
Commit 0441a60

Merge branch 'main' into localden/note
2 parents e72cb1e + 8c778cb commit 0441a60

File tree

1 file changed

+10
-16
lines changed

docs/specification/draft/basic/authorization.mdx

Lines changed: 10 additions & 16 deletions
@@ -63,12 +63,9 @@ specifies how an MCP server indicates the location of its corresponding authoriz
6363
1. MCP servers **MUST** implement OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728)).
6464
MCP clients **MUST** use OAuth 2.0 Protected Resource Metadata for authorization server discovery.
6565

66-
1. Authorization servers **MUST** provide _at least one_ of the following discovery mechanisms:
67-
68-
- OAuth 2.0 Authorization Server Metadata ([RFC8414](https://datatracker.ietf.org/doc/html/rfc8414))
69-
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0-final.html)
70-
71-
MCP clients **MUST** support both discovery mechanisms to obtain the information required to interact with the authorization server.
66+
1. MCP authorization servers **MUST** provide OAuth 2.0 Authorization
67+
Server Metadata ([RFC8414](https://datatracker.ietf.org/doc/html/rfc8414)).
68+
MCP clients **MUST** use the OAuth 2.0 Authorization Server Metadata.
7269

7370
### Authorization Server Discovery
7471

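Review bot: the new client requirement `MCP clients **MUST** use the OAuth 2.0 Authorization Server Metadata.` drops the purpose clause the removed text carried ("to obtain the information required to interact with the authorization server"), so it no longer says what the metadata is used for; suggest `MCP clients **MUST** use OAuth 2.0 Authorization Server Metadata to obtain the information required to interact with the authorization server.` Narrowing the server requirement from "at least one of" RFC8414 or OpenID Connect Discovery to RFC8414 only is also a compatibility change: any authorization server that publishes only `/.well-known/openid-configuration` stops conforming, and nothing in the hunk tells implementers that; either call it out as a breaking change in the surrounding text or keep OpenID Connect Discovery as a fallback the client MAY try when the RFC8414 document is absent. Minor: "MCP authorization servers" is a new term the removed text ("Authorization servers") did not use; the server is a plain OAuth 2.0 authorization server, not an MCP component, so the old wording is clearer unless the term is defined elsewhere.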
@@ -94,6 +91,11 @@ as described in [RFC9728 Section 5.1 "WWW-Authenticate Response"](https://datatr
9491

9592
MCP clients **MUST** be able to parse `WWW-Authenticate` headers and respond appropriately to `HTTP 401 Unauthorized` responses from the MCP server.
9693

94+
#### Server Metadata Discovery
95+
96+
MCP clients **MUST** follow the OAuth 2.0 Authorization Server Metadata [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414)
97+
specification to obtain the information required to interact with the authorization server.
98+
9799
#### Sequence Diagram
98100

99101
The following diagram outlines an example flow:
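Review bot: the new "Server Metadata Discovery" subsection requires clients to follow RFC8414 but says neither how the metadata URL is formed from the authorization server URL obtained from the resource metadata nor that the `issuer` value in the fetched document must be checked against that URL (RFC8414 Section 3.3) before any endpoint from it is used; without the second check a client will take `authorization_endpoint` and `token_endpoint` values from a document that was served for a different issuer. Suggest one sentence on each. Style: the citation sits mid-sentence and without the parentheses the rest of the document uses, e.g. `the OAuth 2.0 Authorization Server Metadata specification ([RFC8414](https://datatracker.ietf.org/doc/html/rfc8414))`.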
@@ -112,11 +114,7 @@ sequenceDiagram
112114
M-->>C: Resource metadata with authorization server URL
113115
Note over C: Validate RS metadata,<br />build AS metadata URL
114116
115-
alt OAuth 2.0 Authorization Server Metadata
116-
C->>A: GET /.well-known/oauth-authorization-server
117-
else OpenID Connect Discovery
118-
C->>A: GET /.well-known/openid-configuration
119-
end
117+
C->>A: GET /.well-known/oauth-authorization-server
120118
A-->>C: Authorization server metadata
121119
122120
Note over C,A: OAuth 2.1 authorization flow happens here
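Review bot: the single `C->>A: GET /.well-known/oauth-authorization-server` implies the metadata document always lives at the root of the authorization server host, but the note just above it says the client builds the AS metadata URL, and under RFC8414 Section 3.1 an issuer with a path component has the well-known segment inserted between host and path. Suggest either a generic label such as `GET <AS metadata URL>` or a note that the path is derived from the issuer URL, so readers do not hard-code the root path.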
@@ -172,11 +170,7 @@ sequenceDiagram
172170
173171
Note over C: Parse metadata and extract authorization server(s)<br/>Client determines AS to use
174172
175-
alt OAuth 2.0 Authorization Server Metadata
176-
C->>A: GET /.well-known/oauth-authorization-server
177-
else OpenID Connect Discovery
178-
C->>A: GET /.well-known/openid-configuration
179-
end
173+
C->>A: GET /.well-known/oauth-authorization-server
180174
A->>C: Authorization server metadata response
181175
182176
alt Dynamic client registration
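Review bot: this diagram answers the metadata fetch with the solid arrow `A->>C: Authorization server metadata response`, while the first diagram uses the dashed reply arrow `A-->>C: Authorization server metadata` for the same exchange; make the two consistent (dashed for responses, as the first diagram already does). Also the note "Parse metadata and extract authorization server(s) / Client determines AS to use" goes straight to the metadata GET with no validation step shown, whereas the first diagram has "Validate RS metadata" before it; a matching `Note over C` that the chosen AS comes from the resource metadata and that the fetched `issuer` matches it would keep the two flows aligned.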
