You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specification/draft/basic/authorization.mdx
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -265,25 +265,25 @@ Implementations **MUST** follow OAuth 2.1 security best practices as laid out in
265
265
Attackers who obtain tokens stored by the client, or tokens cached or logged on the server can access protected resources with
266
266
requests that appear legitimate to resource servers.
267
267
268
-
Clients **MUST** implement secure token storage and follow OAuth 2.0 best practices,
268
+
Clients **MUST** implement secure token storage and follow OAuth best practices,
269
269
as outlined in [OAuth 2.1, section 7.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.1).
270
270
271
-
MCP authorization servers SHOULD enforce token expiration and rotation to limit the window of exploitation.
271
+
MCP authorization servers SHOULD issue short-lived access tokens token to reduce the impact of leaked tokens. For public clients, MCP authorization servers MUST rotate refresh tokens as described in [Section 4.3.1 of OAuth 2.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-4.3.1).
272
272
273
273
### 3.2 Communication Security
274
274
An attacker positioned between MCP clients and MCP servers can intercept tokens via [Man-in-the-Middle (MITM)](https://en.wikipedia.org/wiki/Man-in-the-middle_attack) attacks.
275
275
276
276
Implementations MUST follow [OAuth 2.1 section 1.5](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-1.5).
277
277
278
278
Specifically:
279
-
1. All authorization endpoints **MUST** be served over HTTPS.
279
+
1. All authorization server endpoints **MUST** be served over HTTPS.
280
280
1. All redirect URIs **MUST** be either `localhost` or use HTTPS.
281
281
282
282
### 3.3 Authorization Code Protection
283
283
284
284
An attacker who has gained access to an authorization code contained in an authorization response can try to redeem the authorization code for an access token or otherwise make use of the authorization code. (Further described in [OAuth 2.1, section 7.5](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.5))
285
285
286
-
MCP clients **MUST** implement PKCE according to [OAuth 2.1 section 7.5.2](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#name-countermeasures). PKCE helps prevent authorization code interception attacks by requiring clients to create a secret verifier-challenge pair, ensuring that only the original requestor can exchange an authorization code for tokens.
286
+
MCP clients **MUST** implement PKCE according to [OAuth 2.1 section 7.5.2](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.5.2). PKCE helps prevent authorization code interception and injection attacks by requiring clients to create a secret verifier-challenge pair, ensuring that only the original requestor can exchange an authorization code for tokens.
0 commit comments