You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
MCP clients **MUST** support both discovery mechanisms to obtain the information required to interact with the authorization server.
59
72
60
-
### Roles
61
-
62
-
A protected MCP server acts as an [OAuth 2.1 resource server](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#name-roles),
63
-
capable of accepting and responding to protected resource requests using access tokens.
64
-
65
-
An MCP client acts as an [OAuth 2.1 client](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#name-roles),
66
-
making protected resource requests on behalf of a resource owner.
67
-
68
-
The authorization server is responsible for interacting with the user (if necessary) and issuing access tokens for use at the MCP server.
69
-
The implementation details of the authorization server are beyond the scope of this specification. It may be hosted with the
70
-
resource server or a separate entity. The [Authorization Server Discovery section](#authorization-server-discovery)
71
-
specifies how an MCP server indicates the location of its corresponding authorization server to a client.
72
-
73
73
### Authorization Server Discovery
74
74
75
75
This section describes the mechanisms by which MCP servers advertise their associated
@@ -142,7 +142,7 @@ for MCP because:
142
142
- It enables seamless connection to new MCP servers and their authorization servers.
143
143
- Authorization servers can implement their own registration policies.
144
144
145
-
Any MCP authorization servers that _do not_ support Dynamic Client Registration need to provide
145
+
Any authorization servers that _do not_ support Dynamic Client Registration need to provide
146
146
alternative ways to obtain a client ID (and, if applicable, client credentials). For one of
147
147
these authorization servers, MCP clients will have to either:
148
148
@@ -277,7 +277,7 @@ response.
277
277
278
278
MCP clients **MUST NOT** send tokens to the MCP server other than ones issued by the MCP server's authorization server.
279
279
280
-
MCP authorization servers **MUST** only accept tokens that are valid for use with their
280
+
Authorization servers **MUST** only accept tokens that are valid for use with their
281
281
own resources.
282
282
283
283
MCP servers **MUST NOT** accept or transit any other tokens.
@@ -304,8 +304,8 @@ requests that appear legitimate to resource servers.
304
304
Clients and servers **MUST** implement secure token storage and follow OAuth best practices,
305
305
as outlined in [OAuth 2.1, Section 7.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.1).
306
306
307
-
MCP authorization servers SHOULD issue short-lived access tokens to reduce the impact of leaked tokens.
308
-
For public clients, MCP authorization servers **MUST** rotate refresh tokens as described in [OAuth 2.1 Section 4.3.1 "Refresh Token Grant"](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.3.1).
307
+
Authorization servers **SHOULD** issue short-lived access tokens to reduce the impact of leaked tokens.
308
+
For public clients, authorization servers **MUST** rotate refresh tokens as described in [OAuth 2.1 Section 4.3.1 "Refresh Token Grant"](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.3.1).
0 commit comments