Description
Initial Checks
- I confirm that I'm using the latest version of MCP Python SDK
- I confirm that I searched for my issue in https://github.com/modelcontextprotocol/python-sdk/issues before opening this issue
Description
Per the MCP specification, MCP servers MUST validate access tokens as described in OAuth 2.1 Section 5.2. The current SDK's ProviderTokenVerifier.verify_token() method only loads the token rather than validating it, so the security checks OAuth 2.1 requires are missing.
Related Issue: This complements #1435 (RFC 8707 audience validation). Both issues stem from the same root cause: verify_token does not implement proper token validation.
Evidence
```python
# src/mcp/server/auth/provider.py, lines 304-306
class ProviderTokenVerifier(TokenVerifier):
    async def verify_token(self, token: str) -> AccessToken | None:
        """Verify token using the provider's load_access_token method."""
        # Only a lookup: no signature, issuer, audience, expiry, scope or revocation check.
        return await self.provider.load_access_token(token)
```
Missing OAuth 2.1 Section 5.2 Validations:
- ❌ Token signature verification
- ❌ Token format validation
- ❌ Token issuer verification
- ❌ Comprehensive scope validation
- ❌ Token revocation status check
- ❌ Other security validations per OAuth 2.1
Impact
- Security risk: Invalid/tampered tokens may be accepted
- Compliance violation: Fails OAuth 2.1 requirements
Proposed Solution
Implement comprehensive token validation in verify_token that covers every OAuth 2.1 Section 5.2 requirement, in addition to the RFC 8707 audience validation proposed in #1435.
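To make the missing checks concrete, here is an added, self-contained sketch of what a validating verifier does for a signed (HS256) bearer token; it is example code written for this issue, not SDK code, the SDK's method is async and returns an AccessToken, and the signing key, issuer, audience and revoked-token set are constructed demo values. It performs every check in the list above (format, signature, issuer, audience, expiry, revocation, scope) in order and refuses the token at the first failure.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions); a real server reads these from configuration.
SIGNING_KEY = b"constructed-demo-hmac-key"
EXPECTED_ISSUER = "https://auth.example"           # assumed authorization server
EXPECTED_AUDIENCE = "https://mcp.example/server"   # assumed resource id (RFC 8707, #1435)
REVOKED_JTIS = {"revoked-1"}                       # stand-in for a revocation lookup

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Issue an HS256 JWT for the demo; normally the authorization server's job."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, now: float, required_scopes=()):
    """Return the validated claims only if every check passes; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:  # format: exactly three base64url segments
        return None
    header_b, payload_b, sig_b = parts
    try:
        header = json.loads(_b64url_decode(header_b))
        expected = hmac.new(SIGNING_KEY, f"{header_b}.{payload_b}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b)):
            return None  # signature: unexpected/"none" alg, or MAC mismatch (constant-time compare)
        claims = json.loads(_b64url_decode(payload_b))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed base64, JSON, or header structure
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISSUER:  # issuer
        return None
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):  # audience
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now or str(claims.get("jti")) in REVOKED_JTIS:
        return None  # expired, or revocation status says revoked
    scopes = str(claims.get("scope", "")).split()
    if not set(required_scopes) <= set(scopes):  # scope
        return None
    return {"client_id": claims.get("client_id"), "scopes": scopes, "expires_at": int(exp)}
```

A production verifier would use a JWT/JOSE library with the issuer's published keys (or token introspection for opaque tokens) rather than a shared HMAC key, but the sequence of checks is the same.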
P.S. Considering it is a different MCP specification with a similar root cause, I opened a new issue and referred to the older issue that I opened yesterday. I believe that fixing #1435 will also fix this problem, so please feel free to close this issue after #1435 has been fixed. Thank you again to the maintainers for their hard work!
Example Code
Python & MCP Python SDK version: latest