Auth: MCP Servers are Resource Servers only. Add Protected Resource Metadata to discover Authorization Server by dsp-ant · Pull Request #338 · modelcontextprotocol/modelcontextprotocol

dsp-ant · 2025-04-14T19:49:47Z

No description provided.

docs/specification/2025-03-26/basic/authorization.mdx

0Itsuki0

The link for the OAuth 2.0 Protected Resource Metadata in section 2.3.1 points to the draft. (https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13)

Shouldn't it be https://datatracker.ietf.org/doc/html/rfc9728 instead?

aaronpk · 2025-04-26T23:50:20Z

I already fixed that in #402

0Itsuki0 · 2025-04-27T02:15:21Z

I already fixed that in #402

Oops! Sorry about that!

janakamarasena · 2025-04-27T16:15:54Z

I think it would be good to add more context around the refresh token. I can see it is shown in the flow and the specification mentions that refresh token handling best practices should be used. I feel it might be better to mention in which cases a refresh token should be used, otherwise the client could unnecessarily have indefinite access. It would be better to provide a reference to refresh token handling best practices (maybe https://datatracker.ietf.org/doc/html/rfc9700#name-refresh-token-protection). Also noticed that the specification directly mentions the authorization code grant and the client credentials grant but doesn't have a mention of the refresh token grant although the refresh token is referenced.

pcibraro · 2025-05-01T15:30:35Z

The specification does not mention how the WWW-Authenticate header should look like. A sample would be useful. Thanks

mintlify bot deployed to staging - docs April 14, 2025 19:50 View deployment

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

aaronpk reviewed Apr 15, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

mintlify bot deployed to staging - docs April 15, 2025 17:10 View deployment

mintlify bot deployed to staging - docs April 15, 2025 17:11 View deployment

mintlify bot deployed to staging - docs April 15, 2025 17:12 View deployment

mintlify bot deployed to staging - docs April 15, 2025 17:13 View deployment

mintlify bot deployed to staging - docs April 15, 2025 17:14 View deployment

dsp-ant force-pushed the davidsp/auth-rs-as-prm branch from 075bc17 to df2ebe8 Compare April 15, 2025 17:52

mintlify bot deployed to staging - docs April 15, 2025 17:53 View deployment

dsp-ant force-pushed the davidsp/auth-rs-as-prm branch from df2ebe8 to 63095fb Compare April 17, 2025 16:00

aaronpk reviewed Apr 17, 2025

View reviewed changes

docs/specification/2025-03-26/basic/authorization.mdx Outdated Show resolved Hide resolved

mintlify bot deployed to staging - docs April 17, 2025 16:02 View deployment

localden reviewed Apr 22, 2025

View reviewed changes

dsp-ant force-pushed the davidsp/auth-rs-as-prm branch from 63095fb to b8b98cb Compare April 22, 2025 15:17

Merge branch 'main' into davidsp/auth-rs-as-prm

44f3de5

localden approved these changes Apr 23, 2025

View reviewed changes

mintlify bot deployed to staging - docs April 23, 2025 17:20 View deployment

aaronpk approved these changes Apr 23, 2025

View reviewed changes

localden merged commit 89a2e98 into main Apr 23, 2025
5 checks passed

localden deleted the davidsp/auth-rs-as-prm branch April 23, 2025 17:24

dsp-ant mentioned this pull request Apr 23, 2025

[RFC] Update the Authorization specification for MCP servers #284

Closed

4 tasks

This was referenced Apr 23, 2025

Treat the MCP server as an OAuth resource server rather than an authorization server #205

Closed

Clients should support WWW-Authenticate for authentication rather than just the MCP server's OIDC metadata document #195

Closed

localden mentioned this pull request Apr 23, 2025

WIP: Authorization spec fast-follow #401

Merged

0Itsuki0 reviewed Apr 26, 2025

View reviewed changes

localden mentioned this pull request Apr 29, 2025

Support MCP Server Authorization microsoft/vscode#247759

Closed

dsp-ant changed the title ~~WIP: RS/AS split and PRM~~ Auth: MCP Servers are Resource Servers only. Add Protected Resource Metadata to discover Authorization Server May 2, 2025

dsp-ant added this to Standards Track May 2, 2025

github-project-automation bot moved this to Draft in Standards Track May 2, 2025

dsp-ant moved this from Draft to Approved in Standards Track May 2, 2025

maia-iyer mentioned this pull request May 2, 2025

Support On-Behalf-Of Token Exchange protocol for Agent-to-Agent Communications #214

Closed

aaronpk mentioned this pull request May 30, 2025

Simplify Authorization #389

Closed

dsp-ant added this to the DRAFT: 2025-03-26 milestone Jun 5, 2025

ihrpr mentioned this pull request Jun 9, 2025

[sdk implemetation] auth #688

Closed

primeinc mentioned this pull request Jun 18, 2025

Migrate from fastmcp to official modelcontextprotocol/python-sdk primeinc/telnyx-mcp-server#13

Draft

ihrpr mentioned this pull request Jun 18, 2025

MCP server separation into Authorization Server (AS) and Resource Server (RS) roles per spec PR #338 modelcontextprotocol/python-sdk#982

Merged

3 tasks

desimone mentioned this pull request Jun 20, 2025

Spec Proposal: A Gateway-Based Authorization Model #803

Closed

Mookse mentioned this pull request Jun 25, 2025

MCP: Upgrade to 2025-06-18 MyLife-Services/mylife-maht#536

Closed

6 tasks

muliyul mentioned this pull request Jun 29, 2025

Grouped (namespaced) servers should expose OAuth 2.1 endpoints for authentication metatool-ai/mcp-server-metamcp#24

Open

Mookse mentioned this pull request Jul 2, 2025

MCP (Security) Upgrade 2025-0618 MyLife-Services/mylife-maht#541

Open

4 tasks

Conversation

dsp-ant commented Apr 14, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

0Itsuki0 left a comment

Choose a reason for hiding this comment

Uh oh!

aaronpk commented Apr 26, 2025

Uh oh!

0Itsuki0 commented Apr 27, 2025

Uh oh!

janakamarasena commented Apr 27, 2025

Uh oh!

pcibraro commented May 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Comments

pcibraro commented May 1, 2025 •

edited

Loading