Skip to content

SEP-2468: Recommend Issuer (iss) Claim in MCP Auth Responses#2468

Open
EmLauber wants to merge 1 commit intomodelcontextprotocol:mainfrom
EmLauber:sep-issuer-claim-auth
Open

SEP-2468: Recommend Issuer (iss) Claim in MCP Auth Responses#2468
EmLauber wants to merge 1 commit intomodelcontextprotocol:mainfrom
EmLauber:sep-issuer-claim-auth

Conversation

@EmLauber
Copy link
Copy Markdown

@EmLauber EmLauber commented Mar 25, 2026

Proposes requiring the inclusion and validation of an explicit issuer (iss) claim in MCP authorization responses to mitigate authorization mix-up attacks in multi-IdP environments.

Motivation and Context

  • Problem: MCP operates in multi-IdP environments where mix-up attacks are possible
  • Solution: Require issuer claim validation in clients to bind responses to correct auth server
  • Follows: RFC 9207 specifications for OAuth security

How Has This Been Tested?

Tested in OAuth scenarios. Will need additional testing specific to MCP environments before accepting and merging.

Breaking Changes

It is additive fro security. Clients will need to update code to validate the issuer parameter.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • [ x] New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • [x ] Documentation update

Checklist

  • [ x] I have read the MCP Documentation
  • [ x] My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Some auth servers already use the issuer claim and can reference those examples once more details are added.

@EmLauber
Add SEP: Recommend Issuer (iss) Claim in MCP Auth Responses
025222f 
Proposes requiring the inclusion and validation of an explicit
issuer (iss) claim in MCP authorization responses to mitigate
authorization mix-up attacks in multi-IdP environments.
@localden localden changed the title Add SEP: Recommend Issuer (iss) Claim in MCP Auth Responses SEP-2468: Recommend Issuer (iss) Claim in MCP Auth Responses Mar 25, 2026
@localden localden added auth security proposal SEP proposal without a sponsor. SEP labels Mar 25, 2026
max-stytch
max-stytch reviewed Mar 25, 2026
View reviewed changes
seps/0000-recommend-issuer-claim-for-auth.md

## Abstract

This SEP proposes requiring the inclusion and validation of an explicit issuer (iss) claim in Model Context Protocol (MCP) authorization responses to mitigate authorization mix‑up attacks. By binding authorization responses to a specific authorization server identity, MCP clients can reliably detect and reject responses originating from an unexpected issuer, improving protocol robustness in multi‑identity provider (IdP) environments. This SEP follows the specifications defined in [RFC9207](https://datatracker.ietf.org/doc/rfc9207/)
Copy link
Copy Markdown
Contributor

@max-stytch max-stytch Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verbiage nit - 9207 uses parameter instead of claim throughout, since iss is returned as a query parameter (and not as a JWT claim).

seps/0000-recommend-issuer-claim-for-auth.md

The Model Context Protocol increasingly operates in environments where multiple authorization servers, identity providers, and intermediaries coexist. In such environments, OAuth 2.0 mix‑up attacks become a realistic threat. Mix-up attacks are when an attacker causes a client to associate an authorization response with the wrong authorization server, potentially leading to token leakage or privilege escalation.

OAuth specifications describes two mitigations for mix‑up attacks: requiring issuer (*iss*) claim or using a unique redirect_uri for each client. A unique redirect_uri is not viable in an MCP environment where dynamic registration is possible. As such, the recommendation is for MCP environments to leverage the issuer mitigation.
Copy link
Copy Markdown
Contributor

@max-stytch max-stytch Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
OAuth specifications describes two mitigations for mix‑up attacks: requiring issuer (*iss*) claim or using a unique redirect_uri for each client. A unique redirect_uri is not viable in an MCP environment where dynamic registration is possible. As such, the recommendation is for MCP environments to leverage the issuer mitigation.
OAuth specifications describes two mitigations for mix‑up attacks: requiring issuer (*iss*) claim or using a unique redirect_uri for each issuer a client interacts with. A unique redirect_uri is not viable in an MCP environment where dynamic registration is possible. As such, the recommendation is for MCP environments to leverage the issuer mitigation.

seps/0000-recommend-issuer-claim-for-auth.md
## Specification

###Issuer Claim Requirement
MCP authorization servers SHOULD include an issuer (*iss*) claim in authorization responses that result in the issuance of access tokens or authorization codes.
Copy link
Copy Markdown
Contributor

@max-stytch max-stytch Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

9207 also defines the iss param in error responses. Should we do the same to be consistent with the spec?

Suggested change
MCP authorization servers SHOULD include an issuer (*iss*) claim in authorization responses that result in the issuance of access tokens or authorization codes.
MCP authorization servers SHOULD include an issuer (*iss*) claim in authorization responses to the client, including error responses.

seps/0000-recommend-issuer-claim-for-auth.md
The *iss* claim MUST:
- Exactly match the issuer identifier advertised via discovery or configuration
- Its value MUST be a URL that uses the "https" scheme without any query or fragment components.

Copy link
Copy Markdown
Contributor

@max-stytch max-stytch Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT about including the corresponding Authorization Server Metadata update that signals to clients that iss is supported / expected -

Suggested change
###Issuer Metadata Requirement
MCP authorization servers that support the `iss` parameter in authorization responses MUST advertise their support by returning `"authorization_response_iss_parameter_supported": true` in their authorization server metadata response as specified in [RFC9207](https://datatracker.ietf.org/doc/html/rfc9207#name-authorization-server-metada).

(Corresponding language needs to be added to the client validation requirement to check this parameter too)

@max-stytch max-stytch mentioned this pull request Mar 26, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@max-stytch max-stytch max-stytch left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

auth proposal SEP proposal without a sponsor. security SEP

Projects

SEP Review Pipeline
Status: No status

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@EmLauber @max-stytch @localden