You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specification/draft/basic/authorization.mdx
+4-5Lines changed: 4 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -255,15 +255,14 @@ Servers **MUST** return appropriate HTTP status codes for authorization errors:
255
255
256
256
## 3. Security Considerations
257
257
258
-
Implementations **MUST** follow OAuth 2.1 security best practices. Refer to
259
-
[RFC9700](https://datatracker.ietf.org/doc/html/rfc9700) for details.
258
+
Implementations **MUST** follow OAuth 2.1 security best practices as laid out in [Section 7. Security Considerations](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#name-security-considerations).
260
259
261
260
### 3.1 Token Theft
262
261
Attackers who obtain tokens stored by the client, or tokens cached or logged on the server can access protected resources with
263
262
requests that appear legitimate to resource servers.
264
263
265
264
Clients **MUST** implement secure token storage and follow OAuth 2.0 best practices,
266
-
as outlined in [RFC 9700](https://datatracker.ietf.org/doc/html/rfc9700).
265
+
as outlined in [OAuth 2.1, section 7.1](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.1).
267
266
268
267
MCP authorization servers SHOULD enforce token expiration and rotation to limit the window of exploitation.
269
268
@@ -278,7 +277,7 @@ Specifically:
278
277
279
278
### 3.3 Authorization Code Protection
280
279
281
-
An attacker who has gained access to an authorization code contained in an authorization response can try to redeem the authorization code for an access token or otherwise make use of the authorization code. (Further described in [RFC 9700 Section 4.5](https://www.rfc-editor.org/rfc/rfc9700.html#name-authorization-code-injectio))
280
+
An attacker who has gained access to an authorization code contained in an authorization response can try to redeem the authorization code for an access token or otherwise make use of the authorization code. (Further described in [OAuth 2.1, section 7.5](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.5))
282
281
283
282
MCP clients **MUST** implement PKCE according to [OAuth 2.1 section 7.5.2](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#name-countermeasures). PKCE helps prevent authorization code interception attacks by requiring clients to create a secret verifier-challenge pair, ensuring that only the original requestor can exchange an authorization code for tokens.
MCP clients **SHOULD** use and verify state parameters in the authorization code flow
294
293
and discard any results that do not include or have a mis-match with the original state.
295
294
296
-
Authorization servers **MUST** take precautions to prevent redirecting user agents to untrusted URI's, following suggestions laid out in [RFC 9700 Section 4.11.2](https://www.rfc-editor.org/rfc/rfc9700.html#section-4.11.2)
295
+
Authorization servers **MUST** take precautions to prevent redirecting user agents to untrusted URI's, following suggestions laid out in [OAuth 2.1, Section 7.12.2](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1-12#section-7.12.2)
0 commit comments