Add scopes field to MCPServer CRD for OIDC config (#2988)

Add Scopes field to InlineOIDCConfig in MCPServer, MCPRemoteProxy, and
VirtualMCPServer CRDs. This allows operators to configure custom OAuth
scopes that will be advertised in the well-known endpoint.

Example usage in MCPServer:
  oidcConfig:
    type: inline
    inline:
      issuer: https://accounts.google.com
      scopes:
        - https://www.googleapis.com/auth/drive.readonly

Related: #2783

Co-authored-by: Juan Antonio Osorio <[email protected]>

Author: jhrozek

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -517,6 +517,11 @@ type InlineOIDCConfig struct {
 	// +kubebuilder:default=false
 	// +optional
 	InsecureAllowHTTP bool `json:"insecureAllowHTTP"`
+
+	// Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)
+	// If empty, defaults to ["openid"]
+	// +optional
+	Scopes []string `json:"scopes,omitempty"`
 }
 
 // AuthzConfigRef defines a reference to authorization configuration

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -32,7 +32,6 @@ func AddOIDCConfigOptions(
 	}
 
 	// Add OIDC config to options
-	// Note: Scopes are passed as nil until the operator CRD supports them
 	*options = append(*options, runner.WithOIDCConfig(
 		oidcConfig.Issuer,
 		oidcConfig.Audience,
@@ -45,7 +44,7 @@ func AddOIDCConfigOptions(
 		oidcConfig.ResourceURL,
 		oidcConfig.JWKSAllowPrivateIP,
 		oidcConfig.InsecureAllowHTTP,
-		nil, // Scopes - TODO: add operator CRD support
+		oidcConfig.Scopes,
 	))
 
 	return nil

cmd/thv-operator/pkg/controllerutil/oidc.go

@@ -5,6 +5,7 @@ package oidc
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -35,6 +36,7 @@ type OIDCConfig struct { //nolint:revive // Keeping OIDCConfig name for backward
 	ResourceURL        string
 	JWKSAllowPrivateIP bool
 	InsecureAllowHTTP  bool
+	Scopes             []string
 }
 
 // OIDCConfigurable is an interface for resources that have OIDC configuration
@@ -194,6 +196,9 @@ func (r *resolver) resolveConfigMapConfig(
 		config.InsecureAllowHTTP = true
 	}
 
+	// Handle scopes as comma-separated values
+	config.Scopes = parseCommaSeparatedList(getMapValue(configMap.Data, "scopes"))
+
 	return config, nil
 }
 
@@ -225,6 +230,7 @@ func (*resolver) resolveInlineConfig(
 		ResourceURL:        resourceURL,
 		JWKSAllowPrivateIP: config.JWKSAllowPrivateIP,
 		InsecureAllowHTTP:  config.InsecureAllowHTTP,
+		Scopes:             config.Scopes,
 	}, nil
 }
 
@@ -236,6 +242,28 @@ func getMapValue(data map[string]string, key string) string {
 	return ""
 }
 
+// parseCommaSeparatedList parses a comma-separated string into a slice of strings.
+// It trims whitespace from each element and filters out empty strings.
+func parseCommaSeparatedList(value string) []string {
+	if value == "" {
+		return nil
+	}
+
+	parts := strings.Split(value, ",")
+	result := make([]string, 0, len(parts))
+	for _, part := range parts {
+		trimmed := strings.TrimSpace(part)
+		if trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+
+	if len(result) == 0 {
+		return nil
+	}
+	return result
+}
+
 // createServiceURL creates a service URL from MCPServer details
 func createServiceURL(name, namespace string, port int32) string {
 	if port == 0 {

