{
  "name": "mcp",
  "condition": "${find(request.uri.path, '^/mcp')}",
  "properties": {
    "amUrl": "https://myTenant.forgeblocks.com/am/",
    "amRealm": "/alpha",
    "gatewayUrl": "https://ig.example.com:8443",
    "mcpServerUrl": "http://localhost:8000"
  },
  "baseURI": "&{mcpServerUrl}",
  "heap": [
    {
      "name": "AuditService",
      "type": "AuditService",
      "config": {
        "eventHandlers": [
          {
            "class": "org.forgerock.audit.handlers.json.JsonAuditEventHandler",
            "config": {
              "name": "json",
              "logDirectory": "&{ig.instance.dir}/audit",
              "topics": [
                "access",
                "mcp"
              ]
            }
          }
        ]
      }
    },
    {
      "name": "SecretsPasswords",
      "type": "Base64EncodedSecretStore",
      "config": {
        "secrets": {
          "agent.secret.id": "cGFzc3dvcmQ="
        }
      }
    },
    {
      "name": "AmService",
      "type": "AmService",
      "config": {
        "url": "&{amUrl}",
        "realm": "&{amRealm}",
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SecretsPasswords",
        "sessionCache": {
          "enabled": true
        }
      }
    },
    {
      "name": "rsFilter",
      "type": "OAuth2ResourceServerFilter",
      "config": {
        "scopes": [
          "test"
        ],
        "accessTokenResolver": {
          "type": "TokenIntrospectionAccessTokenResolver",
          "config": {
            "amService": "AmService",
            "providerHandler": {
              "type": "Chain",
              "config": {
                "filters": [
                  {
                    "type": "HttpBasicAuthenticationClientFilter",
                    "config": {
                      "username": "ig_agent",
                      "passwordSecretId": "agent.secret.id",
                      "secretsProvider": "SecretsPasswords"
                    }
                  }
                ],
                "handler": "ClientHandler"
              }
            }
          }
        }
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "capture": "all",
    "config": {
      "filters": [
        {
          "type": "McpAuditFilter",
          "config": {
            "auditService": "AuditService"
          }
        },
        {
          "type": "UriPathRewriteFilter",
          "config": {
            "mappings": {
              "/mcp": "/"
            }
          }
        },
        {
          "type": "McpProtectionFilter",
          "config": {
            "resourceId": "&{gatewayUrl}/mcp",
            "authorizationServerUri": "&{amUrl}oauth2/realms/root/realms&{amRealm}",
            "resourceServerFilter": "rsFilter",
            "supportedScopes": [
              "test"
            ],
            "resourceIdPointer": "/audience"
          }
        },
        {
          "type": "McpValidationFilter",
          "config": {
            "acceptedOrigins": ".*"
          }
        }
      ],
      "handler": {
        "type": "ReverseProxyHandler",
        "config": {
          "soTimeout": "20 seconds"
        }
      }
    }
  }
}