Protocol Revision: draft

1. Introduction

1.1 Purpose and Scope

The Model Context Protocol provides authorization capabilities at the transport level, enabling MCP clients to make requests to restricted MCP servers on behalf of resource owners. This specification defines the authorization flow for HTTP-based transports.

1.2 Protocol Requirements

Authorization is OPTIONAL for MCP implementations. When supported:

  • Implementations using an HTTP-based transport SHOULD conform to this specification.
  • Implementations using an STDIO transport SHOULD NOT follow this specification, and instead retrieve credentials from the environment.
  • Implementations using alternative transports MUST follow established security best practices for their protocol.

1.3 Standards Compliance

This authorization mechanism is based on established specifications listed below, but implements a selected subset of their features to ensure security and interoperability while maintaining simplicity:

2. Authorization Flow

2.1 Overview

  1. MCP authorization servers MUST implement OAuth 2.1 with appropriate security measures for both confidential and public clients.

  2. MCP authorization servers and MCP clients SHOULD support the OAuth 2.0 Dynamic Client Registration Protocol (RFC7591).

  3. MCP servers MUST implement OAuth 2.0 Protected Resource Metadata (RFC9728). MCP clients MUST use OAuth 2.0 Protected Resource Metadata for authorization server discovery.

  4. MCP authorization servers MUST provide OAuth 2.0 Authorization Server Metadata (RFC8414). MCP clients MUST use the OAuth 2.0 Authorization Server Metadata.

2.2 Roles

A protected MCP server acts as a OAuth 2.1 resource server, capable of accepting and responding to protected resource requests using access tokens.

An MCP client acts as an OAuth 2.1 client, making protected resource requests on behalf of a resource owner.

The authorization server is responsible for interacting with the user (if necessary) and issuing access tokens for use at the MCP server. The implementation details of the authorization server are beyond the scope of this specification. It may be hosted with the resource server or a separate entity. Section 2.3 Authorization Server Discovery specifies how an MCP server indicates the location of its corresponding authorization server to a client.

2.3 Authorization Server Discovery

This section describes the mechanisms by which MCP servers advertise their associated authorization servers to MCP clients, as well as the discovery process through which MCP clients can determine authorization server endpoints and supported capabilities.

2.3.1 Authorization Server Location

MCP servers MUST implement the OAuth 2.0 Protected Resource Metadata (RFC9728) specification to indicate the locations of authorization servers. The Protected Resource Metadata document returned by the MCP server MUST include the authorization_servers field containing at least one authorization server.

The specific use of authorization_servers is beyond the scope of this specification; implementers should consult OAuth 2.0 Protected Resource Metadata (RFC9728) for guidance on implementation details.

Implementors should note that Protected Resource Metadata documents can define multiple authorization servers. The responsibility for selecting which authorization server to use lies with the MCP client, following the guidelines specified in RFC9728 Section 7.6 “Authorization Servers”.

MCP servers MUST use the HTTP header WWW-Authenticate when returning a 401 Unauthorized to indicate the location of the resource server metadata URL as described in RFC9728 Section 5.1 “WWW-Authenticate Response”.

MCP clients MUST be able to parse WWW-Authenticate headers and respond appropriately to HTTP 401 Unauthorized responses from the MCP server.

2.3.2 Server Metadata Discovery

MCP clients MUST follow the OAuth 2.0 Authorization Server Metadata RFC8414 specification to obtain the information required to interact with the authorization server.

2.3.4 Sequence Diagram

The following diagram outlines an example flow:

2.4 MCP specific headers for discovery

MCP clients SHOULD include the MCP-Protocol-Version: <protocol-version> HTTP header during any request to the MCP server allowing the MCP server to respond based on the MCP protocol version.

MCP servers SHOULD use the MCP-Protocol-Version header to determine compatibility with the MCP client.

For example: MCP-Protocol-Version: 2024-11-05

2.5 Dynamic Client Registration

MCP clients and authorization servers SHOULD support the OAuth 2.0 Dynamic Client Registration Protocol RFC7591 to allow MCP clients to obtain OAuth client IDs without user interaction. This provides a standardized way for clients to automatically register with new authorization servers, which is crucial for MCP because:

  • Clients may not know all possible MCP servers and their authorization servers in advance.
  • Manual registration would create friction for users.
  • It enables seamless connection to new MCP servers and their authorization servers.
  • Authorization servers can implement their own registration policies.

