OIDC Bridge + Context Forge MCP Gateway Integration Test
Job ID: b6c458e7-3f20-4931-9e14-5ebefe1c7e2c
pending
high priority
Target
- Repository: jetta-oidc-bridge
- URL to Test: https://oidc.jettaintelligence.com
Description
End-to-end testing of the new Jetta OIDC Bridge service and IBM Context Forge MCP Gateway integration. This validates that Jetta SSO can now work with any OIDC-compatible client through the bridge, and that the MCP gateway properly authenticates users and provides access to registered MCP servers (mcp-mfiles).
**Components Under Test:**
1. **jetta-oidc-bridge** (oidc.jettaintelligence.com) - OIDC provider backed by Jetta SSO
2. **jetta-mcp-gateway** (mcp.jettaintelligence.com) - IBM Context Forge with OIDC auth
3. **Integration** - Full auth flow from gateway → OIDC bridge → Jetta SSO → back to gateway
**Architecture:**
```
User → Context Forge (mcp.jettaintelligence.com)
↓ OIDC
OIDC Bridge (oidc.jettaintelligence.com)
↓ Cookie/Verify
Jetta SSO (login.jettaintelligence.com)
```
Test Steps
## Part 1: OIDC Bridge Health & Discovery
### 1.1 Health Check
1. Navigate to `https://oidc.jettaintelligence.com/health`
2. Verify JSON response with `status: "healthy"`
3. Note the `service` and `issuer` fields
### 1.2 OIDC Discovery Endpoint
1. Navigate to `https://oidc.jettaintelligence.com/.well-known/openid-configuration`
2. Verify JSON response contains:
   - `issuer`: "https://oidc.jettaintelligence.com"
   - `authorization_endpoint`: ends with `/authorize`
   - `token_endpoint`: ends with `/token`
   - `userinfo_endpoint`: ends with `/userinfo`
   - `jwks_uri`: ends with `/.well-known/jwks.json`
   - `response_types_supported`: includes "code"
   - `scopes_supported`: includes "openid", "email", "profile"
### 1.3 JWKS Endpoint
1. Navigate to `https://oidc.jettaintelligence.com/.well-known/jwks.json`
2. Verify JSON response contains `keys` array
3. Each key should have: `kty`, `use`, `alg`, `kid`, `n`, `e` fields
4. `alg` should be "RS256"

---

## Part 2: Context Forge Gateway
### 2.1 Gateway Health Check
1. Navigate to `https://mcp.jettaintelligence.com/health`
2. Verify service is responding
3. Note any version or status information
### 2.2 Gateway Admin UI Access (Unauthenticated)
1. Navigate to `https://mcp.jettaintelligence.com`
2. Should redirect to OIDC authorization
3. Verify redirect URL contains `oidc.jettaintelligence.com/authorize`
4. Verify `client_id`, `redirect_uri`, `response_type=code` in URL params

---

## Part 3: Full OIDC Authentication Flow
### 3.1 Initiate Login
1. Navigate to `https://mcp.jettaintelligence.com`
2. Click login or wait for redirect
3. Should arrive at `https://oidc.jettaintelligence.com/authorize?...`
### 3.2 OIDC Bridge → Jetta SSO Redirect
1. OIDC Bridge should redirect to `https://login.jettaintelligence.com/login`
2. Verify `redirect_uri` parameter points back to OIDC bridge callback
### 3.3 Authenticate with Jetta SSO
1. Log in using Google OAuth (or available method)
2. Use an allowed domain email (jettaoperating.com, aicholdings.com, etc.)
3. After successful login, should redirect to OIDC bridge callback
### 3.4 OIDC Bridge Callback
1. Should see brief redirect through `oidc.jettaintelligence.com/callback`
2. Then redirect back to Context Forge with authorization code
### 3.5 Token Exchange & Landing
1. Context Forge exchanges code for tokens (happens automatically)
2. Should land on Context Forge admin UI
3. Verify user email/name is displayed (if shown in UI)

---

## Part 4: Context Forge Functionality
### 4.1 Admin UI Navigation
1. Explore the Context Forge admin interface
2. Look for: Servers/Gateways section, Tools section, Settings
3. Note available features and navigation
### 4.2 MCP Server Registry
1. Find the registered MCP servers list
2. Check if `mcp-mfiles` appears (may need to be registered separately)
3. Note server status indicators
### 4.3 Tool Discovery (if servers registered)
1. Navigate to Tools or similar section
2. Verify tools from registered MCP servers are visible
3. Note tool names and descriptions

---

## Part 5: Error Handling
### 5.1 Invalid OIDC Request
1. Try accessing `https://oidc.jettaintelligence.com/authorize` without required params
2. Should return appropriate error (400 or redirect with error)
### 5.2 Logout Flow
1. Find logout option in Context Forge
2. Click logout
3. Verify session is terminated
4. Revisiting gateway should require re-authentication

---

## Part 6: Browser Console & Network
### 6.1 Check for Errors
1. Open browser DevTools (F12) → Console tab
2. Look for any JavaScript errors or warnings
3. Note any CORS issues or failed requests
### 6.2 Network Inspection
1. Go to Network tab
2. Perform the authentication flow again
3. Verify all requests complete successfully (no 4xx/5xx errors)
4. Check that cookies are being set correctly
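The field checks from steps 1.2 and 1.3 can be scripted; the following is an added example, not part of the original test plan or the bridge's code. It goes slightly beyond the listed steps by also flagging private RSA members in a published JWK, and its function names and sample documents are constructed for illustration.

```python
# Added example: offline checks for steps 1.2 and 1.3; sample data is constructed.
ISSUER = "https://oidc.jettaintelligence.com"
SUFFIXES = {"authorization_endpoint": "/authorize", "token_endpoint": "/token",
            "userinfo_endpoint": "/userinfo", "jwks_uri": "/.well-known/jwks.json"}
SCOPES = {"openid", "email", "profile"}
JWK_FIELDS = ("kty", "use", "alg", "kid", "n", "e")
PRIVATE_RSA = {"d", "p", "q", "dp", "dq", "qi"}  # RFC 7518 private-key members


def check_discovery(doc, issuer=ISSUER):
    """Return the list of step 1.2 failures for a parsed discovery document."""
    problems = []
    if doc.get("issuer") != issuer:  # exact match: no trailing slash, no http://
        problems.append(f"issuer is {doc.get('issuer')!r}")
    for field, suffix in SUFFIXES.items():
        if not str(doc.get(field, "")).endswith(suffix):
            problems.append(f"{field} does not end with {suffix}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported lacks code")
    missing = SCOPES - set(doc.get("scopes_supported", []))
    if missing:
        problems.append(f"scopes_supported lacks {sorted(missing)}")
    return problems


def check_jwks(jwks):
    """Return the list of step 1.3 failures for a parsed JWKS document."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["keys array missing or empty"]
    problems = []
    for i, key in enumerate(keys):
        label = key.get("kid") or f"#{i}"
        problems += [f"{label}: missing {f}" for f in JWK_FIELDS if not key.get(f)]
        if key.get("alg") not in (None, "", "RS256"):
            problems.append(f"{label}: alg is {key['alg']!r}")
        leaked = sorted(PRIVATE_RSA.intersection(key))
        if leaked:  # extra check, not in the test plan
            problems.append(f"{label}: private members {leaked}")
    return problems

# Constructed sample input (n is a placeholder, not a real modulus).
GOOD_DISCOVERY = {"issuer": ISSUER, **{k: ISSUER + v for k, v in SUFFIXES.items()},
                  "response_types_supported": ["code"],
                  "scopes_supported": ["openid", "email", "profile"]}
GOOD_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                       "kid": "sample-key-1", "n": "c2FtcGxl", "e": "AQAB"}]}
if __name__ == "__main__":
    print(check_discovery(GOOD_DISCOVERY), check_jwks(GOOD_JWKS))
```

Pass each function the parsed JSON body from the corresponding Part 1 URL; an empty list means every field check for that step passed.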
Expected Results
## Success Criteria
### OIDC Bridge
- [ ] Health endpoint returns `{"status": "healthy"}`
- [ ] OIDC discovery returns valid configuration with all required fields
- [ ] JWKS endpoint returns valid RSA public key
- [ ] Authorization redirects to Jetta SSO correctly
- [ ] Callback processes Jetta SSO cookie and redirects with code
- [ ] Token endpoint returns valid JWT id_token
- [ ] Userinfo endpoint returns user claims
### Context Forge Gateway
- [ ] Health endpoint responds
- [ ] Unauthenticated access redirects to OIDC bridge
- [ ] After authentication, admin UI is accessible
- [ ] User identity is recognized from OIDC token
- [ ] MCP server registry is functional
- [ ] Tool discovery works for registered servers
### Authentication Flow
- [ ] Full flow completes: Gateway → OIDC Bridge → Jetta SSO → Back
- [ ] No authentication loops or infinite redirects
- [ ] Session persists across page refreshes
- [ ] Logout properly terminates session
### No Errors
- [ ] No JavaScript console errors
- [ ] No failed network requests (except expected 401s before auth)
- [ ] No CORS errors
- [ ] Response times are reasonable (< 3s for redirects)