Pomerium is an identity and context-aware access proxy.
Denis Mishin 02ea793100
mcp: host Client ID Metadata Documents for auto-discovery mode (#6088)
## Summary

Add support for Pomerium to host Client ID Metadata Documents (CIMD) at
`/.pomerium/mcp/client/metadata.json` for MCP server routes using
auto-discovery mode (routes without `upstream_oauth2` configured).

When Pomerium acts as an OAuth 2.1 client to upstream MCP servers, it
needs to present its own CIMD to the upstream authorization server. This
enables dynamic client registration via the Client ID Metadata Document
spec (draft-ietf-oauth-client-id-metadata-document).

Key changes:
- Add `ClientIDMetadata` handler to serve per-host CIMD documents
- Add `UsesAutoDiscovery`/`GetServerHostInfo` methods to `HostInfo`
- Split OAuth callback endpoints: `server/oauth/callback` vs
`client/oauth/callback`
- Add debug logging for CIMD requests

## Related issues

- [ENG-3525](https://linear.app/pomerium/issue/ENG-3525/host-client-id-metadata-documents-for-auto-discovery-mode)

## User Explanation

MCP server routes using auto-discovery mode (without explicit
`upstream_oauth2` configuration) now automatically serve a CIMD
document. This allows upstream MCP servers' authorization servers to
discover Pomerium's OAuth client metadata.

## Checklist

- [x] reference any related issues
- [x] updated unit tests
- [ ] add appropriate label (`enhancement`, `bug`, `breaking`,
`dependencies`, `ci`)
- [ ] ready for review
2026-02-11 19:44:36 -05:00
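
The commit above makes Pomerium serve a Client ID Metadata Document that an upstream authorization server fetches and has to vet before trusting it. The following is an added example, not code from the Pomerium repository: a sketch of the checks such a server applies to the fetched document, following the rules in draft-ietf-oauth-client-id-metadata-document. The host `mcp.example.com`, the full callback path and the name `ValidateCIMD` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed sample: host and callback path are assumptions, not Pomerium output.
const sampleURL = "https://mcp.example.com/.pomerium/mcp/client/metadata.json"
const sampleDoc = `{"client_id":"` + sampleURL + `","token_endpoint_auth_method":"none",
 "redirect_uris":["https://mcp.example.com/.pomerium/mcp/client/oauth/callback"]}`

type clientMetadata struct {
	ClientID     string   `json:"client_id"`
	RedirectURIs []string `json:"redirect_uris"`
	AuthMethod   string   `json:"token_endpoint_auth_method"`
	ClientSecret string   `json:"client_secret"`
}

// ValidateCIMD checks a metadata document that was fetched from docURL.
func ValidateCIMD(docURL string, body []byte) error {
	u, err := url.Parse(docURL)
	if err != nil || u.Scheme != "https" || u.Host == "" || u.Path == "" ||
		u.User != nil || u.Fragment != "" {
		return fmt.Errorf("client_id URL must be https with a path, no userinfo or fragment")
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return fmt.Errorf("client_id URL must not contain dot segments")
		}
	}
	var m clientMetadata
	if err := json.Unmarshal(body, &m); err != nil {
		return fmt.Errorf("metadata is not valid JSON: %w", err)
	}
	if m.ClientID != docURL { // exact string match, no normalization
		return fmt.Errorf("client_id does not match the document URL")
	}
	if len(m.RedirectURIs) == 0 {
		return fmt.Errorf("redirect_uris is empty")
	}
	// A public document cannot hold a secret, so shared-secret methods are rejected.
	if m.ClientSecret != "" || strings.HasPrefix(m.AuthMethod, "client_secret_") {
		return fmt.Errorf("shared-secret client authentication is not allowed")
	}
	return nil
}
func main() { fmt.Println(ValidateCIMD(sampleURL, []byte(sampleDoc))) }
```
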
.github chore(deps): bump the docker group in /.github with 3 updates (#6082) 2026-02-02 10:51:00 -05:00
.vscode use tlsClientConfig instead of custom dialer (#3830) 2022-12-27 09:55:36 -07:00
authenticate authenticate: avoid double signout confirmation (#6093) 2026-02-04 09:16:24 -08:00
authorize mcp: add ext_proc integration for response interception (#6091) 2026-02-11 16:55:43 -05:00
cmd/pomerium feat: health check CLI (#5823) 2025-09-15 16:43:07 -04:00
config mcp: add ext_proc integration for response interception (#6091) 2026-02-11 16:55:43 -05:00
databroker feat(grpc): ensure "coordination" between keepalives in http/2 protocols in internal pomerium grpc impls (#6078) 2026-02-04 15:57:32 -05:00
examples ci: update dependencies (#6094) 2026-02-09 10:15:25 -08:00
integration core/config: remove envoy options (#6021) 2026-01-05 17:18:31 -07:00
internal mcp: host Client ID Metadata Documents for auto-discovery mode (#6088) 2026-02-11 19:44:36 -05:00
k8s/zero Fix kustomization warning (#5735) 2025-07-21 14:05:26 -04:00
ospkg enable systemd health checks by default (#5850) 2025-09-25 11:24:08 -04:00
pkg mcp: add ext_proc integration for response interception (#6091) 2026-02-11 16:55:43 -05:00
proxy mcp: implement refresh token support (#6049) 2026-01-15 14:21:45 -05:00
scripts Add custom git merge driver for components.json (#6068) 2026-02-10 21:36:49 -05:00
ui chore(deps): bump lodash from 4.17.21 to 4.17.23 in /ui (#6059) 2026-01-22 13:57:20 -07:00
.clang-format config: add circuit breaker thresholds (#5650) 2025-06-16 09:38:39 -06:00
.codecov.yml development: change codecov precision 2019-07-18 16:49:37 -07:00
.dockerignore frontend: react+mui (#3004) 2022-02-07 08:47:58 -07:00
.fossa.yml rm cli code (#2824) 2021-12-15 16:25:21 -05:00
.gitattributes Add custom git merge driver for components.json (#6068) 2026-02-10 21:36:49 -05:00
.gitignore feat(grpc): ensure "coordination" between keepalives in http/2 protocols in internal pomerium grpc impls (#6078) 2026-02-04 15:57:32 -05:00
.golangci.yml chore: upgrade to go 1.25 (#5843) 2025-12-09 13:46:15 -05:00
.pre-commit-config.yaml chore: add pre-commit hooks and fix UI formatting (#6018) 2025-12-30 08:35:55 -08:00
.tool-versions ci: update dependencies (#6094) 2026-02-09 10:15:25 -08:00
3RD-PARTY dependencies: vendor base58, remove shortuuid (#2739) 2021-11-02 09:23:15 -06:00
DEBUG.MD deployment: add debug build / container / docs (#1513) 2020-10-13 16:54:21 -04:00
Dockerfile ci: update dependencies (#6094) 2026-02-09 10:15:25 -08:00
Dockerfile.debug ci: update dependencies (#6094) 2026-02-09 10:15:25 -08:00
go.mod mcp: add ext_proc integration for response interception (#6091) 2026-02-11 16:55:43 -05:00
go.sum mcp: add ext_proc integration for response interception (#6091) 2026-02-11 16:55:43 -05:00
LICENSE fix: CI after pre-commit (#5966) 2025-12-03 13:17:53 -05:00
Makefile Add custom git merge driver for components.json (#6068) 2026-02-10 21:36:49 -05:00
pomerium.go fix go get, improve redis test (#2450) 2021-08-06 12:07:20 -06:00
README.md core/ui: update logo (#5249) 2024-09-05 18:13:06 +02:00
RELEASING.md deployment: update RELEASING.md (#3503) 2022-08-16 10:40:03 -07:00
SECURITY.md Fix SECURITY.md treated as symlink (#5211) 2024-08-07 17:20:18 -04:00

Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN.

Pomerium is:

It's not a VPN alternative; it's the trusted, foolproof way to protect your business. Want a hosted control plane and management GUI? Give Pomerium Zero a try today!

Docs

For comprehensive docs and tutorials, see our documentation.

Contributing

See Contributing for information on how you can contribute to Pomerium.