SEP-2343: Clarify that elicitation requires authorization for remote servers #2343
Draft
pcarleton wants to merge 1 commit into modelcontextprotocol:main from
The elicitation spec requires servers to bind state to user identity and prohibits association with session IDs alone, but MCP authorization is optional. This makes these requirements unsatisfiable for remote servers without auth. Add an explicit warning and cross-reference to make this dependency clear.
Member, Author
cc @nbarbettini @wdawson wdyt about this change?
Contributor
@pcarleton I support this change, but I think it could be tightened further. @wdawson and I discussed it in person and noticed this tension:
Tldr - I think the warning could be elevated from There's maybe also a case to be made for elevating the

State Transition: proposal → draft
This SEP has been transitioned from proposal to draft. @pcarleton has been assigned as the sponsor for this SEP. This is an automated message from the SEP lifecycle bot.
Summary
The elicitation spec requires servers to bind state to user identity (MUST bind elicitation requests to the client and user identity) and prohibits association with session IDs alone (State MUST NOT be associated with session IDs alone). However, MCP authorization is optional — making these requirements unsatisfiable for remote servers that don't implement auth.
This PR makes the dependency explicit:
Context
This gap was surfaced during review of an H1 bug bounty report demonstrating phantom task injection via leaked session IDs. While the PoC relied on a non-compliant server (violating multiple existing MUSTs), the reviewers noted that the spec could be clearer about elicitation's implicit dependency on authorization.
Note: the Tasks spec already handles this well by explicitly acknowledging the no-auth case and providing a fallback (crypto-random IDs + short TTL). This PR brings elicitation's clarity in line with that approach.
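
Added example, not part of the PR, the MCP specification or any MCP SDK: a server-side store that binds each pending elicitation to the authenticated user and client rather than to a session ID, and refuses to create one when no identity is available. `ElicitationStore`, `AuthorizationRequired`, the 300-second default lifetime and the sample identities are assumptions of this example; `subject` stands for the user identity taken from a validated access token.

```python
import secrets
import time


class AuthorizationRequired(Exception):
    """Raised when no authenticated identity is available to bind state to."""


class ElicitationStore:
    """Hypothetical store for pending elicitations (not an MCP SDK API)."""

    def __init__(self, ttl_seconds=300.0, clock=time.monotonic):
        self._ttl = ttl_seconds   # assumed lifetime; the page gives no value
        self._clock = clock
        self._pending = {}        # elicitation_id -> (subject, client_id, expires_at)

    def create(self, subject, client_id):
        # Without an authorized user there is nothing to bind to, so the
        # server refuses instead of falling back to the session ID.
        if not subject or not client_id:
            raise AuthorizationRequired("elicitation needs an authenticated user and client")
        elicitation_id = secrets.token_urlsafe(32)
        self._pending[elicitation_id] = (subject, client_id, self._clock() + self._ttl)
        return elicitation_id

    def complete(self, elicitation_id, subject, client_id):
        """Return True only for the same user and client that created the request."""
        entry = self._pending.get(elicitation_id)
        if entry is None:
            return False
        bound_subject, bound_client, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[elicitation_id]    # expired: drop and reject
            return False
        if (subject, client_id) != (bound_subject, bound_client):
            return False                         # known ID, wrong identity: reject, keep entry
        del self._pending[elicitation_id]        # one-shot: a response is accepted once
        return True


def demo():
    now = [0.0]                                  # constructed clock for the example
    store = ElicitationStore(ttl_seconds=60, clock=lambda: now[0])
    eid = store.create("user-alice", "client-a") # constructed identities
    return [store.complete(eid, "user-mallory", "client-a"),  # other user, same ID
            store.complete(eid, "user-alice", "client-a"),    # rightful owner
            store.complete(eid, "user-alice", "client-a")]    # replay of a used ID
```

The session ID never appears as a key or as a credential here, so knowing it, or the elicitation ID, is not enough to complete another user's request.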