SEP-1933: Workload Identity Federation #1933
Conversation
PieterKas
changed the title
Reformat abstract for improved readability.
wdawson
left a comment
wdawson
left a comment
There was a problem hiding this comment.
Overall looks good to me. My main question is about why not have OAuth2 AS Discovery as another option vs OIDC discovery.
|
|
||
| The message flow combines using a JWT as an authorization grant as defined in | ||
| [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523) with automated issuer | ||
| discovery as described in [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html) |
There was a problem hiding this comment.
Is there a reason we need to restrict the issuer discovery to OIDC? I believe we could also use the OAuth2 Authorization Server Metadata when supported.
There was a problem hiding this comment.
We did consider both, but opted to pick one for the sake of simplicity.
There was a problem hiding this comment.
I foresee folks wanting support for both. Is there a way to include a requirement for some form of discovery and use OIDC as the example in this document?
Agree that keeping things simple for the majority of the document is preferred so it's easy to follow.
There was a problem hiding this comment.
@wdawson, can you expand a little on the reason for supporting a second method (apart from folks thinking it might be a good idea)?
One of the goals with this SEP is to allow easy re-use of existing workload identity infrastructure, specifically K8S and SPIFFE based systems.
Both K8S and SPIFFE based solutions commonly support OpenID Discovery documents (SPIRE, the open source SPIFFE implementation, has a OIDC discovery extension and OIDC discovery is also commonly supported on commercial SPIFFE implementations). Neither of them support OAuth Authorization Server Metadata, so adding Oauth2 Authorization Metadata Discovery as a supported method may have the unintended consequence of forcing existing issuers to add support for a duplicative discovery mechanism when it is not needed.
Are there any other large scale, widely deployed, workload identity infrastructures out there that don't support OIDC discovery already?
There was a problem hiding this comment.
You'd know better than me. I think OIDC makes sense as the example for the reasons you said. I just didn't want to restrict it technically unless we needed to, so that folks could build other solutions that use OAuth AS discovery as a viable alternative. But I hear you from a clarity perspective and don't feel strongly enough here, especially if the large, widely deployed options are OIDC only.
There was a problem hiding this comment.
Thanks @wdawson. I will add a bit more of this context to the "Why OpenID Connect Discovery?" section for clarity.
I think implementors can always support additional mechanisms - I don't recall text prohibiting that, but for interoperability and keeping things simple, we should not encourage it. If there are compelling reasons to add it explicitly later, we can always do that in a future SEP.
| baseline MCP Authorization specification) | ||
|
|
||
| 2. **Construct OpenID Provider Discovery Endpoint URL**: The authorization server extracts the `iss` (issuer) | ||
| claim from the JWT and determines if it is a trusted issuer. If the issuer is |
There was a problem hiding this comment.
We probably want something about what a trusted issuer is, and how an MCP Server's AS might be configured with trusted issuers. I'm ok saying that the process is out of scope of this document, may happen by a variety of mechanisms, etc. But we should probably have at least one example, probably as an example from the motivation section.
There was a problem hiding this comment.
How trust is established, or what the basis of trust is a business decision, not something we can define here.
I am also unsure if we gain much by trying to be more specific in defining how an AS might maintain a list of trusted issuers. That is an implementation choice and it is not immediately apparent how that improves interoperability.
There was a problem hiding this comment.
How trust is established, or what the basis of trust is a business decision, not something we can define here. I am also unsure if we gain much by trying to be more specific in defining how an AS might maintain a list of trusted issuers. That is an implementation choice and it is not immediately apparent how that improves interoperability.
I totally agree. I'm coming at this more from a layperson's reading of the document and not understanding what a "trusted issuer" is, or that it's different from any old iss claim in a random token. I think we need to define the term for the purposes of this document, without being specific about the details. Something like:
"The Authorization Server is configured with a set of issuers (defined by a URL), which are considered 'trusted issuers'. The nature of that trusted relationship and the mechanism by which the set is populated or maintained is out of scope of this document and left up to the implementer. JWTs not issued by these trusted issuers can be safely rejected by the AS."
Feel free to ignore or wordsmith. Again, my primary concern is making sure that folks who aren't steeped in Identity will be able to understand what "trusted issuer" means.
There was a problem hiding this comment.
Thanks, that is a helpful clarification. I will take a look at the best ways to provide clarity. Thanks for the suggestion.
|
|
||
| 1. **Token Refresh**: Should workload clients be allowed to obtain refresh tokens, or should they always present fresh workload JWTs for new access tokens? | ||
|
|
||
| 2. **Issuer Metadata Caching**: Should the specification provide guidance on cache TTLs for issuer configurations and JWKs? |
There was a problem hiding this comment.
