OAuth for MCP - Internet Identity Workshop October 2025

Transcript

1. Aaron Parecki • October 2025 oauth2simpli fi ed.com OAuth for

   MCP Internet Identity Workshop

2. Specs are not good tutorials!

3. RFC6749 RFC6750 CLIENT TYPE AUTH METHOD GRANT TYPE RFC6819 RFC7009

   RFC7592 RFC7662 RFC7636 RFC7591 RFC7519 RFC8252 OIDC RFC8414 STATE PARAM TLS CSRF UMA 2 FAPI RFC7515 RFC7516 RFC7517 RFC7518 TOKEN BINDING POP SECURITY BCP CIBA HTTP SIGNING MUTUAL TLS SPA BCP JARM JAR TOKEN EXCHANGE DPOP

4. Identification Accessing APIs Tells the application about the user authenticating

   Gives the application a way to make API requests

5. Tells the application about the user authenticating Gives the application

   a way to make API requests ID Token Access Token

6. ID Token Access Token Read by the App Read by

   the API

7. User Agent App OAuth Server API ? Authorization Request Authorization

   Code Response Token Request Token Response "Log In"

8. User Agent App OAuth Server API Authorization Request Authorization Code

   Response Token Request Token Response "Log In" Front Channel Back Channel ?

9. PROTECTED RESOURCE METADATA RFC 9728

10. "My authorization server is over there" Resource Server Authorization Server

11. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"

12. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource" GET /.well-known/oauth-protected-resource Host: mcp.example.com HTTP/1.1 200 Ok Content-type: application/json { "authorization_servers": ["https://auth.example.com/"], ... }

13. GET / HTTP/1.1 Host: mcp.example.com HTTP/1.1 401 Unauthorized WWW-Authenticate: Bearer

    resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource" GET /.well-known/oauth-protected-resource Host: mcp.example.com HTTP/1.1 200 Ok Content-type: application/json { "authorization_servers": ["https://auth.example.com/"], ... } GET /.well-known/oauth-authorization-server Host: auth.example.com HTTP/1.1 200 Ok Content-type: application/json { "issuer": "https://auth.example.com/",

14. DYNAMIC CLIENT REGISTRATION RFC 7591

15. "Here's some data about me" Authorization Server MCP Client

16. POST /oauth/register HTTP/1.1 Host: auth.example.com Content-Type: application/json { "client_name": "Claude",

    "logo_uri": "https://claude.ai/logo.png", "redirect_uris": ["https://auth.example.com/redirect"] ... } HTTP/1.1 201 Created Content-Type: application/json { "client_id": "ad2669221ba94de0ee0", "client_secret": "6a58a307937e98c459be3bfe8e19af3a", ... }

17. Authorization Interface client_id example-app.com

18. FOR AUTHORIZATION SERVERS PROBLEMS WITH DYNAMIC CLIENT REGISTRATION • Unbounded

    database growth • Client expiry creates a dead end • No correlation between instances of client software • Public DCR endpoint requires protections like rate limiting

19. FOR CLIENTS PROBLEMS WITH DYNAMIC CLIENT REGISTRATION • Managing client

    credentials in addition to access token/refresh token • No way to verify if a client ID is still valid • Unclear lifecycle - No guidance on when to re-register • Clients risk sending the user to a dead end, or register a new client on each login

20. CLIENT ID METADATA DOCUMENT DRAFT https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/

21. CLIENT ID METADATA DOCUMENT Client publishes their metadata at a

    URL The URL is used as the client_id in the authorization request …&client_id=https://example.com/client.json&scope=…

22. SIMPLE EXAMPLE CLIENT ID METADATA DOCUMENT { "client_id": "https://example.com/client.json", "client_name":

    "Example Client", "client_uri": "https://example.com", "logo_uri": "https://example.com/logo.png", "redirect_uris": [ "https://example.com/redirect" ] } The URL is used in an Authorization request /authorize?client_id=https://example.com/client.json&...

23. WITH JWKS CLIENT ID METADATA DOCUMENT { "client_id": "https://example.com/client.json", "client_name":

    "Example Client", "client_uri": "https://example.com", "logo_uri": "https://example.com/logo.png", "redirect_uris": [ "https://example.com/redirect" ],
 "jwks_uri": "https://example.com/keys.json" } The URL is used in an Authorization request /authorize?client_id=https://example.com/client.json&...

24. WITH JWKS CLIENT ID METADATA DOCUMENT • A client that

    can publish public keys to the jwks_uri can then use the private key as RFC7523 Client Authentication (Section 2.2 of RFC7523) • A client that doesn’t/can’t authenticate to an AS would not include a jwks_uri • But every client will still include its client_id URL • An AS that cares about policies on client identity can leverage the domain name

25. WITHOUT AUTOMATIC FETCHING CLIENT ID METADATA DOCUMENT • An AS

    can optionally require that Client ID Metadata Document URLs are pre- registered • This enables enterprise use, enabling the enterprise IdP to allow/disallow certain client_id URLs and/or domains, without the client doing anything special

26. FOR NATIVE APPS CLIENT ID METADATA DOCUMENT • A native

    app can’t host a document at a public URL • iOS and Android provide platform attestation services, which can be leveraged by “Attestation-Based Client Authentication” • The “Client Attester Backend” can hold the private keys published at the jwks_uri • The app developer can publish the Client ID Metadata Document on the app’s website, linking to the Client Attester Backend’s jwks_uri This makes client impersonation of native apps unreasonably expensive

27. BLUESKY

28. aaronpk.com oauth.wtf oauth.net