integrated vulnerability scanning with [Cisco AI Defence MCP Scanner](https://github.com/cisco-ai-defense/mcp-scanner). Automatic security scans during server registration, periodic registry-wide scans with detailed markdown reports, and automatic disabling of servers with security issues.
@@ -551,7 +552,7 @@ The following GitHub issues represent our current development roadmap and planne
 - **[#195 - Add A2A (Agent-to-Agent) Protocol Support to Registry](https://github.com/agentic-community/mcp-gateway-registry/issues/195)** ✅ **COMPLETE**
   Agents can now register, discover, and communicate with other agents through the secure registry. Full implementation includes agent lifecycle management, Keycloak-based access control, fine-grained permissions, comprehensive testing, and documentation. [A2A Guide](docs/a2a.md)
 
-- **[#128 - Add Microsoft Entra ID (Azure AD) Authentication Provider](https://github.com/agentic-community/mcp-gateway-registry/issues/128)** 🚧 **IN PROGRESS**
+- **[#128 - Add Microsoft Entra ID (Azure AD) Authentication Provider](https://github.com/agentic-community/mcp-gateway-registry/issues/128)** ✅ **COMPLETE**
   Extend authentication support beyond Keycloak to include Microsoft Entra ID integration. Enables enterprise SSO for organizations using Azure Active Directory.
 
 - **[#170 - Architectural Proposal: Separate Gateway and Registry Containers](https://github.com/agentic-community/mcp-gateway-registry/issues/170)** 🚧 **IN PROGRESS**

auth_server/oauth2_providers.yml

@@ -36,6 +36,25 @@ providers:
     name_claim: "name"
     enabled: true
 
+  entra:
+    display_name: "Microsoft Entra ID"
+    client_id: "${ENTRA_CLIENT_ID}"
+    client_secret: "${ENTRA_CLIENT_SECRET}"
+    auth_url: "https://login.microsoftonline.com/${ENTRA_TENANT_ID}/oauth2/v2.0/authorize"
+    token_url: "https://login.microsoftonline.com/${ENTRA_TENANT_ID}/oauth2/v2.0/token"
+    user_info_url: "https://graph.microsoft.com/oidc/userinfo"
+    logout_url: "https://login.microsoftonline.com/${ENTRA_TENANT_ID}/oauth2/v2.0/logout"
+    # Request basic OIDC scopes - email and groups require optional claims configuration in Azure Portal
+    scopes: ["openid", "email", "profile"]
+    response_type: "code"
+    grant_type: "authorization_code"
+    # Claims mapping for user info
+    username_claim: "preferred_username"
+    groups_claim: "groups"
+    email_claim: "email"
+    name_claim: "name"
+    enabled: true
+
   github:
     display_name: "GitHub"
     client_id: "${GITHUB_CLIENT_ID}"