Commit 5c35d6d

fix: review comments for authentication specification (PR modelcontextprotocol#133)
1 parent 55e7e2b commit 5c35d6d

File tree

1 file changed

+17
-17
lines changed

docs/specification/draft/basic/authorization.md

Lines changed: 17 additions & 17 deletions
@@ -53,8 +53,8 @@ while maintaining simplicity:
5353

5454
### 2.2 Basic OAuth 2.1 Authorization
5555

56-
When authorization is required and not yet prooven by the client, servers **MUST**
57-
respond with _HTTP 401 Unauthorized_.
56+
When authorization is required and not yet proven by the client, servers **MUST** respond
57+
with _HTTP 401 Unauthorized_.
5858

5959
Clients initiate the
6060
[OAuth 2.1 IETF DRAFT](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12)
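Review bot: this hunk is purely typographical (prooven → proven, line break moved) and changes nothing normative; one wording nit on `When authorization is required and not yet proven by the client`: "proven" reads oddly here, since what the client sends is a credential rather than a proof, so `not yet presented by the client` or `not yet provided by the client` would be clearer.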
@@ -88,10 +88,9 @@ For server capability discovery:
8888

8989
- MCP clients _MUST_ follow the OAuth 2.0 Authorization Server Metadata protocol defined
9090
in [RFC8414](https://datatracker.ietf.org/doc/html/rfc8414).
91-
- MCP server _SHOULD_ support follow the OAuth 2.0 Authorization Server Metadata
92-
protocol.
91+
- MCP server _SHOULD_ follow the OAuth 2.0 Authorization Server Metadata protocol.
9392
- MCP servers that do not support the OAuth 2.0 Authorization Server Metadata protocol,
94-
_MUST_ support fallback URLs..
93+
_MUST_ support fallback URLs.
9594

9695
The discovery flow is illustrated below:
9796

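Review bot: the normative keywords in this hunk use italic `_MUST_` / `_SHOULD_` while the other hunks in the same file use bold `**MUST**` / `**SHOULD**`; pick one convention for the whole document. Also `MCP server _SHOULD_ follow` is singular where the neighbouring bullets say `MCP servers`, and the comma in `...Server Metadata protocol, _MUST_ support fallback URLs.` separates subject from verb and should be dropped.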
@@ -111,10 +110,11 @@ sequenceDiagram
111110
Note over C: Continue with authorization flow
112111
```
113112

114-
#### 2.3.1 Server Metadata Discover Headers
113+
#### 2.3.1 Server Metadata Discovery Headers
115114

116115
MCP clients _SHOULD_ include the header `MCP-Protocol-Version: <protocol-version>` during
117-
Server Metadata Discover to allow MCP server to respond based on MCP protocol version.
116+
Server Metadata Discovery to allow the MCP server to respond based on the MCP protocol
117+
version.
118118

119119
For example: `MCP-Protocol-Version: 2024-11-05`
120120

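Review bot: renaming the heading `#### 2.3.1 Server Metadata Discover Headers` to `Discovery Headers` changes the rendered anchor slug, so any in-document or cross-document links to the old heading need updating in the same change. Separately, the paragraph says clients `_SHOULD_` send `MCP-Protocol-Version` but does not say what a server should assume when the header is absent; one sentence stating that default would remove ambiguity for implementers.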
@@ -143,10 +143,9 @@ to allow MCP clients to obtain OAuth client IDs without user interaction.
143143
[OAuth 2.0 Dynamic Client Registration Protocol](https://datatracker.ietf.org/doc/html/rfc7591)
144144
- MCP servers with non-localhost redirect URIs **SHOULD** support Dynamic Client
145145
Registration.
146-
- MCP servers with localhost redirect URIs **OPTIONALLY** support Dynamic Client
147-
Registration.
146+
- MCP servers with localhost redirect URIs **MAY** support Dynamic Client Registration.
148147

149-
Note that are not required to support Dynamic Client Registration. MCP clients that do
148+
Note that it is not required to support Dynamic Client Registration. MCP clients that do
150149
not support Dynamic Client Registration need to provide alternative ways to obtain a
151150
client id (and if applicable client secret).
152151

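Review bot: `Note that it is not required to support Dynamic Client Registration.` still has no subject: the preceding bullets are about servers and the sentence that follows is about clients, so it is unclear which party is meant. Suggest `Note that MCP clients are not required to support Dynamic Client Registration.` (or `MCP servers`, if that is the intent), so it reads consistently with the next sentence.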
@@ -155,9 +154,9 @@ client id (and if applicable client secret).
155154
When using localhost redirect URIs (http://localhost:{port} or http://127.0.0.1:{port}),
156155
clients:
157156

158-
- Dynamic registration is **OPTIONAL** (a client ID is not required)
159-
- **MAY** proceed directly to authorization
160-
- **MUST NOT** require client secrets
157+
- Dynamic registration is **OPTIONAL** (a client ID is not required).
158+
- **MAY** proceed directly to authorization.
159+
- **SHOULD** be considered public clients and not store any clients secrets.
161160

162161
This exception for localhost is explicitly supported by OAuth 2.1 for public clients and
163162
provides a secure flow through the combination of PKCE and localhost-only redirects.
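Review bot: replacing `**MUST NOT** require client secrets` with `**SHOULD** be considered public clients and not store any clients secrets` downgrades a hard requirement to a recommendation, which is a normative change rather than the review-comment cleanup the commit message describes; the sentence right after this list justifies the localhost exception by PKCE and public-client behaviour, so consider keeping the MUST NOT (e.g. `**MUST** be treated as public clients and **MUST NOT** require or store client secrets`) or calling the relaxation out explicitly. Also `clients secrets` should be `client secrets`.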
@@ -202,7 +201,7 @@ sequenceDiagram
202201
M->>B: Redirect to callback with authorization code
203202
B->>C: Authorization code callback
204203
C->>M: Token Request + code_verifier
205-
M->>C: Access Token + Refresh Token
204+
M->>C: Access Token (+ Refresh Token)
206205
C->>M: API Requests with Access Token
207206
```
208207

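Review bot: the parenthetical in `M->>C: Access Token (+ Refresh Token)` makes the refresh token optional in the diagram, but nothing in the surrounding text says under which conditions one is issued; a short sentence next to the diagram stating that refresh tokens are optional and when servers issue them would keep the diagram and the prose aligned.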
@@ -360,7 +359,7 @@ When implementing third-party authorization, servers **MUST**:
360359

361360
#### 3.1 Local clients as Public OAuth 2.1 Clients
362361

363-
We strongly recommend that local clients implement OAuth 2.1 as public client:
362+
We strongly recommend that local clients implement OAuth 2.1 as a public client:
364363

365364
1. Utilizing code challenges (PKCE) for authorization requests to prevent interception
366365
attacks
@@ -370,8 +369,9 @@ We strongly recommend that local clients implement OAuth 2.1 as public client:
370369

371370
#### 3.2 Authorization Metadata Discovery
372371

373-
We strongly recommend, that all clients implement metadata discovery. This reduces the
374-
need for users to provide endpoints either manually or fallback to the defined defaults.
372+
We strongly recommend that all clients implement metadata discovery. This reduces the
373+
need for users to provide endpoints manually or clients to fallback to the defined
374+
defaults.
375375

376376
#### 3.3 Dynamic Client Registration
377377

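Review bot: `clients to fallback to the defined defaults` uses the noun form where the verb `fall back` is needed; suggest `or clients to fall back to the defined defaults`. Removing the stray comma in `We strongly recommend, that` is correct.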