Auth — 2026 client-side requirements #2902

@maxisbey

Tracks: #2801 #2800 #2783 #2798 #2795

Spec-compliant client-side OAuth changes for the release. Independent of the protocol-version work; design choices are the implementer's.

What's in it

  • Validate iss on the OAuth callback (RFC 9207 / SEP-2468).
  • Bind stored credentials to the issuer; re-register on AS change (SEP-2352).
  • Send application_type on DCR (SEP-837).
  • Union scopes on step-up re-authorization (SEP-2350).
  • Confirm and close out offline_access (SEP-2207 — already implemented).
  • Server-side SHOULDs (PRM offline_access, single-challenge scopes): docs note / out of scope for this release.

Conformance

  • auth/iss-* (×6)
  • auth/metadata-issuer-mismatch
  • auth/authorization-server-migration
  • auth/offline-access-not-supported
  • auth/scope-step-up

Dependencies

  • Depends on: none
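
An added example, not part of the issue and not the SDK's code: a minimal sketch of the first two items, the RFC 9207 `iss` check on the callback and refusing credentials stored for a different issuer. The function names, the stored-record layout and the sample URLs are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit


class CallbackRejected(Exception):
    """The authorization response must not be processed any further."""


def check_callback_iss(callback_url: str, as_metadata: dict) -> dict:
    """Apply the RFC 9207 client rules to an authorization response.

    as_metadata belongs to the authorization server the request was sent to.
    Returns the callback parameters when the response may be processed.
    """
    # keep_blank_values: an empty "iss=" counts as present and wrong.
    query = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    iss_values = query.get("iss", [])
    if len(iss_values) > 1:
        raise CallbackRejected("iss parameter repeated")  # defensive choice
    if iss_values:
        # Simple string comparison: no case folding or slash normalization.
        if iss_values[0] != as_metadata["issuer"]:
            raise CallbackRejected("iss does not match the expected issuer")
    elif as_metadata.get("authorization_response_iss_parameter_supported", False):
        raise CallbackRejected("iss missing although the server advertises it")
    return {name: values[0] for name, values in query.items()}


def credentials_for(stored: Optional[dict], current_issuer: str) -> Optional[dict]:
    """Return stored credentials only if they were issued by current_issuer.

    None tells the caller to register again with the new server.
    The record layout ({"issuer": ..., "client_id": ...}) is an assumption.
    """
    if stored is not None and stored.get("issuer") == current_issuer:
        return stored
    return None


if __name__ == "__main__":
    # Constructed sample data, not taken from the issue.
    meta = {"issuer": "https://as.example",
            "authorization_response_iss_parameter_supported": True}
    good = "https://client.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fas.example"
    print(check_callback_iss(good, meta)["code"])
    print(credentials_for({"issuer": "https://old-as.example", "client_id": "c1"},
                          meta["issuer"]))
```

The `iss` check applies to error responses as well as to responses carrying a `code`, and it has to run before the code is sent to any token endpoint.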

Labels: spec-2026-07-28 (2026-07-28 MCP spec release work); v2 (Ideas, requests and plans for v2 of the SDK which will incorporate major changes and fixes)