Skip to main content
Configure your identity provider to authenticate users accessing in-house MCP servers through Golf Gateway. Golf Gateway supports Auth0, Microsoft Entra ID (Azure AD), and Descope.

When IdP Configuration is Required

The IdP configuration in the Connections page is required when you have in-house MCP servers where you control the identity provider. In this scenario:
  1. Users authenticate with your IdP and receive a JWT token
  2. MCP clients present this token to Golf Gateway
  3. Gateway validates the token using your IdP’s JWKS endpoint
  4. Gateway extracts user identity for RBAC and audit logging
For third-party MCP servers that have their own OAuth authorization, users authenticate through Golf Gateway’s Authorization Server, which proxies the OAuth flow between the MCP client and the upstream server. The IdP configuration in Connections is not used in this flow.

Prerequisites

Create a Single Page Application or Regular Web Application in Auth0.Required:
  • Domain (e.g., your-tenant.auth0.com)
  • JWKS endpoint URL (e.g., https://your-tenant.auth0.com/.well-known/jwks.json)
For Capability Discovery (Optional):
  • Machine-to-Machine Application
  • Client ID and Client Secret for the M2M app

When Capability Discovery Credentials Are Needed

Capability discovery credentials (M2M tokens) enable the gateway to fetch MCP server capabilities autonomously. These are optional but required in specific scenarios:
When you enable automatic capability refresh for an MCP server, the gateway periodically connects to discover tools, prompts, and resources. Since no user is present during these background jobs, M2M credentials authenticate the gateway as a service account.
When capability_versioning_enabled is set on a server, the gateway tracks changes to capabilities over time. New or modified tools are flagged for approval before becoming available. M2M credentials enable the gateway to discover these changes automatically.
For advanced RBAC that uses tool annotations (read-only, destructive, etc.), the gateway needs capability schemas to enforce policies. M2M credentials allow the gateway to fetch and cache these schemas for runtime access control decisions.
You don’t need capability discovery credentials if:
  • You only use manual, user-initiated capability discovery
  • You use simple server-level RBAC without capability granularity
  • You don’t need scheduled refresh

Configure via Control Plane

  1. Navigate to Connections in the sidebar
  2. In the Identity Providers section, click Add identity provider
  3. Select Auth0
  4. Configure the following sections:
User Identity Extraction (Required)These fields are required to validate JWT tokens from your MCP clients.
FieldDescriptionExample
Display nameFriendly name for this IdPProduction Auth0
JWKS endpointAuth0 JWKS URL for token validationhttps://your-tenant.auth0.com/.well-known/jwks.json
Token Audience Validation (Optional)Configure audience validation to ensure tokens are intended for your API.
FieldDescriptionExample
API identifiersList of valid audience valueshttps://api.example.com
API identifiers must match the aud claim in your JWT tokens. Add multiple identifiers if your tokens may have different audiences.
Capability Discovery (Optional)These M2M credentials allow the gateway to discover MCP server capabilities on behalf of users.
FieldDescriptionExample
Client IDM2M application Client IDabc123...
Client secretM2M application Client Secret***
ScopesOAuth scopesopenid (default)
  1. Click Save

Configure via YAML (Distributed Mode)

identity_providers:
  - name: auth0
    type: auth0
    issuer: https://YOUR_TENANT.auth0.com/
    jwks_uri: https://YOUR_TENANT.auth0.com/.well-known/jwks.json
    api_identifiers:
      - https://your-api.example.com
    # Optional: M2M credentials for capability discovery
    client_id: ${AUTH0_CLIENT_ID}
    client_secret: ${AUTH0_CLIENT_SECRET}

Authentication Flows

Golf Gateway supports two authentication scenarios depending on the MCP server type:

In-House Servers (Direct IdP Validation)

For MCP servers you own and control, users authenticate with your IdP:
  1. User authenticates with your IdP (Auth0, Entra ID, Descope)
  2. MCP client receives JWT token
  3. Client presents token to Golf Gateway
  4. Gateway validates token using IdP’s JWKS endpoint (configured in Connections)
  5. Gateway extracts user identity and applies RBAC policies
  6. Request is forwarded to the in-house MCP server
This is when IdP configuration in Connections is required.

Third-Party Servers (Gateway Authorization Server)

For third-party MCP servers with their own OAuth requirements, Golf Gateway acts as an OAuth 2.0 Authorization Server that proxies authentication between MCP clients and upstream servers:
  1. MCP client discovers OAuth endpoints via the gateway
  2. Gateway redirects user to authenticate with your platform SSO
  3. After authentication, user separately authorizes with the third-party MCP server
  4. Gateway stores the user’s OAuth token for that server
  5. On subsequent requests, gateway injects the stored token when proxying to the upstream server
IdP configuration in Connections is NOT used in this flow.

Linking IdP to MCP Servers

After configuring an IdP, link it to your in-house MCP servers:
  1. Go to Connections > MCP Servers
  2. Create or edit an MCP server
  3. Set Server type to In-house
  4. Select your IdP from the Identity provider dropdown
  5. Save
The gateway will now validate tokens for that server using the selected IdP configuration.

Troubleshooting

Token validation fails

  • Verify JWKS endpoint is accessible from your gateway
  • Check that API identifiers match the aud claim in your tokens
  • Ensure the token hasn’t expired

User identity not extracted

  • Verify the JWT contains expected claims (sub, email, name)
  • Check gateway logs for token validation errors

RBAC not working as expected

  • Verify group names in RBAC policies match JWT claims exactly (case-sensitive)
  • Check the 3-layer policy hierarchy (org → gateway → server)
  • Use audit logs to see which user identity was extracted

Next Steps