Binary file modified auth4genai/img/mcp_auth_flow.png
21 changes: 7 additions & 14 deletions auth4genai/mcp/auth-for-mcp.mdx
Expand Up @@ -46,32 +46,25 @@ Here is the standard OAuth authorization code flow when an MCP server uses Auth0

<Steps>
<Step>
The MCP client initiates the OAuth flow by making a request to the MCP
server's authorization endpoint.
The MCP client sends a request to the protected MCP server and receives HTTP `401 Unauthorized` with a `WWW-Authenticate` header that indicates the protected resource metadata URL.
</Step>
<Step>
The MCP server redirects the user to the Auth0 authorization server.
The MCP client requests the [resource metadata](https://datatracker.ietf.org/doc/html/rfc9728/) from the MCP server at the `/.well-known/oauth-protected-resource` endpoint.
</Step>
<Step>
The user authenticates with Auth0 (using username/password, social login, or
MFA).
The MCP client parses the metadata, selects an authorization server (Auth0) from the list, and then fetches its OAuth 2.0 Authorization Server Metadata from the `/.well-known/oauth-authorization-server` endpoint. [Dynamic Client Registration (DCR)](https://auth0.com/docs/get-started/applications/dynamic-client-registration#enable-dynamic-client-registration) can happen after receiving the metadata response.
</Step>
<Step>
After successful authentication, Auth0 redirects the browser back to the MCP
server's callback URL with a single-use authorization code.
The client generates [PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) parameters and builds the authorization request, then opens the browser to the authorization endpoint.
</Step>
<Step>
The MCP server exchanges the authorization code for an access token directly
with the Auth0 token endpoint.
The user then authenticates with Auth0 (using username/password, social login, or MFA). Auth0 redirects the browser to the MCP client’s registered redirect URI with an authorization code.
</Step>
<Step>
The MCP server validates the token from Auth0 and generates its own session
or internal access token that is bound to the third-party session.
The MCP client exchanges the code at the token endpoint and Auth0 returns the access token completing the original OAuth flow.
</Step>
<Step>
The MCP server completes the original OAuth flow, returning its own token to
the MCP client, which can then be used to make authenticated calls to the
server's tools.
After receiving an access token (and refresh token), the MCP client will use the access token to make authenticated calls to the MCP server's tools.
</Step>
</Steps>

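Review bot: the rewritten steps drop the token-validation step that the old step 6 carried ("The MCP server validates the token from Auth0 ...") and never reintroduce it, so the new flow ends with the client presenting the access token (last step) without saying the MCP server must check it. Add a sentence to the final step stating that the MCP server validates the access token on every tool call (signature against Auth0's JWKS, `iss`, `exp`, and an `aud` matching the MCP server) before executing the tool, and rejects it with `401` otherwise; without this the 401/`WWW-Authenticate` discovery in the first step is the only server-side enforcement the page describes. Two smaller points in the same hunk: the authorization-request step ("builds the authorization request, then opens the browser") should name the `resource` parameter identifying the MCP server, which is what binds the issued token's audience to this server rather than to any other resource behind the same Auth0 tenant; and the metadata step links RFC 9728 but not RFC 8414 for the `/.well-known/oauth-authorization-server` document, and should note that DCR uses the `registration_endpoint` from that document rather than "can happen after receiving the metadata response". Minor: "Auth0 returns the access token completing the original OAuth flow" needs a comma before "completing".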