@patrickcping (Collaborator) commented Dec 18, 2025

Overview

This PR adds Docker container support for the PingOne MCP server, enabling deployment in containerized environments where binary installation is impractical or undesired. The implementation leverages the device code grant type with URL mode elicitation for secure, headless authentication.

Key Changes

Docker Implementation

  • Multi-stage Dockerfile using golang:1.24-alpine for building and alpine:3 for runtime
  • Environment-based configuration via environment variables (CLIENT_ID, CLIENT_SECRET, ENVIRONMENT_ID, REGION, GRANT_TYPE)
  • Automatic authentication on container startup using device code flow with URL mode elicitation
  • MCP SDK v1.2.0 upgrade for URL mode elicitation support (requires clients compatible with this feature)

Authentication Flow

  • Device code grant type configured for headless environments
  • URL mode elicitation support presents authorization URL to users securely
  • Token storage via file-based tokenstore in container
  • Session validation and token refresh on server restart

Documentation

  • Comprehensive Docker usage guide with setup instructions, configuration examples, and troubleshooting
  • Setup guide for PingOne worker application configuration
  • Troubleshooting documentation for common Docker deployment issues

Technical Details

Breaking Change: The TokenSource interface now requires a *mcp.ServerSession parameter:

// Before
TokenSource(context.Context, GrantType) (*oauth2.Token, error)

// After
TokenSource(context.Context, GrantType, *mcp.ServerSession) (*oauth2.Token, error)

This enables access to server session capabilities like URL mode elicitation for secure authorization URL presentation.

Testing

All unit tests passing:

Test Results (make test)
$ make test
go test -v -timeout 1m ./...
?       github.com/pingidentity/pingone-mcp-server      [no test files]
=== RUN   TestRootCommand
=== RUN   TestRootCommand/no_arguments
=== RUN   TestRootCommand/help_flag
=== RUN   TestRootCommand/invalid_flag
--- PASS: TestRootCommand (0.00s)
    --- PASS: TestRootCommand/no_arguments (0.00s)
    --- PASS: TestRootCommand/help_flag (0.00s)
    --- PASS: TestRootCommand/invalid_flag (0.00s)
PASS
ok      github.com/pingidentity/pingone-mcp-server/cmd  (cached)

[... all test output showing 100% pass rate ...]

PASS
ok      github.com/pingidentity/pingone-mcp-server/internal/tools/validation    (cached)

Exit code: 0

Summary:

  • All test packages passing
  • No failures or panics
  • All authentication, middleware, and tool validation tests successful

Usage

Quick Start with Docker

docker run -it --rm \
  -e PINGONE_CLIENT_ID="your-client-id" \
  -e PINGONE_CLIENT_SECRET="your-client-secret" \
  -e PINGONE_ENVIRONMENT_ID="your-env-id" \
  -e PINGONE_REGION="NA" \
  -e PINGONE_GRANT_TYPE="device_code" \
  ghcr.io/pingidentity/pingone-mcp-server:latest

Docker Compose

See docker-usage-instructions.md for complete Docker Compose examples and configuration options.

Documentation

Requirements

MCP Client Compatibility: This Docker implementation requires MCP clients that support URL mode elicitation (e.g., VS Code Copilot Chat). This feature ensures authorization URLs are securely presented to human users and not processed by AI agents.

Testing Recommendations

  • ✅ Unit tests: All passing
  • ⏳ Manual testing: Test Docker container with device code flow in headless environment
  • ⏳ End-to-end validation: Verify URL mode elicitation with compatible MCP client

Related Issues

Implements containerized deployment for PingOne MCP server with secure headless authentication.

…de auth

- Update Dockerfile with default env vars for device code flow
- Simplify docker-entrypoint.sh to directly run server with device_code grant type
- Upgrade to MCP SDK v1.2.0-pre.1 for URL mode elicitation support
- Add MCP server session parameter to auth client TokenSource interface
- Implement URL mode elicitation in wrapper.go for headless device code auth
- Update login, middleware, and initialize packages to pass MCP server session
- Enable headless Docker authentication without manual login step
@patrickcping patrickcping marked this pull request as ready for review December 29, 2025 15:26
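The headless device code flow this PR relies on (mint a device code, hand the verification URL to the human through the server session, poll the token endpoint), written out as an added Go example that is not the PR's or the project's code. The `URLPresenter` func type, `DeviceCodeTokenSource`, and the in-process fake authorization server with its constructed values (`dc-constructed`, `WDJB-MJHT`, `https://auth.example.test/activate`, `at-constructed`, client ID `worker-app`) are assumptions standing in for *mcp.ServerSession URL mode elicitation and for PingOne's device and token endpoints; the polling rules (interval, `slow_down`, terminal errors, error replies carried on HTTP 400) follow RFC 8628.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// URLPresenter stands in for the *mcp.ServerSession the PR passes into TokenSource: the path by
// which the verification URL reaches a human (URL mode elicitation) instead of the model. Assumed type.
type URLPresenter func(ctx context.Context, message, verificationURL string) error

// Wire formats from RFC 8628 sections 3.2 and 3.5.
type deviceAuth struct {
	DeviceCode      string `json:"device_code"`
	UserCode        string `json:"user_code"`
	VerificationURI string `json:"verification_uri"`
	Interval        int    `json:"interval"`
}
type tokenResp struct {
	AccessToken string `json:"access_token,omitempty"`
	Error       string `json:"error,omitempty"`
}

type DeviceCodeTokenSource struct {
	ClientID, DeviceAuthURL, TokenURL string
	Sleep                             func(time.Duration) // injectable so the demo does not wait
}

// postForm decodes the JSON body regardless of status: pending and slow_down arrive as HTTP 400.
func postForm(endpoint string, form url.Values, out any) error {
	resp, err := http.PostForm(endpoint, form)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return json.NewDecoder(resp.Body).Decode(out)
}

// Token mints a device code, presents the verification URL, then polls until a token, a terminal error or cancellation.
func (s *DeviceCodeTokenSource) Token(ctx context.Context, present URLPresenter) (string, error) {
	var da deviceAuth
	if err := postForm(s.DeviceAuthURL, url.Values{"client_id": {s.ClientID}}, &da); err != nil {
		return "", fmt.Errorf("device authorization request: %w", err)
	}
	if err := present(ctx, "Sign in to PingOne and enter code "+da.UserCode, da.VerificationURI); err != nil {
		return "", fmt.Errorf("presenting verification URL: %w", err)
	}
	interval := time.Duration(da.Interval) * time.Second
	poll := url.Values{"grant_type": {"urn:ietf:params:oauth:grant-type:device_code"},
		"device_code": {da.DeviceCode}, "client_id": {s.ClientID}}
	for ctx.Err() == nil {
		s.Sleep(interval)
		var tr tokenResp
		if err := postForm(s.TokenURL, poll, &tr); err != nil {
			return "", fmt.Errorf("token request: %w", err)
		}
		switch tr.Error {
		case "":
			return tr.AccessToken, nil
		case "authorization_pending": // user not done yet; poll again at the same interval
		case "slow_down":
			interval += 5 * time.Second // back-off mandated by RFC 8628 section 3.5
		default: // expired_token, access_denied or anything unexpected: stop polling
			return "", fmt.Errorf("device authorization failed: %s", tr.Error)
		}
	}
	return "", ctx.Err()
}

// RunDemo drives Token against a constructed fake authorization server (pending twice, slow_down once, then a token).
func RunDemo() (token, shownURL string, err error) {
	polls := 0 // Token returns on the fourth poll, so script is never indexed past its end
	script := []tokenResp{{Error: "authorization_pending"}, {Error: "authorization_pending"}, {Error: "slow_down"}, {AccessToken: "at-constructed"}}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/device" {
			json.NewEncoder(w).Encode(deviceAuth{DeviceCode: "dc-constructed", UserCode: "WDJB-MJHT",
				VerificationURI: "https://auth.example.test/activate", Interval: 5})
			return
		}
		resp := script[polls]
		polls++
		if resp.Error != "" {
			w.WriteHeader(http.StatusBadRequest) // RFC 8628: error replies use HTTP 400
		}
		json.NewEncoder(w).Encode(resp)
	}))
	defer srv.Close()
	ts := &DeviceCodeTokenSource{ClientID: "worker-app", DeviceAuthURL: srv.URL + "/device",
		TokenURL: srv.URL + "/token", Sleep: func(time.Duration) {}}
	token, err = ts.Token(context.Background(), func(_ context.Context, _, u string) error { shownURL = u; return nil })
	return token, shownURL, err
}

func main() { fmt.Println(RunDemo()) }
```

`go run` prints the constructed token, the URL that went to the human, and a nil error. Two points carry over to a real deployment: the verification URL is handed only to `present`, never returned as tool text the model could read or follow, and token-endpoint replies are decoded whatever the HTTP status, because `authorization_pending` and `slow_down` come back as 400s that are not failures. Client authentication with the CLIENT_SECRET the PR configures, and the tokenstore persistence and refresh, are left out of this example.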