I don't know that we need specific caching guidance, but calling it out as a security concern might be nice. I like what you did in the security considerations section, however, referencing the existing documents for their best practices. I assume there's something already in those discovery specifications.
There was a problem hiding this comment.
Let me double check - I think you are right, but we can be a bit more specific about where this comes into play and reference specific section in security considerations to be more explicit about it. I will take a look.
|
|
||
| 2. **Issuer Metadata Caching**: Should the specification provide guidance on cache TTLs for issuer configurations and JWKs? | ||
|
|
||
| 3. **Error Response Detail**: How much detail should authorization servers provide in error responses when JWT validation fails (for security vs. debuggability tradeoffs)? |
There was a problem hiding this comment.
We're restricted somewhat by RFC 7523. I might just call out that Authorization Servers SHOULD take that tradeoff into account.
There was a problem hiding this comment.
That makes sense as a security consideration. I can add that.
Co-authored-by: Wils Dawson <wils.dawson@gmail.com>
Thanks for taking the time to review and provide comments @wdawson - I responded to the comments and accepted some of the proposals. |
This comment was marked as off-topic.
This comment was marked as off-topic.
Sorry, something went wrong.
localden
left a comment
localden
left a comment
There was a problem hiding this comment.
Love the direction, but I think this needs a bit more detail. Are we discussing a homegrown WIF implementation within MCP or is this using an existing WIF standard? It feels like the former, which is a bit scary.
|
|
||
| ## Abstract | ||
|
|
||
| This SEP defines Workload Identity Federation for the Model Context Protocol, enabling autonomous MCP clients to access MCP servers using existing workload identity credentials without requiring separate client registration or long-lived credentials. The proposal leverages the OAuth 2.0 JWT Bearer grant type (RFC 7523) combined with OpenID Connect Discovery to allow MCP clients operating as workloads, such as those deployed in Kubernetes or cloud environments, to present platform-issued JWT credentials directly to authorization servers. This eliminates the need for client secrets, client identifiers, or separate credential management while maintaining security through issuer trust relationships and claim-based authorization. |
There was a problem hiding this comment.
I would be really curious to what degree this overlaps with the work captured by WIMSE. Ideally, we do not invent anything MCP-specific here and instead rely on existing standards, the saem way we did for the core authorization spec.
There was a problem hiding this comment.
@localden - the really good news is we are not inventing anything new (deliberately so).
This proposal basically uses:
- RFC7523 JWT Authorization Grants to request an access token
- OpenID Connect Discovery to obtain the keys used to verify the JWT.
RFC 7523 was specifically designed for this kind of use case, while existing Kubernetes and SPIFFE based implementations already support OIDC key discovery.
| - `resource`: The canonical URI of the target MCP server (as defined in the | ||
| baseline MCP Authorization specification) | ||
|
|
||
| 2. **Construct OpenID Provider Discovery Endpoint URL**: The authorization server extracts the `iss` (issuer) |
There was a problem hiding this comment.
Is the flow here mapping to a particular standard for WIF or is this MCP-specific? If AS has to implement a lot of this trust logic, where do they refer to?
There was a problem hiding this comment.
This aspect of WIF is already supported by the most common JWT issuers. In terms of AS support, OIDC discovery is already commonly supported by IdPs (e.g. it is the mechanism used by Entra WIF). Trust configuration is implementation specific (in Entra if I recall, you had to explicitly define the OIDC discover point for an issuer that you trusted, along with a specific subject for example).
The reason for favouring OpenID Connect Discovery is because it is already used and supported by JWT issuers like Kubernetes and SPIFFE as well by Authorization Servers.
| 6. **Request JWK Set**: The authorization server retrieves the | ||
| [RFC7517](https://datatracker.ietf.org/doc/html/rfc7517) JWK set | ||
| containing the issuer's public keys from the TLS protected location specified by |
There was a problem hiding this comment.
Assuming "TLS protected location" is basically a HTTPS endpoint?
There was a problem hiding this comment.
Correct - I think I borrowed language from another draft - happy to clarify that in practice this is an HTTPS endpoint.
| # SEP-1933: Workload Identity Federation | ||
|
|
||
| - **Status**: Draft | ||
| - **Type**: Standards Track |
There was a problem hiding this comment.
