You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specification/draft/basic/authorization.mdx
+22-1Lines changed: 22 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -306,4 +306,25 @@ upstream API.
306
306
307
307
If the the backing authorization server sets cookies after user consent, an attacker can craft malicious authorization requests that bypass consent flows for previously authorized applications.
308
308
309
-
MCP servers using a static client_id for a backing service MUST require explicit approval for each newly registered dynamic client prior to forwarding requests to the backing authorization server for user consent.
309
+
MCP servers using a static client_id for a backing service MUST require explicit approval for each newly registered dynamic client prior to forwarding requests to the backing authorization server for user consent.
310
+
311
+
### 3.5 Token Validation
312
+
313
+
An attacker can gain unauthorized access or perform token redirection attacks if an MCP server accepts tokens with incorrect audience claims. This vulnerability has two critical dimensions:
314
+
315
+
1.**Audience validation failures.** When an MCP server doesn't verify that tokens were specifically intended for it (via the `aud` claim), it may accept tokens originally issued for other services. This breaks the fundamental OAuth security boundary, allowing attackers to reuse legitimate tokens across different services than intended.
316
+
2.**Token passthrough.** If the MCP server not only accepts tokens with incorrect audiences but also forwards these unmodified tokens to downstream services, it introduces the "confused deputy" risk, outlined in [Section 3.4](#34-confused-deputy-problem). The MCP server becomes an unintentional proxy that can:
317
+
1. Enable privilege escalation across service boundaries
318
+
1. Facilitate lateral movement through connected resources
319
+
1. Allow circumvention of security controls between services
320
+
1. Enable replay attacks against multiple backend systems
321
+
322
+
MCP servers **MUST** take all necessary steps to ensure no data is returned to unauthorized parties and **MUST** ensure any credentials are valid before processing the request.
323
+
324
+
For example, a MCP server could validate inbound tokens through one of the following approaches:
325
+
326
+
1. Token introspection, according to [RFC7662](https://datatracker.ietf.org/doc/html/rfc7662). 1. JWT validation, according to [RFC 9068](https://www.rfc-editor.org/rfc/rfc9068.html).
327
+
1. Custom validation, according to the conventions established by the AS.
328
+
329
+
MCP servers **MUST** strictly validate token audiences and only accept tokens specifically intended for themselves. Implementers **MUST NOT** design architectures where clients send
330
+
tokens through the MCP server intended for other resources.
0 commit comments