fix: strip http forwarded headers from requests to kc #624

Merged: manusa merged 1 commit into containers:main from Cali0707:fix-keycloak-middleware on Jan 7, 2026

Cali0707 (Collaborator) commented Jan 7, 2026

While testing the server deployed in an OpenShift cluster, the well-known proxy to Keycloak was not working correctly, as all the various forwarded headers led Keycloak to set the base URL to the URL of the MCP server, not the Keycloak server.

This PR just strips those forwarded headers before passing requests to the Keycloak server.

Signed-off-by: Calum Murray <cmurray@redhat.com>
Cali0707 requested review from manusa and matzew January 7, 2026 14:59

matzew (Collaborator) left a comment

LGTM

thanks for picking this here!

manusa (Member) commented Jan 7, 2026

I need to properly check this. I recall that the header forwarding was added precisely for a proxy-related issue.
Do you have some environment to try or a way to reproduce the issue?

Cali0707 (Collaborator, Author) commented Jan 7, 2026

> Do you have some environment to try or a way to reproduce the issue?

To reproduce, you can install Keycloak + the MCP server in an OpenShift cluster (behind routes), and then try to authenticate.

I was using the make targets in openshift#80.

manusa (Member) commented Jan 7, 2026

> To reproduce, you can install keycloak + the MCP server in a OpenShift cluster (behind routes), and then try to authenticate

OK, I've checked the history.
This was added for the MCP inspector and the CORS issue #406

Was not present in the early implementation when everything was tested with the OpenShift setup.

I assume that the problem is that the URLs from the Well Known document now point to the MCP URL instead of that of the exposed Keycloak endpoints.

Cali0707 (Collaborator, Author) commented Jan 7, 2026

> I assume that the problem is that the URLs from the Well Known document now point to the MCP URL instead of that of the exposed Keycloak endpoints.

Yes, that is exactly the issue this is trying to resolve.

manusa (Member) left a comment

If this is needed for downstream work, I think we can merge safely.
As agreed internally, we may follow up to provide only headers necessary for the MCP inspector.

manusa added this to the 0.1.0 milestone Jan 7, 2026
manusa merged commit 166aa63 into containers:main Jan 7, 2026
6 checks passed
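
The behaviour discussed in this thread, as an added Go example that is not the project's code: a stand-in identity provider (`fakeIdP`, hypothetical) derives its issuer URL from `X-Forwarded-Host`, and `relayHeaders` (hypothetical) shows the discovery document with the forwarded headers relayed and with them stripped. The header list and both hostnames are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Assumed list: the PR page does not enumerate the headers it strips.
var forwarded = []string{"Forwarded", "X-Forwarded-For", "X-Forwarded-Host", "X-Forwarded-Proto", "X-Forwarded-Port"}

// fakeIdP stands in for Keycloak: it prefers X-Forwarded-Host over Host for its issuer URL.
func fakeIdP(w http.ResponseWriter, r *http.Request) {
	host := r.Host
	if v := r.Header.Get("X-Forwarded-Host"); v != "" {
		host = v
	}
	fmt.Fprintf(w, `{"issuer":"https://%s/realms/demo"}`, host)
}

// relayHeaders returns a copy of the inbound headers for the upstream request, optionally stripped.
func relayHeaders(in http.Header, strip bool) http.Header {
	out := in.Clone()
	if strip {
		for _, name := range forwarded {
			out.Del(name)
		}
	}
	return out
}

// issuerSeenByClient replays a constructed request, shaped like one that arrived through a route.
func issuerSeenByClient(strip bool) string {
	in := httptest.NewRequest(http.MethodGet, "/.well-known/openid-configuration", nil)
	in.Header.Set("X-Forwarded-Host", "mcp.apps.example.test") // constructed value
	// The relayed request targets the identity provider's own (constructed) host.
	out := httptest.NewRequest(http.MethodGet, "https://keycloak.apps.example.test"+in.URL.Path, nil)
	out.Header = relayHeaders(in.Header, strip)
	rec := httptest.NewRecorder()
	fakeIdP(rec, out)
	return rec.Body.String()
}

func main() {
	fmt.Println("headers kept:    ", issuerSeenByClient(false))
	fmt.Println("headers stripped:", issuerSeenByClient(true))
}
```

With the headers relayed, the issuer points at the MCP host; with them stripped, it points at the identity provider's own host.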