Also to clarify - this is intended as an extension, similar to other things in ext-auth? Or is the intent for this to be part of the core spec?
There was a problem hiding this comment.
Correct. This is intended as an extension.
| [RFC 7523 Section 2.1](https://datatracker.ietf.org/doc/html/rfc7523#section-2.1). | ||
|
|
||
| 10. **MCP Server Access**: The MCP client makes a JSON-RPC request to the MCP | ||
| server, including the access token in the `Authorization` header using the |
There was a problem hiding this comment.
Needs clarification on which access token is used here.
There was a problem hiding this comment.
Good catch, will do.
|
|
||
| ## Rationale | ||
|
|
||
| The design leverages established OAuth and OpenID Connect standards (RFC 7523 JWT Bearer grants and OIDC Discovery) rather than creating MCP-specific mechanisms, ensuring broad interoperability with existing identity infrastructure and authorization servers. By using platform-issued JWTs directly, this approach leverages installed infrastrucutre and eliminates operational overhead while maintaining strong security through cryptographic verification, and the use of automated issuer discovery supports key rotation and reduces manual configuration burden in dynamic workload environments. |
There was a problem hiding this comment.
There is still a non-zero burden on AS to support this particular implementation, no?
There was a problem hiding this comment.
This draft does not impose any new claims or processing rules - so if an authorization server already supports RFC 7523 and OpenID connect discovery would have very little, if any, additional work.
|
|
||
| When exchanging tokens, both MCP clients and authorization servers MUST ensure that workload JWTs are handled securely: | ||
|
|
||
| - Workload JWTs MUST be transmitted only over authenticated, TLS-protected channels. |
There was a problem hiding this comment.
What does "authenticated" means in this context?
There was a problem hiding this comment.
Server authentication. This can probably be simplified to say HTTPS similar to an earlier comment.
| When exchanging tokens, both MCP clients and authorization servers MUST ensure that workload JWTs are handled securely: | ||
|
|
||
| - Workload JWTs MUST be transmitted only over authenticated, TLS-protected channels. | ||
| - Implementations SHOULD avoid logging, storing, or otherwise persisting either JWT assertions or exchanged access tokens. |
There was a problem hiding this comment.
I feel like a lot of these are covered in existing OAuth RFCs, no? We should probably refer to those best practices rather than rewriting them here.
|
|
||
| - Workload JWTs MUST be transmitted only over authenticated, TLS-protected channels. | ||
| - Implementations SHOULD avoid logging, storing, or otherwise persisting either JWT assertions or exchanged access tokens. | ||
| - Authorization servers SHOULD verify token freshness (`exp`, `iat`, `jti`) and enforce strict replay protection. |
There was a problem hiding this comment.
Same as above, this feels like an implementation detail that should be captured by an OAuth RFC.
| - Workload JWTs MUST be transmitted only over authenticated, TLS-protected channels. | ||
| - Implementations SHOULD avoid logging, storing, or otherwise persisting either JWT assertions or exchanged access tokens. | ||
| - Authorization servers SHOULD verify token freshness (`exp`, `iat`, `jti`) and enforce strict replay protection. | ||
| - The mapping between workload identity and MCP access token forms a critical trust boundary; misconfiguration can result in privilege escalation. |
There was a problem hiding this comment.
Who's responsible for the mapping of this trust relationship?
There was a problem hiding this comment.
This is configuration on the Authorization system - not unlike any other kind of misconfiguration that might result in privilege escalation.