Any MCP authorization servers that do not support Dynamic Client Registration need to provide alternative ways to obtain a client ID (and, if applicable, client credentials). For one of these authorization servers, MCP clients will have to either:

  1. Hardcode a client ID (and, if applicable, client credentials) specifically for the MCP client to use when interacting with that authorization server, or
  2. Present a UI to users that allows them to enter these details, after registering an OAuth client themselves (e.g., through a configuration interface hosted by the server).

2.6 Authorization Flow Steps

The complete Authorization flow proceeds as follows:

2.7 Access Token Usage

2.7.1 Token Requirements

Access token handling when making requests to MCP servers MUST conform to the requirements defined in OAuth 2.1 Section 5 “Resource Requests”. Specifically:

  1. MCP client MUST use the Authorization request header field defined in OAuth 2.1 Section 5.1.1:
Authorization: Bearer <access-token>

Note that authorization MUST be included in every HTTP request from client to server, even if they are part of the same logical session.

  1. Access tokens MUST NOT be included in the URI query string

Example request:

GET /v1/contexts HTTP/1.1
Host: mcp.example.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

2.7.2 Token Handling

MCP servers, acting in their role as an OAuth 2.1 resource server, MUST validate access tokens as described in OAuth 2.1 Section 5.2. If validation fails, servers MUST respond according to OAuth 2.1 Section 5.3 error handling requirements. Invalid or expired tokens MUST receive a HTTP 401 response.

MCP clients MUST NOT send tokens to the MCP server other than ones issued by the MCP server’s authorization server.

MCP authorization servers MUST only accept tokens that are valid for use with their own resources.

MCP servers MUST NOT accept or transit any other tokens.

2.8 Error Handling

Servers MUST return appropriate HTTP status codes for authorization errors:

Status CodeDescriptionUsage
401UnauthorizedAuthorization required or token invalid
403ForbiddenInvalid scopes or insufficient permissions
400Bad RequestMalformed authorization request

3. Security Considerations

Implementations MUST follow OAuth 2.1 security best practices as laid out in OAuth 2.1 Section 7. “Security Considerations”.

3.1 Token Theft

Attackers who obtain tokens stored by the client, or tokens cached or logged on the server can access protected resources with requests that appear legitimate to resource servers.

Clients and servers MUST implement secure token storage and follow OAuth best practices, as outlined in OAuth 2.1, Section 7.1.

MCP authorization servers SHOULD issue short-lived access tokens token to reduce the impact of leaked tokens. For public clients, MCP authorization servers MUST rotate refresh tokens as described in OAuth 2.1 Section 4.3.1 “Refresh Token Grant”.

3.2 Communication Security

Implementations MUST follow OAuth 2.1 Section 1.5 “Communication Security”.

Specifically:

  1. All authorization server endpoints MUST be served over HTTPS.
  2. All redirect URIs MUST be either localhost or use HTTPS.

3.3 Authorization Code Protection

An attacker who has gained access to an authorization code contained in an authorization response can try to redeem the authorization code for an access token or otherwise make use of the authorization code. (Further described in OAuth 2.1 Section 7.5)

To mitigate this, MCP clients MUST implement PKCE according to OAuth 2.1 Section 7.5.2. PKCE helps prevent authorization code interception and injection attacks by requiring clients to create a secret verifier-challenge pair, ensuring that only the original requestor can exchange an authorization code for tokens.

3.3 Open Redirection

An attacker may craft malicious redirect URIs to direct users to phishing sites.

MCP clients MUST have redirect URIs registered with the authorization server.

Authorization servers MUST validate exact redirect URIs against pre-registered values to prevent redirection attacks.

MCP clients SHOULD use and verify state parameters in the authorization code flow and discard any results that do not include or have a mis-match with the original state.

Authorization servers MUST take precautions to prevent redirecting user agents to untrusted URI’s, following suggestions laid out in OAuth 2.1 Section 7.12.2

Authorization servers SHOULD only automatically redirect the user agent if it trusts the redirection URI. If the URI is not trusted, the authorization server MAY inform the user and rely on the user to make the correct decision.

3.4 Confused Deputy Problem

Attackers can exploit MCP servers acting as intermediaries to third-party APIs, leading to confused deputy vulnerabilities. By using stolen authorization codes, they can obtain access tokens without user consent. See Security Best Practices 2.1 for details.

MCP proxy servers using static client IDs MUST obtain user consent for each dynamically registered client before forwarding to third-party authorization servers (which may require additional consent).