Added by Abhi Chaturvedi 17 days ago
I am testing the official OpenProject MCP server integrated with OpenWebUI using Keycloak as the OAuth/OIDC provider.
Architecture:
Keycloak → OpenWebUI → OpenProject MCP → OpenProject API v3
The MCP endpoint itself appears healthy and reachable.
Observed behavior:
- OpenWebUI successfully discovers the OpenProject MCP server and tools
- MCP protocol negotiation succeeds
- However, OpenWebUI reports “OAuth connection is not valid”
- MCP tools do not appear to execute successfully
- The LLM falls back to hallucinated/generated responses instead of retrieving OpenProject data
Important observations:
1. MCP endpoint responds correctly over HTTP.
2. Manual requests to the MCP endpoint without authentication return:
unauthorized
which suggests OAuth protection is active and functioning.
3. OpenProject Ruby logs never show downstream API calls such as:
/api/v3/projects
which suggests the failure occurs before actual OpenProject API execution.
Questions:
- Are there any known requirements or caveats when using the OpenProject MCP server with Keycloak/OIDC providers?
- Are specific OAuth scopes, claims, or token formats required for MCP tool execution?
- Has the OpenProject MCP server been validated specifically with OpenWebUI OAuth integrations?
- Are there recommended configurations for delegated OAuth token forwarding to MCP?
Environment:
- Official OpenProject MCP server
- OpenWebUI
- Keycloak OAuth/OIDC provider
- llama3.1:8b
Replies (2)
Hi Abhi Chaturvedi
OAuth/OIDC expectations mismatch (most common issue)
The OpenProject MCP server typically expects:
- A valid OAuth 2.0 access token
- Proper JWT validation against issuer
- Correct audience (aud) claim matching MCP/OpenProject config
- Sometimes explicit scopes (depending on configuration)
Keycloak often issues tokens with:
- aud = account or client-specific value
- scopes not matching backend expectations
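Added example, not part of the reply above and not OpenProject or OpenWebUI code: a diagnostic that decodes an access token's claims and lists the issuer, audience and scope mismatches the reply describes. The issuer URL, the audience `openproject-mcp`, the scope `example-mcp-scope` and the sample token are constructed placeholders, and the signature is deliberately not verified.

```python
import base64
import json

def b64url_json(obj) -> str:
    """Encode a dict as an unpadded base64url JSON segment (used for the sample)."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT (possibly an opaque token)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def diagnose(token, expected_iss, expected_aud, required_scopes=()):
    """Return a list of mismatches between the token and what the backend expects."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_iss!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # aud may be string or array
    if expected_aud not in aud:
        problems.append(f"aud is {aud!r}, missing {expected_aud!r}")
    granted = set(str(claims.get("scope", "")).split())  # space-separated string
    missing = sorted(set(required_scopes) - granted)
    if missing:
        problems.append(f"scope lacks {missing!r}")
    return problems

# Hypothetical placeholders, not real OpenProject or Keycloak settings.
EXPECTED_ISS = "https://keycloak.example/realms/demo"
EXPECTED_AUD = "openproject-mcp"
REQUIRED_SCOPES = ("example-mcp-scope",)

# Constructed sample token with the shape the reply describes (aud = account).
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "typ": "JWT"}),
    b64url_json({"iss": EXPECTED_ISS, "aud": "account", "scope": "openid profile email"}),
    "constructed-signature",
])

if __name__ == "__main__":
    for problem in diagnose(SAMPLE_TOKEN, EXPECTED_ISS, EXPECTED_AUD, REQUIRED_SCOPES):
        print("MISMATCH:", problem)
```

A clean result only rules out claim mismatches; the server still has to validate the token's signature against the issuer.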
Thanks @geometry dash lite