OAuth for MCP

Transcript

1. Aaron Parecki • May 2025 • MCP Dev Summit OAuth

   for MCP

2. Raise your hand if you're building... an MCP server an

   MCP client an OAuth server

3. Specs are not good tutorials!

4. RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009

   RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

5. OAuth 2.0 RFC6749 OAuth Core Authorization Code Implicit Password Client

   Credentials RFC6750 Bearer Tokens Tokens in HTTP Header Tokens in POST Form Body Tokens in GET Query String RFC7636 +PKCE RFC8252 PKCE for mobile Browser App BCP PKCE for SPAs PKCE for con fi dential clients Security BCP

6. OAuth 2.1 Authorization Code Client Credentials +PKCE Tokens in HTTP

   Header Tokens in POST Form Body

7. OAuth 2.1 Consolidate the OAuth 2.0 specs,
 adding best practices,

   
 removing deprecated features Capture current best practices in OAuth 2.0 under a single name oauth.net/2.1

8. https://yelp.com/

9. The Password Anti-Pattern

10. The Password Anti-Pattern facebook.com ~2010

11. The Password Anti-Pattern • How do you revoke this app’s

    access? • Do you trust the app to not store your password? • Do you trust the app to access only the things it says it needs? • Do you trust the app to not do things like change your password or delete your account?
12. None

13. how can I let an app access my data without

    giving it my password?

14. Authorization Server Access Token Resource (API)

15. https://unsplash.com/photos/GJY1eAw6tn8

16. None

17. Application OAuth Server

18. None

19. Identification Accessing APIs Tells the application about the user authenticating

    Gives the application a way to make API requests

20. Tells the application about the user authenticating Gives the application

    a way to make API requests ID Token Access Token

21. ID Token Access Token

22. OAuth Server Application API

23. ID Token Access Token Read by the App Read by

    the API

24. example.com/auth example.com/api Client authorization requests resource requests MCP Server March

    26 version of MCP Authorization Spec

25. MCP Authorization Server auth.example.com MCP Resource Server api.example.com Client authorization

    requests resource requests Current draft version of MCP Authorization Spec

26. User Agent MCP Client OAuth Server MCP Server ? Authorization

    Request Authorization Code Response Token Request Token Response "Log In" MCP Request

27. User Agent OAuth Server Authorization Request Authorization Code Response Token

    Request Token Response "Log In" Front Channel Back Channel MCP Request MCP Client MCP Server ?

28. User Agent OAuth Server Authorization Request Authorization Code Response Token

    Request Token Response "Log In" Front Channel Back Channel MCP Request MCP Client MCP Server What the 
 MCP Client Sees ?

29. User Agent OAuth Server ? Authorization Request Authorization Code Response

    Token Request Token Response "Log In" Front Channel Back Channel MCP Request MCP Client MCP Server What the 
 MCP Server Sees

30. Access Token Validation GET /v1/contexts HTTP/1.1 Host: mcp.example.com Authorization: Bearer

    eyJhbGciOiJIUzI1NiIs... How does your MCP server validate access tokens?

31. Access Token Validation Local Validation Remote Introspection ‣ Faster ‣

    No network requests ‣ Use a JWT library ‣ Slower ‣ Requires a network request ‣ No library needed eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZS I6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImp0aSI6ImI5ZDRhNzViLTA2MDMtNDgxYy1hM jgyLTY3YTk0NDJiNGRkNiIsImlhdCI6MTUzMjQwMDkyMiwiZXhwIjoxNTMyNDA0NTIyfQ.S jYROEt8lZpEOq1eKh3OxRmRk3xttOXZeD5yW8aW2k8 { "sub": "1234567890", "name": "John Doe", "admin": true, "jti": "b9d4a75b-0603-481c-a282-67a9442b4dd6", "iat": 1532400922, "exp": 1532404522 } POST https://authorization-server.com/introspect token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3OD &client_id={CLIENT_ID} &client_secret={CLIENT_SECRET}

32. Goal 1: Con fi gure an MCP client with only

    the single URL of the MCP server No copying API keys, no copying multiple OAuth URLs, no client credentials

33. PROTECTED RESOURCE METADATA RFC 9728

34. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"

35. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource" GET /.well-known/oauth-protected-resource Host: mcp.example.com HTTP/1.1 200 Ok Content-type: application/json { "authorization_servers": ["https://auth.example.com/"], ... }

36. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource" GET /.well-known/oauth-protected-resource Host: mcp.example.com HTTP/1.1 200 Ok Content-type: application/json { "authorization_servers": ["https://auth.example.com/"], ... } GET /.well-known/oauth-authorization-server Host: auth.example.com HTTP/1.1 200 Ok Content-type: application/json { "issuer": "https://auth.example.com/",

37. Goal 2: Enable people to build MCP servers that can

    be used by MCP clients
 that have never before seen that client

38. DYNAMIC CLIENT REGISTRATION RFC 7591

39. POST /oauth/register HTTP/1.1 Host: auth.example.com Content-Type: application/json { "client_name": "Claude",

    "logo_uri": "https://claude.ai/logo.png", "redirect_uris": ["https://auth.example.com/redirect"] ... } HTTP/1.1 201 Created Content-Type: application/json { "client_id": "ad2669221ba94de0ee0", "client_secret": "6a58a307937e98c459be3bfe8e19af3a", ... }
40. None

41. Authorization Interface client_id example-app.com

42. ENTERPRISE-READY MCP

43. Enterprise IdP AI Chat Bot Chat Wiki Video Conferencing etc

    Enterprise Single Sign-On

44. Logging in to Claude with SSO 1. Login Screen 2.

    Redirect to IdP 3. Logged In

45. Enterprise IdP AI Chat Bot Chat Wiki Video Conferencing etc

    Enterprise API Access

46. Granting Claude Access to Google via SSO 1. Connect Button

    2. Login to Google through IdP 3. Google Consent Prompt

47. Terrible UX for Employees No control or visibility by the

    enterprise IT admin

48. Claude Okta (IdP) 1. Redirect to Log In 2. ID

    Token Returned https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

49. Claude Okta (IdP) 3. POST ID Token with 
 Cross-App

    Access Request 4. Cross-Domain JWT Returned https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

50. Claude Okta (IdP) 5. POST Cross-Domain JWT to Request Access

    Token 7. Access Token Returned Slack 6. Validates JWT using signature with IdP public key https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

51. Claude Okta (IdP) 5. POST Cross-Domain JWT to Request Access

    Token 7. Access Token Returned Slack 6. Validates JWT using signature with IdP public key 1. Redirect to Log In 2. ID Token Returned 3. POST ID Token with 
 Cross-App Access Request 4. Cross-Domain JWT Returned https://datatracker.ietf.org/doc/draft-parecki-oauth-identity-assertion-authz-grant/

52. aaronpk.com/mcp

53. aaronpk.com oauth.wtf oauth.net