SEP-991 specification changes; OAuth client id metadata document (modelcontextprotocol#1296)

* wip sep

* edit slightly

* fixing

* mermaids

* move to sep folder

* fix some todos and formatting

* Update docs/specification/sep/sep-client-id-metadata.md

Co-authored-by: Aaron Parecki <[email protected]>

* Apply suggestions from code review

Co-authored-by: PieterKas <[email protected]>
Co-authored-by: Aaron Parecki <[email protected]>

* rename sep md

* mention private_key_jwt

* fixup attestation section

* fix up evolving standard text

* add change to authorization.md

* Update spec in preparation for release

* Update authorization.mdx

* Update docs/specification/draft/basic/authorization.mdx

* Update docs/specification/draft/basic/authorization.mdx

* Update docs/specification/draft/basic/authorization.mdx

* Update docs/specification/draft/basic/authorization.mdx

* Apply suggestions from code review

* rework headings

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Max Gerber <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Max Gerber <[email protected]>

* Consolidate security guidance for metadata fetching

Merged SSRF and DDoS protection sections into a unified 'Authorization Server Abuse Protection' section. Clarified and reorganized security recommendations for authorization servers fetching client metadata documents, including SSRF and DoS mitigation steps.

* Clarify client hostname display for phishing prevention

Updated the documentation to specify that both the CIMD and other associated client hostnames should be displayed prominently to prevent phishing, instead of only the client hostname.

* changelog

* Update authorization.mdx

re-order client registration methods

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* lint

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* Update authorization flow diagram and clarify client registration

Added explicit authentication prompt and user credential steps to the sequence diagram for clarity. Improved wording regarding OAuth 2.0 Dynamic Client Registration Protocol support.

* Update authorization.mdx

* Update docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <[email protected]>

* empty for gh

---------

Co-authored-by: Aaron Parecki <[email protected]>
Co-authored-by: PieterKas <[email protected]>
Co-authored-by: den (work) <[email protected]>
Co-authored-by: Max Gerber <[email protected]>

Author: 5 people