Commit 44029de

Merge pull request modelcontextprotocol#402 from modelcontextprotocol/aaronpk/rfc9728
update Protected Resource Metadata references to RFC9728
2 parents 89a2e98 + cf3a719 commit 44029de

1 file changed

+4
-4
lines changed

docs/specification/draft/basic/authorization.mdx

Lines changed: 4 additions & 4 deletions
@@ -45,7 +45,7 @@ while maintaining simplicity:
4545
1. MCP authorization servers and MCP clients **SHOULD** support the OAuth 2.0 Dynamic Client Registration
4646
Protocol ([RFC7591](https://datatracker.ietf.org/doc/html/rfc7591)).
4747

48-
1. MCP servers **MUST** implement [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13).
48+
1. MCP servers **MUST** implement OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728)).
4949
MCP clients **MUST** use OAuth 2.0 Protected Resource Metadata for authorization server discovery.
5050

5151
1. MCP authorization servers and MCP clients **MUST** implement OAuth 2.0 Authorization
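Review bot: At new line 48 the reference under this **MUST** moves from draft-ietf-oauth-resource-metadata-13 to the published RFC9728, but neither the hunk nor the commit message says whether the requirement is the same in both documents. If the final RFC differs from draft -13 in anything an MCP server has to implement, add a changelog entry so implementers who built against the draft know to re-check; if nothing changed, one sentence in the commit message saying so would be enough. The new citation form (plain-text title followed by the linked RFC number in parentheses) matches the RFC7591 reference on line 46.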
@@ -82,16 +82,16 @@ authorization servers to MCP clients, as well as the discovery process through w
8282
clients can determine authorization server endpoints and supported capabilities.
8383

8484
### 2.3.1 Authorization Server Location
85-
MCP servers **MUST** implement the [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13)
85+
MCP servers **MUST** implement OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728))
8686
specification to indicate the locations of authorization servers. The Protected Resource Metadata document returned by the MCP server **MUST** include
8787
the `authorization_servers` field containing at least one authorization server.
8888

8989
The specific use of `authorization_servers` is beyond the scope of this specification; implementers should consult
90-
the [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13) documentation for
90+
OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728)) for
9191
guidance on implementation details.
9292

9393
MCP servers **MUST** use the HTTP header `WWW-Authenticate` when returning a _401 Unauthorized_ to indicate the location of the resource server metadata URL
94-
as described in [OAuth 2.0 Protected Resource Metadata](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-resource-metadata-13).
94+
as described in OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728)).
9595

9696
MCP clients **MUST** be able to parse `WWW-Authenticate` headers and respond appropriately to `HTTP 401 Unauthorized` responses from the MCP server.
9797
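Review bot: At new line 85 the article was dropped along with the link, so the sentence now reads "MCP servers **MUST** implement OAuth 2.0 Protected Resource Metadata (RFC9728) specification to indicate ..."; restore "the" before "OAuth 2.0" or remove the word "specification" at the start of line 86. Line 90 does not have this problem because "documentation" was removed together with "the". Separately, line 93 says "resource server metadata URL" while the rest of this section says "Protected Resource Metadata"; using one term would make it clearer which URL the `WWW-Authenticate` header has to carry.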