cmd/thv-operator/pkg/oidc/resolver.go

@@ -261,6 +261,114 @@ func TestResolve_ConfigMapType(t *testing.T) {
 				InsecureAllowHTTP:  true,
 			},
 		},
+		{
+			name: "configmap with scopes",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "scopes-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					Port: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeConfigMap,
+						ConfigMap: &mcpv1alpha1.ConfigMapOIDCRef{
+							Name: "scopes-config",
+						},
+					},
+				},
+			},
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "scopes-config",
+					Namespace: "test-ns",
+				},
+				Data: map[string]string{
+					"issuer":   "https://auth.example.com",
+					"audience": "test-audience",
+					"scopes":   "https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/documents.readonly",
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:      "https://auth.example.com",
+				Audience:    "test-audience",
+				ResourceURL: "http://scopes-server.test-ns.svc.cluster.local:8080",
+				Scopes: []string{
+					"https://www.googleapis.com/auth/drive.readonly",
+					"https://www.googleapis.com/auth/documents.readonly",
+				},
+			},
+		},
+		{
+			name: "configmap with scopes containing whitespace",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "whitespace-scopes-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					Port: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeConfigMap,
+						ConfigMap: &mcpv1alpha1.ConfigMapOIDCRef{
+							Name: "whitespace-scopes-config",
+						},
+					},
+				},
+			},
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "whitespace-scopes-config",
+					Namespace: "test-ns",
+				},
+				Data: map[string]string{
+					"issuer":   "https://auth.example.com",
+					"audience": "test-audience",
+					"scopes":   "scope1 , scope2,  scope3  ",
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:      "https://auth.example.com",
+				Audience:    "test-audience",
+				ResourceURL: "http://whitespace-scopes-server.test-ns.svc.cluster.local:8080",
+				Scopes:      []string{"scope1", "scope2", "scope3"},
+			},
+		},
+		{
+			name: "configmap with empty scopes",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "empty-scopes-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					Port: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeConfigMap,
+						ConfigMap: &mcpv1alpha1.ConfigMapOIDCRef{
+							Name: "empty-scopes-config",
+						},
+					},
+				},
+			},
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "empty-scopes-config",
+					Namespace: "test-ns",
+				},
+				Data: map[string]string{
+					"issuer":   "https://auth.example.com",
+					"audience": "test-audience",
+					"scopes":   "",
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:      "https://auth.example.com",
+				Audience:    "test-audience",
+				ResourceURL: "http://empty-scopes-server.test-ns.svc.cluster.local:8080",
+				Scopes:      nil,
+			},
+		},
 		{
 			name: "configmap not found",
 			mcpServer: &mcpv1alpha1.MCPServer{
@@ -430,6 +538,32 @@ func TestResolve_InlineType(t *testing.T) {
 				InsecureAllowHTTP:  true,
 			},
 		},
+		{
+			name: "inline with scopes",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "scopes-inline-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					Port: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeInline,
+						Inline: &mcpv1alpha1.InlineOIDCConfig{
+							Issuer:   "https://auth.example.com",
+							Audience: "test-audience",
+							Scopes:   []string{"openid", "profile", "email"},
+						},
+					},
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:      "https://auth.example.com",
+				Audience:    "test-audience",
+				ResourceURL: "http://scopes-inline-server.test-ns.svc.cluster.local:8080",
+				Scopes:      []string{"openid", "profile", "email"},
+			},
+		},
 		{
 			name: "nil inline config returns nil",
 			mcpServer: &mcpv1alpha1.MCPServer{
@@ -619,3 +753,62 @@ func TestResolve_InlineWithClientSecretRef(t *testing.T) {
 		})
 	}
 }
+
+func TestParseCommaSeparatedList(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name     string
+		input    string
+		expected []string
+	}{
+		{
+			name:     "empty string",
+			input:    "",
+			expected: nil,
+		},
+		{
+			name:     "single value",
+			input:    "scope1",
+			expected: []string{"scope1"},
+		},
+		{
+			name:     "multiple values",
+			input:    "scope1,scope2,scope3",
+			expected: []string{"scope1", "scope2", "scope3"},
+		},
+		{
+			name:     "values with whitespace",
+			input:    " scope1 , scope2 , scope3 ",
+			expected: []string{"scope1", "scope2", "scope3"},
+		},
+		{
+			name:     "values with URLs",
+			input:    "https://www.googleapis.com/auth/drive.readonly,https://www.googleapis.com/auth/documents.readonly",
+			expected: []string{"https://www.googleapis.com/auth/drive.readonly", "https://www.googleapis.com/auth/documents.readonly"},
+		},
+		{
+			name:     "empty values filtered out",
+			input:    "scope1,,scope2,  ,scope3",
+			expected: []string{"scope1", "scope2", "scope3"},
+		},
+		{
+			name:     "only commas and whitespace",
+			input:    ", , ,  ",
+			expected: nil,
+		},
+		{
+			name:     "single whitespace-only value",
+			input:    "   ",
+			expected: nil,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			result := parseCommaSeparatedList(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}

cmd/thv-operator/pkg/oidc/resolver_test.go

@@ -2,5 +2,5 @@ apiVersion: v2
 name: toolhive-operator-crds
 description: A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.
 type: application
-version: 0.0.80
+version: 0.0.81
 appVersion: "0.0.1"

deploy/charts/operator-crds/Chart.yaml

@@ -1,6 +1,6 @@
 # ToolHive Operator CRDs Helm Chart
 
-![Version: 0.0.80](https://img.shields.io/badge/Version-0.0.80-informational?style=flat-square)
+![Version: 0.0.81](https://img.shields.io/badge/Version-0.0.81-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.

deploy/charts/operator-crds/README.md

@@ -211,6 +211,13 @@ spec:
                           ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses
                           Use with caution - only enable for trusted internal IDPs or testing
                         type: boolean
+                      scopes:
+                        description: |-
+                          Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)
+                          If empty, defaults to ["openid"]
+                        items:
+                          type: string
+                        type: array
                       thvCABundlePath:
                         description: |-
                           ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml

@@ -241,6 +241,13 @@ spec:
                           ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses
                           Use with caution - only enable for trusted internal IDPs or testing
                         type: boolean
+                      scopes:
+                        description: |-
+                          Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)
+                          If empty, defaults to ["openid"]
+                        items:
+                          type: string
+                        type: array
                       thvCABundlePath:
                         description: |-
                           ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpservers.yaml

@@ -537,6 +537,13 @@ spec:
                               ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses
                               Use with caution - only enable for trusted internal IDPs or testing
                             type: boolean
+                          scopes:
+                            description: |-
+                              Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)
+                              If empty, defaults to ["openid"]
+                            items:
+                              type: string
+                            type: array
                           thvCABundlePath:
                             description: |-
                               ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests