[2026-07-28] Authorization hardening (OAuth/OIDC)

[chr-hertel]

Tracking issue for the MCP Spec 2026-07-28 release — Authorization hardening milestone.

Most of this milestone overlaps with the existing client-OAuth backlog (#315–#326). New SEP-specific work concentrates on issuer validation, AS-binding semantics, server-side scope emission, and OIDC offline_access handling.

SEPs covered

SEP	Title	Spec PR	Coverage
SEP-2468	Recommend iss Parameter (RFC 9207)	#2468	New issue
SEP-2352	Authorization Server binding and migration	#2352	New issue
SEP-2351	RFC 8414 well-known URI suffix	#2351	Covered by #318
SEP-2350	Client-side scope accumulation in step-up	#2350	Client covered by #322; new server-side issue
SEP-2207	OIDC-flavored refresh token guidance	#2207	New issues (client + server)
SEP-837	OIDC application_type during DCR	#837	Covered by #320 + #321

Sub-issues

• [Client][Auth] SEP-2468: Validate iss parameter in authorization response (RFC 9207) #360 — SEP-2468: Validate iss parameter in authorization response (client)
• [Client][Auth] SEP-2352: Key DCR registrations and tokens by AS issuer; reject cross-AS credential reuse #361 — SEP-2352: Key DCR/tokens by AS issuer; reject cross-AS reuse (client)
• [Server][Auth] SEP-2350: Emit per-operation scopes in insufficient_scope 403 responses (RFC 6750 §3.1) #362 — SEP-2350: Emit per-operation scopes in insufficient_scope 403 responses (server)
• [Client][Auth] SEP-2207: Request offline_access scope against OIDC-flavored AS for refresh tokens #363 — SEP-2207: Request offline_access against OIDC-flavored AS (client)
• [Server][Auth] SEP-2207: Audit PRM to ensure offline_access is not advertised as a required scope #364 — SEP-2207: Audit PRM to ensure offline_access is not advertised as required (server)

Existing issues to annotate with SEP refs

• [Client] Add OAuth 2.0 credential storage interface (TokenStorageInterface) #315 (TokenStorage) → SEP-2352
• [Client] Implement Authorization Server Metadata discovery (RFC 8414) #318 (RFC 8414 AS metadata) → SEP-2351
• [Client] Implement OAuth 2.0 Authorization Code flow with PKCE (RFC 6749 + RFC 7636) #319 (Auth Code + PKCE) → SEP-2468, SEP-2207
• [Client] Implement Dynamic Client Registration (RFC 7591) + pre-registered client support #320 (DCR) → SEP-2352, SEP-837
• [Client] Support token_endpoint_auth_method: client_secret_basic, client_secret_post, none #321 (token_endpoint_auth_method) → SEP-837
• [Client] Implement OAuth scope handling (WWW-Authenticate, scopes_supported, step-up, retry-limit, omitted) #322 (scope handling/step-up) → SEP-2350
• [Client] Implement refresh_token grant + offline_access scope #323 (refresh_token grant) → SEP-2207

Notes

• All six SEPs are merged.
• PHP SDK client-side OAuth is largely unimplemented; the bulk of work is therefore on the client side via the existing [Client] Add OAuth 2.0 credential storage interface (TokenStorageInterface) #315–[Client] Add OAuth 2025-03-26 metadata backcompat fallback #326 backlog plus the new SEP-specific issues above. Server-side OAuth middleware needs targeted PRM/WWW-Authenticate audits only.