Description:
When I configure OAuth with Okta for the Claude authentication, it fails with the error `Error: HTTP 403: Invalid OAuth error response`.
Repro steps:
- Deploy the Envoy AI Gateway with the manifest configuration provided below
- Configure OAuth authentication with Okta issuer and JWKS endpoint
- Configure the Claude terminal and run `/mcp` in Claude to send the authentication request to http://127.0.0.1:8888/mcp
- Observe Error: HTTP 403: Invalid OAuth error response
Environment:
gateway version: v.0.0.0-latest
envoy version: docker.io/envoyproxy/envoy:distroless-dev
oauth issuer: https://trial-7314728.okta.com
https://trial-7314728.okta.com/.well-known/oauth-authorization-server
https://trial-7314728.okta.com/oauth2/default/v1/keys
# claude config
```json
{
  "mcpServers": {
    "mcp-gateway": {
      "type": "http",
      "url": "http://127.0.0.1:8888/mcp"
    }
  }
}
```
Manifest:
```yaml
# Copyright Envoy AI Gateway Authors
# SPDX-License-Identifier: Apache-2.0
# The full text of the Apache license is available in the LICENSE file at
# the root of the repo.
---
apiVersion: aigateway.envoyproxy.io/v1alpha1
kind: MCPRoute
metadata:
  name: mcp-route
  namespace: default
spec:
  parentRefs:
    - name: aigw-run
      kind: Gateway
      group: gateway.networking.k8s.io
  securityPolicy:
    oauth:
      issuer: "https://trial-7314728.okta.com"
      jwks:
        remoteJWKS:
          uri: https://trial-7314728.okta.com/oauth2/default/v1/keys
      protectedResourceMetadata:
        resource: "http://127.0.0.1:8888/mcp"
        scopesSupported:
          [
            "mcp:access",
            # "service_account",
            # "offline_access",
            # "acr",
            # "organization",
            # "profile",
            # "basic",
            # "roles",
            # "phone",
            # "address",
            # "microprofile-jwt",
            # "web-origins",
            # "email",
          ]
  backendRefs:
    - name: kiwi
      kind: Backend
      group: gateway.envoyproxy.io
      path: "/"
---
###################################################################################
############################### Backend Definitions ###############################
###################################################################################
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: kiwi
  namespace: default
spec:
  endpoints:
    - fqdn:
        hostname: mcp.kiwi.com
        port: 443
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: kiwi-tls
  namespace: default
spec:
  targetRefs:
    - group: "gateway.envoyproxy.io"
      kind: Backend
      name: kiwi
  validation:
    wellKnownCACertificates: "System"
    hostname: mcp.kiwi.com
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: context7
  namespace: default
spec:
  endpoints:
    - fqdn:
        hostname: mcp.context7.com
        port: 443
---
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: context7-tls
  namespace: default
spec:
  targetRefs:
    - group: "gateway.envoyproxy.io"
      kind: Backend
      name: context7
  validation:
    wellKnownCACertificates: "System"
    hostname: mcp.context7.com
---
###################################################################################
############################### Gateway Definitions ###############################
###################################################################################
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: aigw-run
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: aigw-run
  namespace: default
spec:
  gatewayClassName: aigw-run
  listeners:
    - name: http
      protocol: HTTP
      port: 8888
  infrastructure:
    parametersRef:
      group: gateway.envoyproxy.io
      kind: EnvoyProxy
      name: envoy-ai-gateway
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyProxy
metadata:
  name: envoy-ai-gateway
  namespace: default
spec:
  provider:
    type: Kubernetes
    kubernetes:
      envoyService:
        type: ClusterIP
  logging:
    level:
      default: error
  bootstrap:
    type: Merge
    value: |-
      admin:
        address:
          socket_address:
            address: 127.0.0.1
            port_value: 9901
  telemetry:
    accessLog:
      settings:
        - sinks:
            - type: File
              file:
                path: /dev/stdout
          format:
            type: JSON
            json:
              # MCP specific fields
              mcp_request_id: "%DYNAMIC_METADATA(io.envoy.ai_gateway:mcp_request_id)%"
              mcp_session_id: "%REQ(MCP-SESSION-ID)%"
              mcp_method: "%DYNAMIC_METADATA(io.envoy.ai_gateway:mcp_method)%"
              mcp_backend: "%DYNAMIC_METADATA(io.envoy.ai_gateway:mcp_backend)%"
              # Default fields
              start_time: "%START_TIME%"
              method: "%REQ(:METHOD)%"
              x-envoy-origin-path: "%REQ(X-ENVOY-ORIGINAL-PATH?:PATH)%"
              protocol: "%PROTOCOL%"
              response_code: "%RESPONSE_CODE%"
              response_flags: "%RESPONSE_FLAGS%"
              response_code_details: "%RESPONSE_CODE_DETAILS%"
              connection_termination_details: "%CONNECTION_TERMINATION_DETAILS%"
              upstream_transport_failure_reason: "%UPSTREAM_TRANSPORT_FAILURE_REASON%"
              bytes_received: "%BYTES_RECEIVED%"
              bytes_sent: "%BYTES_SENT%"
              duration: "%DURATION%"
              x-envoy-upstream-service-time: "%RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)%"
              x-forwarded-for: "%REQ(X-FORWARDED-FOR)%"
              user-agent: "%REQ(USER-AGENT)%"
              x-request-id: "%REQ(X-REQUEST-ID)%"
              ":authority": "%REQ(:AUTHORITY)%"
              upstream_host: "%UPSTREAM_HOST%"
              upstream_cluster: "%UPSTREAM_CLUSTER%"
              upstream_local_address: "%UPSTREAM_LOCAL_ADDRESS%"
              downstream_local_address: "%DOWNSTREAM_LOCAL_ADDRESS%"
              downstream_remote_address: "%DOWNSTREAM_REMOTE_ADDRESS%"
              requested_server_name: "%REQUESTED_SERVER_NAME%"
              route_name: "%ROUTE_NAME%"
```
Logs (access log entries, one JSON object per line; the first entry was captured only from `upstream_host` onward):

```
upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"claude-code/2.0.47","x-envoy-origin-path":"/mcp","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.5.3","x-request-id":"3abd21a8-df78-46a4-b9b1-45f063b5fe84"}
{":authority":"127.0.0.1:8888","bytes_received":0,"bytes_sent":171,"connection_termination_details":null,"downstream_local_address":"127.0.0.1:8888","downstream_remote_address":"127.0.0.1:47598","duration":0,"mcp_backend":null,"mcp_method":null,"mcp_request_id":null,"mcp_session_id":null,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":200,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/default/ai-eg-mcp-main-mcp-route/rule/1/match/0/*","start_time":"2025-11-20T13:11:34.568Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"node","x-envoy-origin-path":"/.well-known/oauth-protected-resource","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.5.3","x-request-id":"f5f8f9e1-0757-4c2f-a577-471aaa93bd68"}
{":authority":"127.0.0.1:8888","bytes_received":0,"bytes_sent":3224,"connection_termination_details":null,"downstream_local_address":"127.0.0.1:8888","downstream_remote_address":"127.0.0.1:47600","duration":0,"mcp_backend":null,"mcp_method":null,"mcp_request_id":null,"mcp_session_id":null,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":200,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/default/ai-eg-mcp-main-mcp-route/rule/4/match/0/*","start_time":"2025-11-20T13:11:37.776Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"node","x-envoy-origin-path":"/.well-known/oauth-authorization-server/mcp","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.5.3","x-request-id":"8e200785-9ee9-45a8-892f-6aef65c8a7bb"}
{":authority":"127.0.0.1:8888","bytes_received":0,"bytes_sent":171,"connection_termination_details":null,"downstream_local_address":"127.0.0.1:8888","downstream_remote_address":"127.0.0.1:47598","duration":0,"mcp_backend":null,"mcp_method":null,"mcp_request_id":null,"mcp_session_id":null,"method":"GET","protocol":"HTTP/1.1","requested_server_name":null,"response_code":200,"response_code_details":"direct_response","response_flags":"-","route_name":"httproute/default/ai-eg-mcp-main-mcp-route/rule/2/match/0/*","start_time":"2025-11-20T13:11:37.783Z","upstream_cluster":null,"upstream_host":null,"upstream_local_address":null,"upstream_transport_failure_reason":null,"user-agent":"node","x-envoy-origin-path":"/.well-known/oauth-protected-resource/mcp","x-envoy-upstream-service-time":null,"x-forwarded-for":"10.244.5.3","x-request-id":"bd57ea69-0204-46c4-a885-829ac703bb01"}
```
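As an added diagnostic (not part of this issue or of the Envoy AI Gateway project), the script below cross-checks the three documents involved in the MCP OAuth discovery seen in the logs: the route's `oauth` block, the gateway's protected resource metadata, and the issuer's authorization server metadata, and reports where they disagree (issuer, `jwks_uri`, resource, scopes). The two metadata documents here are constructed samples: the issuer sample follows Okta's org authorization server layout, where the signing keys are published at `/oauth2/v1/keys`, whereas a custom authorization server such as `default` has issuer `https://<org>.okta.com/oauth2/default` and keys at `/oauth2/default/v1/keys`.

```python
# Values taken from the MCPRoute securityPolicy.oauth block in this issue.
ROUTE_OAUTH = {
    "issuer": "https://trial-7314728.okta.com",
    "jwks_uri": "https://trial-7314728.okta.com/oauth2/default/v1/keys",
    "resource": "http://127.0.0.1:8888/mcp",
    "scopes": ["mcp:access"],
}

# Constructed sample of the gateway's /.well-known/oauth-protected-resource/mcp reply.
SAMPLE_PRM = {
    "resource": "http://127.0.0.1:8888/mcp",
    "authorization_servers": ["https://trial-7314728.okta.com"],
    "scopes_supported": ["mcp:access"],
}

# Constructed sample of {issuer}/.well-known/oauth-authorization-server, laid out
# like Okta's org authorization server (keys at /oauth2/v1/keys, standard OIDC scopes).
# Replace it with the real document when checking a tenant.
SAMPLE_AS_METADATA = {
    "issuer": "https://trial-7314728.okta.com",
    "jwks_uri": "https://trial-7314728.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
}


def check_oauth_config(route, prm, as_meta):
    """Return a list of mismatch descriptions; an empty list means the three documents agree."""
    findings = []
    # The resource the gateway advertises must be the one clients are sent to.
    if prm.get("resource") != route["resource"]:
        findings.append(f"PRM resource {prm.get('resource')!r} != route resource {route['resource']!r}")
    # Clients discover the issuer from PRM; it must list the issuer the route validates against.
    if route["issuer"] not in prm.get("authorization_servers", []):
        findings.append("route issuer missing from PRM authorization_servers")
    # Tokens carry the issuer's own 'iss'; the route issuer must be exactly that string.
    if as_meta.get("issuer") != route["issuer"]:
        findings.append(f"issuer metadata says {as_meta.get('issuer')!r}; token iss will not match route issuer")
    # Signature verification only works with the key set the issuer actually signs with.
    if as_meta.get("jwks_uri") != route["jwks_uri"]:
        findings.append(f"route remoteJWKS {route['jwks_uri']!r} != issuer jwks_uri {as_meta.get('jwks_uri')!r}")
    # A scope the route requires but the server never issues cannot appear in any token.
    missing = sorted(set(route["scopes"]) - set(as_meta.get("scopes_supported", [])))
    if missing:
        findings.append(f"scopes not offered by the authorization server: {missing}")
    return findings


if __name__ == "__main__":
    for line in check_oauth_config(ROUTE_OAUTH, SAMPLE_PRM, SAMPLE_AS_METADATA) or ["no mismatches"]:
        print("-", line)
```

Replace the two sample dictionaries with the real responses (fetched from the gateway and from the issuer) before drawing conclusions about a tenant; with the samples above the script reports the JWKS path mismatch and the unoffered `mcp:access` scope.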