|
| 1 | +--- |
| 2 | +title: Security Best Practices |
| 3 | +--- |
| 4 | + |
| 5 | +## 1. Introduction |
| 6 | + |
| 7 | +### 1.1 Purpose and Scope |
| 8 | + |
| 9 | +This document provides security considerations for the Model Context Protocol (MCP), complementing the MCP Authorization specification. This document identifies security risks, attack vectors, and best practices specific to MCP implementations. |
| 10 | + |
| 11 | +The primary audience for this document includes developers implementing MCP authorization flows, MCP server operators, and security professionals evaluating MCP-based systems. This document should be read alongside the MCP Authorization specification and [OAuth 2.0 security best practices](https://datatracker.ietf.org/doc/html/rfc9700). |
| 12 | + |
| 13 | +## 2. Attacks and Mitigations |
| 14 | + |
| 15 | +This section gives a detailed description of attacks on MCP implementations, along with potential countermeasures. |
| 16 | + |
| 17 | +### 2.1 Confused Deputy Problem |
| 18 | + |
| 19 | +An attacker can exploit configurations where an MCP server operates as a proxy in front of another resource server, leading to the confused deputy problem. |
| 20 | + |
| 21 | +#### 2.1.1 Terminology |
| 22 | + |
| 23 | +**MCP Proxy Server** |
| 24 | +: An MCP server that acts as an intermediary between MCP clients and a protected |
| 25 | + third-party API. The MCP proxy server provides MCP functionality while delegating |
| 26 | +API operations to a third-party API server. The MCP proxy server acts as a single OAuth client to the third-party API server. |
| 27 | + |
| 28 | +**Third-Party Authorization Server** |
| 29 | +: The authorization server that protects access to the third-party API. This server may not |
| 30 | + support dynamic client registration, requiring the MCP proxy server to use a single static |
| 31 | + client ID for all requests. |
| 32 | + |
| 33 | +**Third-Party API** |
| 34 | +: The protected resource server that provides the actual API functionality. Access to this |
| 35 | + API requires tokens issued by the third-party authorization server. |
| 36 | + |
| 37 | +**Static Client ID** |
| 38 | +: A fixed OAuth 2.0 client identifier used by the MCP proxy server when communicating with |
| 39 | + the third-party authorization server, shared across all MCP clients. |
| 40 | + |
| 41 | +#### 2.1.2 Architecture and Attack Flow |
| 42 | + |
| 43 | +```mermaid |
| 44 | +sequenceDiagram |
| 45 | + participant UA as User-Agent (Browser) |
| 46 | + participant MC as MCP Client |
| 47 | + participant M as MCP Proxy Server |
| 48 | + participant TAS as Third-Party Authorization Server |
| 49 | + participant A as Attacker |
| 50 | +
|
| 51 | + Note over UA,M: Initial Auth flow completed |
| 52 | +
|
| 53 | + Note over UA,TAS: Step 1: Legitimate user consent for Third Party Server |
| 54 | +
|
| 55 | + M->>UA: Redirect to third party authorization server |
| 56 | + UA->>TAS: Authorization request (client_id: mcp-proxy) |
| 57 | + TAS->>UA: Authorization consent screen |
| 58 | + Note over UA: Review consent screen |
| 59 | + UA->>TAS: Approve |
| 60 | + TAS->>UA: Set consent cookie for client ID: mcp-proxy |
| 61 | + TAS->>UA: 3P Authorization code + redirect to mcp-proxy-server.com |
| 62 | + UA->>M: 3P Authorization code |
| 63 | + Note over M,TAS: Exchange 3P code for 3P token |
| 64 | + Note over M: Generate MCP authorization code |
| 65 | + M->>UA: Redirect to MCP Client with MCP authorization code |
| 66 | +
|
| 67 | + Note over M,UA: Exchange code for token, etc. |
| 68 | +
|
| 69 | + Note over UA,A: Step 2: Attack (leveraging existing cookie) |
| 70 | + A->>M: Dynamically register malicious client, redirect_uri: attacker.com |
| 71 | + A->>UA: Sends malicious link |
| 72 | + UA->>TAS: Authorization request (client_id: mcp-proxy) + consent cookie |
| 73 | + TAS->>TAS: Cookie present, consent skipped |
| 74 | +
|
| 75 | + TAS->>UA: 3P Authorization code + redirect to mcp-proxy-server.com |
| 76 | + UA->>M: 3P Authorization code |
| 77 | + Note over M,TAS: Exchange 3P code for 3P token |
| 78 | + Note over M: Generate MCP authorization code |
| 79 | + M->>UA: Redirect to attacker.com with MCP Authorization code |
| 80 | + UA->>A: MCP Authorization code delivered to attacker.com |
| 81 | + Note over M,A: Attacker exchanges MCP code for MCP token |
| 82 | + A->>M: Attacker impersonates user to MCP server |
| 83 | +``` |
| 84 | + |
| 85 | +#### 2.1.3 Attack Description |
| 86 | + |
| 87 | +When an MCP proxy server uses a static client ID to authenticate with a third-party |
| 88 | +authorization server that does not support dynamic client registration, the following |
| 89 | +attack becomes possible: |
| 90 | + |
| 91 | +1. A user authenticates normally through the MCP proxy server to access the third-party API |
| 92 | +2. During this legitimate flow, the third-party authorization server sets a cookie on the user agent |
| 93 | + indicating consent for the static client ID |
| 94 | +3. An attacker later sends the user a malicious link containing a crafted authorization request |
| 95 | +4. When the user clicks the link, their browser still has the consent cookie from the previous legitimate request |
| 96 | +5. The third-party authorization server detects the cookie and skips the consent screen |
| 97 | +6. The MCP authorization code is redirected to the attacker's server (specified in the crafted redirect_uri during dynamic client registration) |
| 98 | +7. The attacker exchanges the stolen authorization code for access tokens for the MCP server without the user's explicit approval |
| 99 | +8. Attacker now has access to the third-party API as the compromised user |
| 100 | + |
| 101 | +#### 2.1.4 Mitigation |
| 102 | + |
| 103 | +MCP proxy servers that use a static client ID for third-party services MUST require explicit |
| 104 | +approval for each dynamically registered client before forwarding requests to the |
| 105 | +third-party authorization server for user consent. This ensures that each MCP client's |
| 106 | +access is explicitly controlled at the proxy level. |
0 commit comments