SEP-2352: Clarify authorization server binding and migration #2352

Merged: mcp-commander[bot] merged 13 commits into main from den/as on Mar 28, 2026
Conversation

@dend (Contributor) commented Mar 4, 2026
Summary

Test plan

  • npx prettier --check passes
  • npm run check:docs:js-comments passes
  • Review rendered docs for correct formatting

🤖 Generated with Claude Code

@dend dend requested a review from a team as a code owner March 4, 2026 22:42
Add guidance for clients on binding persisted client credentials to
specific authorization servers and handling AS changes. Clarifies
multi-AS behavior when multiple servers are listed in
authorization_servers.

Closes #1349

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@dend dend changed the title docs: clarify authorization server binding and migration SEP-2352: Clarify authorization server binding and migration Mar 4, 2026
@dend dend self-assigned this Mar 4, 2026
@dend dend added auth security SEP draft SEP proposal with a sponsor. labels Mar 4, 2026
@dend dend moved this to In Review in SEP Review Pipeline Mar 4, 2026

@pcarleton (Member) left a comment

This is a good change. Both TypeScript and Python will need adjustments.

Should be straightforward to conformance test as well, and key it on DCR support.

Comment thread docs/specification/draft/basic/authorization.mdx Outdated
localden and others added 2 commits March 5, 2026 08:15
Co-authored-by: Kaixuan Luo <30545735+KevinLuo2000@users.noreply.github.com>
Co-authored-by: Kaixuan Luo <30545735+KevinLuo2000@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Comment thread docs/specification/draft/basic/authorization.mdx Outdated
Co-authored-by: Max Gerber <89937743+max-stytch@users.noreply.github.com>
Comment thread docs/specification/draft/basic/authorization.mdx Outdated
Comment thread docs/specification/draft/basic/authorization.mdx Outdated
Comment thread docs/specification/draft/basic/authorization.mdx Outdated
dend and others added 3 commits March 6, 2026 14:29
Co-authored-by: Wils Dawson <wils.dawson@gmail.com>
Co-authored-by: Wils Dawson <wils.dawson@gmail.com>
Co-authored-by: Wils Dawson <wils.dawson@gmail.com>
@guglielmo-san commented
I am implementing this SEP in the Go SDK and would like to clarify a couple of cases regarding client credential management:

  1. The SEP states that clients that persist client credentials obtained via DCR must associate them with the specific AS keyed by the issuer identifier. The Go SDK does not persist credentials but performs DCR dynamically on demand (e.g., every time authorization is needed or after a token expires). Is persistence of DCR credentials considered a MUST or a SHOULD for compliance with this SEP?
  2. The SEP states clients MUST maintain separate registration state per authorization server. RFC 9728 Section 7.6 defers server selection to the client. Is a client that always selects only the first AS from authorization_servers (and never attempts others) considered compliant? Or is there an expectation that clients should attempt alternative servers on authorization failure?
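The per-issuer binding the two questions above turn on can be shown in a few dozen lines of Go. The following is an added illustration written for this page, not code from the MCP Go SDK or from the SEP itself: it keeps DCR registration state keyed by the authorization server's issuer identifier, discards any registration whose issuer is no longer present in the resource's authorization_servers list, and follows the commenter's "always take the first AS" selection rule. The issuer URLs and credential values are constructed, and the `register` callback is a stand-in for the real DCR request.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"sync"
)

// ClientCredentials is the registration state a client receives from one
// authorization server through Dynamic Client Registration.
type ClientCredentials struct {
	ClientID     string
	ClientSecret string
}

// ErrUnknownIssuer is returned when no registration is bound to an issuer.
var ErrUnknownIssuer = errors.New("no client registration bound to this authorization server")

// RegistrationStore keeps DCR state keyed by the AS issuer identifier, so a
// client_id obtained from one AS is never presented to a different AS.
type RegistrationStore struct {
	mu    sync.Mutex
	byIss map[string]ClientCredentials
}

func NewRegistrationStore() *RegistrationStore {
	return &RegistrationStore{byIss: make(map[string]ClientCredentials)}
}

// Bind records credentials for exactly one issuer.
func (s *RegistrationStore) Bind(issuer string, c ClientCredentials) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.byIss[issuer] = c
}

// Lookup returns the credentials bound to issuer, or ErrUnknownIssuer.
func (s *RegistrationStore) Lookup(issuer string) (ClientCredentials, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.byIss[issuer]
	if !ok {
		return ClientCredentials{}, ErrUnknownIssuer
	}
	return c, nil
}

// Reconcile drops every registration whose issuer no longer appears in the
// resource's authorization_servers list and returns the dropped issuers.
// This is the "AS changed" case: stale credentials must not be reused.
func (s *RegistrationStore) Reconcile(authorizationServers []string) []string {
	listed := make(map[string]bool, len(authorizationServers))
	for _, iss := range authorizationServers {
		listed[iss] = true
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	var dropped []string
	for iss := range s.byIss {
		if !listed[iss] {
			dropped = append(dropped, iss)
			delete(s.byIss, iss) // deleting during range is safe in Go
		}
	}
	sort.Strings(dropped)
	return dropped
}

// CredentialsFor selects the first listed AS (RFC 9728 leaves selection to
// the client) and reuses the registration bound to it, calling the supplied
// DCR callback only when nothing is bound to that issuer yet.
func (s *RegistrationStore) CredentialsFor(authorizationServers []string,
	register func(issuer string) (ClientCredentials, error)) (string, ClientCredentials, error) {
	if len(authorizationServers) == 0 {
		return "", ClientCredentials{}, errors.New("authorization_servers is empty")
	}
	issuer := authorizationServers[0]
	if c, err := s.Lookup(issuer); err == nil {
		return issuer, c, nil
	}
	c, err := register(issuer)
	if err != nil {
		return "", ClientCredentials{}, err
	}
	s.Bind(issuer, c)
	return issuer, c, nil
}

func main() {
	// Constructed issuers and credentials; a real client gets these from DCR.
	store := NewRegistrationStore()
	store.Bind("https://as-a.example", ClientCredentials{ClientID: "client-a", ClientSecret: "secret-a"})

	// The resource now advertises a different AS: the old binding is discarded.
	fmt.Println("dropped:", store.Reconcile([]string{"https://as-b.example"}))

	register := func(iss string) (ClientCredentials, error) {
		return ClientCredentials{ClientID: "client-for-" + iss, ClientSecret: "constructed"}, nil
	}
	iss, c, _ := store.CredentialsFor([]string{"https://as-b.example"}, register)
	fmt.Println("using", c.ClientID, "at", iss)
}
```

A client that never persists (re-registering on every authorization, as the commenter describes) would simply never call Bind across runs; the issuer key still matters within a run, because the credentials returned by one AS must not be sent to another listed one.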

@localden localden added final SEP finalized. and removed accepted SEP accepted by core maintainers, but still requires final wording and reference implementation. labels Jun 4, 2026
Project status: Accepted

Successfully merging this pull request may close these issues:
  • The authorization spec is unclear when multiple Authorization servers are involved

10 participants