Thanks @localden - there is nothing homegrown here - it is purely RFC 7523 + OpenID Connect Discovery. Was there any bit that you felt like we were inventing something new beyond those two? |
|
The SEP mentions that it does not require any client registration, but without a described way to establish trust with issuers, and a definition what a client is, would this really work well for MCP? It would leave support for specific client/AS combinations completely to the AS where either the AS needs to support some well-known issuers, or the resource owner needs to setup mappings for individual MCP clients. Could you take this into a bit of a different direction? For example, if you add a new attribute to the client metadata definition like This way, any client-AS combination can work, setup is owned by the client developers, it fits both CIMD and DCR, and you get consistent client identifiers. You probably also want the This would likely have to be started as a spec outside of MCP, and goes into the realm of WIMSE, but it would be much more dynamic and consistent. |
|
@freiadr - the goal of the spec is to let workloads use existing credentials (think Kubernetes PSAT tokens, SPIFFE JWTs) so that deployments don't have to further proliferate client secrets if they have better options available. A happy side effect of using RFC 7523 is that you don't need to register client ids for authorisation grant flows. This pattern is already well adopted. The "establish trust" topic feels like a red herring for the environments we expect this being used in. In the flows I am familiar with, establishing trust (i.e. configuring which issuer you will accept) is a business decision. If I think about the environments where this is desirable, the owners of these systems are opinionated about which issuers they trust (e.g. they trust the issuers they deployed to provision the credentials in the first place). I would definitely encourage you to submit a draft to the OAuth or WIMSE working groups to explore your proposal further, but I think your proposal focus on doing something different from what we are solving for here in a new way, while this proposal just combines to existing, commonly supported specs (RFC 7523 and OIDC discovery) to simplify how workloads get access in MCP servers if there is no human involved and they already have credentials from a trusted issuer. |
|
It looks interesting, and from my own experience, it works very well. Our workloads all run in the cloud, and through the WebIdentity mechanism (based on OIDC tokens), I can place workloads in any possible compute center (hybrid cloud or on-premises data center) in a zero-trust manner, without worrying about authentication and authorization issues. As a result, our DevOps workflows have become much simpler. Regarding the complexity of token issuance, I believe this can and should be fully shielded by the IdP. For example, in our GitLab CI, we only need a very small amount of configuration to grant AWS role permissions via OIDC: variables:
AWS_ROLE_ARN: "arn:aws:iam::00000000000:role/foobarbaz"
AWS_WEB_IDENTITY_TOKEN_FILE: "/builds/$CI_PROJECT_PATH/gitlab_oidc_token.jwt"
foobar:
id_tokens:
GITLAB_OIDC_TOKEN:
aud: sts.amazonaws.com
before_script:
- echo "$GITLAB_OIDC_TOKEN" "$AWS_WEB_IDENTITY_TOKEN_FILE"
script:
- aws sts get-caller-identityOn the relying party side, AWS provides a useful reference model. AWS does not participate in token issuance at all. It only registers an OIDC issuer, validates standard JWT claims ( One reason this model works well in practice is that it authenticates and authorizes the calling platform as a whole, rather than individual end users. In other words, the server establishes trust in the MCP client itself, or in the IdP backing that client. This makes it much easier to secure MCP resources that are not directly tied to a human user, without having to manage or propagate user-level credentials everywhere. From this perspective, the proposal can be seen as a natural evolution of MCP’s existing authorization model, rather than a parallel or fragmented flow. The core concern remains the same: establishing trust between the caller and the service, as described in the current authorization documentation (https://modelcontextprotocol.io/docs/tutorials/security/authorization). Workload identity simply shifts the trust anchor from user credentials to platform- or client-level identity. This is also why I think it is important to keep the flow steps described in the SEP clearly scoped as illustrative examples, rather than protocol-mandated authentication procedures. The most important boundary should remain the contract between the caller and the service: given a valid, standards-compliant OIDC token issued by a trusted IdP, the server can make an authorization decision. Once that trust relationship is in place, the MCP server should not need to care how the IdP issued the token or which authorization type was used. Treating token issuance as an internal concern of the client and its IdP keeps the protocol simple, avoids binding technical preferences into the spec, and allows zero-trust properties to be achieved with minimal implementation burden on MCP servers. Correspondingly, the specification steps 1–9 in the SEP should not be considered mandatory parts of the protocol. Their core purpose is merely to illustrate how a token can be obtained for the current session, but is should never be defined as a part of SPECIFICATION |
7 participants
Motivation and Context
As autonomous workloads increasingly interact with MCP servers, the existing authorization mechanisms, primarily designed around human-centric OAuth flows or statically registered client credentials, impose operational friction and do not align with how modern platforms provision identity. Workloads in environments such as Kubernetes, SPIFFE/SPIRE, and cloud-native runtimes already receive short-lived, cryptographically verifiable JWTs that reflect their runtime identity. Requiring these workloads to additionally register as OAuth clients or manage long-lived secrets introduces unnecessary complexity and weakens security posture.
Workload Identity Federation allows MCP to directly leverage these platform-provided credentials, eliminating separate client identity lifecycles while maintaining strong authentication and authorization guarantees. By standardizing how workload-issued JWTs are validated, exchanged, and authorized, this proposal enables scalable, interoperable workload-to-service access across MCP deployments. This approach reflects best practices in modern cloud and zero-trust architectures, reducing operational overhead while improving security.
How Has This Been Tested?
TBD
Breaking Changes
No
Types of changes
Checklist
Additional context
@D-McAdams