github agentic-community/mcp-gateway-registry 1.24.5
1.24.5 - Coding-Assistant OAuth, Custom Entity Types, and a New Identity Provider


June 2026


Upgrading from 1.24.4

This section covers everything you need to know to upgrade from 1.24.4 to 1.24.5.

Breaking Changes

There are no breaking changes in this release. Every new capability is gated behind a feature flag or an unset environment variable, so existing deployments behave exactly as before until you opt in:

  • Custom Entity Types are off unless CUSTOM_ENTITY_TYPES_ENABLED=true.
  • IDE OAuth login keeps the static-token Connect config unless IDE_OAUTH_CLIENT_ID is set.
  • PingFederate is only active when AUTH_PROVIDER=pingfederate.
  • Internal/workshop telemetry labels default to off and never affect access control.

New Environment Variables

| Variable | Default | Description |
|---|---|---|
| CUSTOM_ENTITY_TYPES_ENABLED | false | Master switch for admin-defined custom entity types (dynamic tabs + endpoints). |
| CUSTOM_TYPE_CACHE_TTL_SECONDS | 60 | TTL for the in-process custom-type descriptor cache. |
| MAX_CUSTOM_RECORDS_PER_TYPE | 1000 | Soft cap on records per custom type (0 = unlimited). |
| MAX_CUSTOM_TYPES | 50 | Cap on the number of custom entity types an admin can define (0 = unlimited). |
| IDE_OAUTH_CLIENT_ID | (empty) | Pre-registered public OAuth client_id IDEs use to start the gateway login flow. Public, not a secret. |
| IDE_OAUTH_CALLBACK_PORT | 0 | Fixed loopback callback port for the OAuth login redirect (needed for Okta/Entra/Cognito literal redirect matching). 0/unset lets the IDE pick. |
| MCP_ADVERTISED_SCOPES | openid email profile offline_access | Scopes advertised in the PRM that IDEs request at login. Actual access is derived from the token groups claim, not these. |
| INTERNAL_ONLY_DEPLOYMENT | false | Telemetry label only: marks a deployment as an internal/workshop install. Does not change access control. |
| INTERNAL_DEPLOYMENT_TYPE | none | Telemetry label: none / dev / workshop / other. Forced to none when INTERNAL_ONLY_DEPLOYMENT=false. |
| IDP_USER_GROUP_FALLBACK_ENABLED_PROVIDERS | pingfederate | Comma-separated providers for which the local idp_user_groups collection populates empty JWT groups claims. |
| PINGFEDERATE_BASE_URL | https://localhost:9031 | PingFederate runtime base URL (internal, server-to-server). |
| PINGFEDERATE_EXTERNAL_URL | https://localhost:9031 | PingFederate external, browser-facing URL for auth redirects. |
| PINGFEDERATE_CLIENT_ID | mcp-gateway | OAuth2 web-app client id created in the PingFederate admin console. |
| PINGFEDERATE_CLIENT_SECRET | changeme | OAuth2 web-app client secret. |
| PINGFEDERATE_GROUPS_CLAIM | groups | JWT claim name for group memberships. |
| PINGFEDERATE_ENABLED | false | Show the PingFederate button on the login page. |
| PF_ADMIN_URL | https://pingfederate:9999 | PingFederate Admin API endpoint (client/PCV-user creation). |
| PF_ADMIN_USER | administrator | PingFederate Admin API user. |
| PF_ADMIN_PASS | (bundled-PF default) | PingFederate Admin API password. |
| PING_IDENTITY_ACCEPT_EULA | YES | Accept the Ping Identity EULA for the local PingFederate container (--profile pingfederate). |
| PING_IDENTITY_DEVOPS_USER | (empty) | Ping DevOps trial user for the bundled PingFederate container. |
| PING_IDENTITY_DEVOPS_KEY | (empty) | Ping DevOps trial key for the bundled PingFederate container. |

Optional PingFederate variables (PINGFEDERATE_M2M_CLIENT_ID, PINGFEDERATE_M2M_CLIENT_SECRET, PINGFEDERATE_APPLICATION_ID_URI) are commented out in .env.example and default to the web client or empty.
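
A pre-upgrade check of a .env body against the defaults listed above, as an added example that is not part of the project's code. The helper names, the finding texts, and the AUTH_PROVIDER spellings okta, entra and cognito are assumptions; only pingfederate appears as a value in these notes.

```python
# Defaults copied from the table above; only the keys this check reads.
DEFAULTS = {
    "CUSTOM_ENTITY_TYPES_ENABLED": "false", "MAX_CUSTOM_TYPES": "50",
    "MAX_CUSTOM_RECORDS_PER_TYPE": "1000", "IDE_OAUTH_CLIENT_ID": "",
    "IDE_OAUTH_CALLBACK_PORT": "0", "INTERNAL_ONLY_DEPLOYMENT": "false",
    "INTERNAL_DEPLOYMENT_TYPE": "none", "PINGFEDERATE_CLIENT_SECRET": "changeme",
    "PINGFEDERATE_BASE_URL": "https://localhost:9031",
    "PINGFEDERATE_EXTERNAL_URL": "https://localhost:9031",
}
# Assumption: AUTH_PROVIDER spellings for the IdPs that match redirect URIs literally.
LITERAL_REDIRECT_IDPS = {"okta", "entra", "cognito"}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments, stripping quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("\"'")
    return env

def audit_env(text):
    """Return review findings for a .env body (hypothetical helper)."""
    cfg = {**DEFAULTS, **parse_env(text)}
    provider = cfg.get("AUTH_PROVIDER", "").lower()
    findings = []
    if provider == "pingfederate":
        if cfg["PINGFEDERATE_CLIENT_SECRET"] in ("", "changeme"):
            findings.append("PINGFEDERATE_CLIENT_SECRET is still the placeholder")
        for key in ("PINGFEDERATE_BASE_URL", "PINGFEDERATE_EXTERNAL_URL"):
            if "localhost" in cfg[key]:
                findings.append(f"{key} still points at localhost")
    if (cfg["IDE_OAUTH_CLIENT_ID"] and provider in LITERAL_REDIRECT_IDPS
            and cfg["IDE_OAUTH_CALLBACK_PORT"] in ("", "0")):
        findings.append("IDE_OAUTH_CALLBACK_PORT is not fixed for a literal-match IdP")
    if cfg["CUSTOM_ENTITY_TYPES_ENABLED"].lower() == "true":
        for key in ("MAX_CUSTOM_TYPES", "MAX_CUSTOM_RECORDS_PER_TYPE"):
            if cfg[key] == "0":
                findings.append(f"{key}=0 removes the cap")
    if (cfg["INTERNAL_ONLY_DEPLOYMENT"].lower() != "true"
            and cfg["INTERNAL_DEPLOYMENT_TYPE"] != "none"):
        findings.append("INTERNAL_DEPLOYMENT_TYPE is ignored (forced to none)")
    return findings

# Constructed sample .env, not taken from a real deployment.
SAMPLE_ENV = "\n".join([
    "AUTH_PROVIDER=pingfederate", "PINGFEDERATE_EXTERNAL_URL=https://sso.example.test",
    "CUSTOM_ENTITY_TYPES_ENABLED=true", "MAX_CUSTOM_TYPES=0"])
```

Calling audit_env(SAMPLE_ENV) returns three findings: the placeholder client secret, the localhost base URL, and the disabled type cap.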

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.5

# Review new env vars in .env.example and update your .env if needed
# Then rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

Chart templates, values, and helpers changed across the registry, auth-server, mongodb-configure, and stack charts in this release (PingFederate wiring, MongoDB password auto-generation, custom-entity and IDE-OAuth env vars). The packaged subchart .tgz files inside charts/mcp-gateway-registry-stack/charts/ are gitignored and only repackage when you rebuild dependencies, so a plain git pull + helm upgrade would otherwise use stale subcharts.

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.5

# REQUIRED: rebuild packaged subcharts so the stack chart picks up the changes
cd charts/mcp-gateway-registry-stack
helm dependency build
helm dependency update

# Update values.yaml if needed, then upgrade:
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout 1.24.5

# Update your .tfvars with any new variables (e.g. Cognito IDE OAuth, custom entities)
cd terraform/aws-ecs
terraform plan
terraform apply

DockerHub Images

Pre-built images are available:

docker pull mcpgateway/registry:1.24.5
docker pull mcpgateway/auth-server:1.24.5
docker pull mcpgateway/currenttime-server:1.24.5
docker pull mcpgateway/realserverfaketools-server:1.24.5
docker pull mcpgateway/fininfo-server:1.24.5
docker pull mcpgateway/mcpgw-server:1.24.5
docker pull mcpgateway/metrics-service:1.24.5

Major Features

Custom Entity Types

Registry admins can now define new, schema-driven catalog entity types at runtime, each with its own dynamic tabs and endpoints. Each type carries its own embedding collection for semantic search, and the feature ships with guardrails: per-type record caps, a cap on the number of types, and a short-TTL descriptor cache for fast convergence across replicas. Off by default, so existing deployments see no change until an admin enables it.

PR #1173

Coding-Assistant OAuth Login (Cursor, Claude Code, Codex)

The Connect dialog can now hand an AI coding assistant a real OAuth login instead of a static gateway token. A server's Connect config advertises a pre-registered public client_id, so the IDE shows a login button and runs the OAuth/PKCE flow against your identity provider. Per-server oauth_client_id overrides and a /mcp path option let each server tune its connect behavior, and a fixed loopback callback port supports IdPs (Okta, Entra, Cognito) that match the redirect URI literally, including the port.

PR #1224, PR #1235

PingFederate Identity Provider

PingFederate joins Cognito, Keycloak, Entra, Okta, and Auth0 as a supported identity provider. The integration covers token exchange, JWKS, and userinfo, a browser-facing external URL for redirects, a configurable groups claim, and an admin-API path for creating OAuth clients and PCV users. A local PingFederate container is available via the pingfederate Docker Compose profile for evaluation. Because PingFederate has no built-in groups scope, a local idp_user_groups fallback can populate empty JWT groups claims.

PR #1163

Amazon Cognito Support (Terraform/ECS)

Amazon Cognito is now wired end to end for Terraform/ECS deployments, including an IAM manager and documentation. Access tokens from Cognito (which carry no aud claim) are validated by client_id against an allowlist, and the cognito:groups claim drives access derivation.

PR #1210
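
The claim checks described above, sketched as an added example that is not the project's code. It assumes the token signature was already verified against the user pool's JWKS; the iss and token_use checks are standard Cognito claim checks beyond what these notes state, and all function names, sample identifiers and scope names are made up.

```python
import time

class TokenRejected(Exception):
    """Raised when a claim check fails."""

def check_cognito_access_claims(claims, issuer, allowed_client_ids, now=None):
    """Validate claims of a Cognito access token whose signature and key were
    already verified against the pool's JWKS; returns its cognito:groups list."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise TokenRejected("issuer mismatch")
    # Cognito ID tokens say token_use=id and carry aud; only access tokens pass.
    if claims.get("token_use") != "access":
        raise TokenRejected("not an access token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenRejected("expired or missing exp")
    # No aud claim to compare, so the audience check is client_id vs. allowlist.
    client_id = claims.get("client_id")
    if not isinstance(client_id, str) or client_id not in allowed_client_ids:
        raise TokenRejected("client_id not in allowlist")
    groups = claims.get("cognito:groups", [])
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise TokenRejected("malformed cognito:groups")
    return groups

def derive_scopes(groups, group_scopes):
    """Union of scopes for mapped groups; unmapped groups grant nothing."""
    scopes = set()
    for group in groups:
        scopes |= set(group_scopes.get(group, ()))
    return sorted(scopes)

# Constructed sample values (pool id, client id, groups, scope names are made up).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
ALLOWED_CLIENT_IDS = {"example-web-client-id"}
GROUP_SCOPES = {"registry-admins": ["servers:read", "servers:write"]}
SAMPLE_CLAIMS = {
    "iss": ISSUER, "token_use": "access", "client_id": "example-web-client-id",
    "exp": 2_000_000_000, "cognito:groups": ["registry-admins", "unmapped-group"],
}
```

An ID token from the same pool fails the token_use check even though its aud equals an allowlisted client id, which keeps the two token types from being interchangeable.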

Canonical server.json Export

A new read-only endpoint, GET /api/servers/{path}/server.json, projects a stored server document into the canonical shape that conforms to the official Model Context Protocol (MCP) registry server schema. The server details modal in the UI gained a "Canonical" toggle to view and copy that projection. Auth mirrors the bespoke server read, and backend URLs are redacted for non-admin callers in with-gateway mode.

PR #1225, PR #1239


What's New

Authentication

  • Coding-assistant OAuth login with per-server client_id and /mcp path override (#1224)
  • IDE OAuth follow-ups: CSRF fix on connect-config, PRM advertised-scopes default, frontend error surfacing, deployment-surface wiring, and per-IdP public-client setup scripts (#1235)
  • PingFederate identity provider with local-group fallback for empty JWT groups claims (#1163)
  • Amazon Cognito Terraform/ECS support with IAM manager and docs (#1210)
  • Batched per-scope reads on the auth hot path to cut /api/auth/me latency (#1230)

Registry Features

  • Custom Entity Types: admin-defined, schema-driven catalog types with dynamic tabs and endpoints (#1173)
  • Canonical server.json export endpoint (#1225) and a "Canonical" copy toggle in the server details modal (#1239)
  • mcpgw discovery now dedupes candidates and itemizes withheld results (#1227)

Deployment

  • Auto-generated MongoDB password with upgrade-safe persistence (#1222)
  • Internal/workshop deployment classification via telemetry labels (#1220)

Infrastructure

  • Hardened GitHub Actions workflow security (#1177)
  • npm package updates and workflow automation (#1174)

Frontend Improvements

  • Server details modal addresses the at-scale per-card resource exhaustion path and adds the canonical toggle (#1239)

Documentation

  • Repositioned the registry as a true AI asset registry; refreshed roadmap and slide deck (#1223)
  • Dynamic discovery receipt guidance (#1203)
  • Contributor guidance to install pre-commit hooks (#1228)
  • usage-report skill: deterministic template + LLM commentary, LTV counting rule, regrounded rates, daily-reporters chart, community-vs-internal deployment breakdown (#1214, #1236)
  • macOS setup skill fixes: gettext prereq, /var/log bind mount, token file format (#1201)

Bug Fixes

  • Logout failures caused by transient network issues (#1226)
  • NGINX_ENABLE_IPV6 had no effect because IPv6 listeners were wiped when the registry re-rendered the nginx config; the flag now patches the templates so listeners survive a re-render (#1205)
  • Unresolvable virtual-server backend host no longer crashes the nginx (registry) container at startup (#1206)
  • mcpgw discovery returned duplicate candidates and silently dropped withheld results (#1227)

Closed Issues

| Issue | Title | Closed By |
|---|---|---|
| #1238 | Frontend: add "Copy canonical" toggle to server details modal (server.json export) | PR #1239 |
| #1217 | Usage-report: classify internal/workshop deployments from telemetry fields | PR #1220 |
| #1216 | Add internal_only_deployment and internal_deployment_type config + telemetry | PR #1220 |
| #1211 | Amazon Cognito support: Terraform/ECS wiring + IAM manager + docs | PR #1210 |
| #1206 | Unresolvable virtual-server backend host crashes nginx at startup | manual |
| #1204 | NGINX_ENABLE_IPV6 has no effect: IPv6 listeners wiped on config re-render | PR #1205 |
| #1172 | Feature: Custom Entity Types (admin-defined, schema-driven catalog types) | PR #1173 |
| #1127 | feat(auth): add PingFederate as a supported identity provider | PR #1163 |
| #1102 | Frontend: ServerCard fetches rating + security-scan per card, exhausts browser resources at scale | manual |
| #1047 | feat(deps): make target to refresh uv.lock files with supply-chain quarantine | PR #1174 |

Pull Requests Included

| PR | Title |
|---|---|
| #1239 | feat(frontend): add Copy canonical toggle to server details modal |
| #1236 | feat(usage-report): community-vs-internal deployment breakdown |
| #1235 | feat(connect-config): IDE OAuth login follow-ups (CSRF + PRM scopes fixes, surface wiring, docs, IdP scripts) |
| #1234 | build(deps): bump esbuild from 0.25.11 to 0.28.1 in /cli |
| #1230 | Batch per-scope reads on the auth hot path to cut /api/auth/me latency |
| #1228 | docs: tell contributors to install pre-commit hooks |
| #1227 | fix(mcpgw): dedupe discovery candidates and itemize withheld results |
| #1226 | fix logout issues due to network issues |
| #1225 | Add canonical server.json export endpoint (#1187) |
| #1224 | feat(connect-config): per-server OAuth client_id login for Cursor/Claude/Codex + /mcp path override |
| #1223 | docs: position registry as a true AI asset registry, refresh roadmap and slide deck |
| #1222 | feat(charts): auto-generate MongoDB password with upgrade-safe persistence |
| #1220 | feat: track internal/workshop deployments via telemetry (#1216, #1217) |
| #1214 | chore: usage-report skill LTV counting rule, regrounded rates, daily-reporters chart |
| #1210 | feat: Amazon Cognito support (Terraform/ECS, IAM manager, docs) |
| #1208 | build(deps): bump the actions group in /.github/workflows with 11 updates |
| #1207 | build(deps): bump the docker-images group in /docker with 3 updates |
| #1205 | fix(nginx): make NGINX_ENABLE_IPV6 patch templates so IPv6 listeners survive config re-render |
| #1203 | docs: add dynamic discovery receipt guidance |
| #1201 | macOS setup skill: add missing gettext prereq, fix /var/log bind mount, correct token file format |
| #1177 | Feat/harden action security |
| #1174 | add npm package updates and workflow automation |
| #1173 | Feat/custom entities |
| #1163 | feat(auth): add PingFederate as supported identity provider (#1127) |

Security Dependency Updates

| Package | Previous | Updated | Scope |
|---|---|---|---|
| esbuild | 0.25.11 | 0.28.1 | cli/ (npm) |
| docker base images | - | - | docker/ (3 images) |
| GitHub Actions | - | - | .github/workflows/ (11 actions) |

Full Changelog: 1.24.4...1.24.5

What's Changed

  • macOS setup skill: add missing gettext prereq, fix /var/log bind mount, correct token file format by @vrindabhandari in #1201
  • feat(auth): add PingFederate as supported identity provider (#1127) by @shekharprateek in #1163
  • Feat/harden action security by @omrishiv in #1177
  • add npm package updates and workflow automation by @omrishiv in #1174
  • build(deps): bump the actions group in /.github/workflows with 11 updates by @dependabot[bot] in #1208
  • build(deps): bump the docker-images group in /docker with 3 updates by @dependabot[bot] in #1207
  • feat: Amazon Cognito support (Terraform/ECS, IAM manager, docs) by @aarora79 in #1210
  • Feat/custom entities by @omrishiv in #1173
  • chore: usage-report skill — LTV counting rule, regrounded rates, daily-reporters chart by @aarora79 in #1214
  • dynamically generate mongodb password by @omrishiv in #1212
  • fix(nginx): make NGINX_ENABLE_IPV6 patch templates so IPv6 listeners survive config re-render by @go-faustino in #1205
  • Revert "dynamically generate mongodb password" by @omrishiv in #1219
  • feat: track internal/workshop deployments via telemetry (#1216, #1217) by @aarora79 in #1220
  • docs: position as true AI asset registry, refresh roadmap and slide deck by @aarora79 in #1223
  • fix logout issues due to network issues by @omrishiv in #1226
  • docs: add dynamic discovery receipt guidance by @caioribeiroclw-pixel in #1203
  • fix(mcpgw): dedupe discovery candidates and itemize withheld results by @aarora79 in #1227
  • Add canonical server.json export endpoint (#1187) by @vrindabhandari in #1225
  • docs: tell contributors to install pre-commit hooks by @aarora79 in #1228
  • Batch per-scope reads on the auth hot path to cut /api/auth/me latency by @omrishiv in #1230
  • feat(charts): auto-generate MongoDB password with upgrade-safe persistence by @omrishiv in #1222
  • feat(connect-config): per-server OAuth client_id login for Cursor/Claude/Codex + /mcp path override by @go-faustino in #1224
  • build(deps): bump esbuild from 0.25.11 to 0.28.1 in /cli in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1234
  • feat(connect-config): IDE OAuth login follow-ups (CSRF + PRM scopes fixes, surface wiring, docs, IdP scripts) by @aarora79 in #1235
  • feat(usage-report): community-vs-internal deployment breakdown by @aarora79 in #1236
  • feat(frontend): add Copy canonical toggle to server details modal by @aarora79 in #1239
