Skip to content

feat: enhance auth server discovery with OAuth2 and OIDC metadata support #677

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
localden merged 1 commit into from
Jun 17, 2025
Merged

feat: enhance auth server discovery with OAuth2 and OIDC metadata support #677

localden merged 1 commit into from
Jun 17, 2025

Conversation

@xiaoyijun
Copy link
Contributor

@xiaoyijun xiaoyijun commented Jun 9, 2025

Add OpenID Connect Discovery Support for Authorization Server Discovery

Motivation and Context

This PR enhances the authorization server discovery mechanism by adding support for OpenID Connect Discovery 1.0 alongside the existing OAuth 2.0 Authorization Server Metadata.

OpenID Connect (OIDC) is built on top of OAuth 2.0, extending it with standardized identity functionality. Many modern authorization servers implement OIDC as their primary protocol, making it crucial for MCP to support both discovery mechanisms. Popular authorization providers such as Keycloak, Auth0, and Logto all implement OIDC discovery by default.

Key benefits:

  • Better compatibility with OIDC-based authorization servers
  • Maintains full OAuth 2.0 compatibility since OIDC is an extension of OAuth 2.0
  • Enables seamless integration with popular identity providers
  • No breaking changes to existing OAuth 2.0 implementations

How Has This Been Tested?

N/A

Breaking Changes

None. This change is fully backwards compatible:

  • Existing OAuth 2.0 metadata discovery continues to work as before
  • Authorization servers can choose which discovery mechanism to implement
  • MCP clients must support both mechanisms but will automatically use the correct one

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The addition of OIDC discovery support is particularly valuable because:

  1. OIDC is the de-facto standard for modern identity providers
  2. The .well-known/openid-configuration endpoint is widely supported
  3. OIDC providers automatically support OAuth 2.0 flows since OIDC is built on top of OAuth 2.0
  4. This enables MCP to work seamlessly with popular authorization servers like Keycloak, Auth0, and Logto without additional configuration

@xiaoyijun xiaoyijun changed the title feat: enhance auth server discovery with OAuth2 and OpenID metadata support feat: enhance auth server discovery with OAuth2 and OIDC metadata support Jun 9, 2025
aaronpk
aaronpk requested changes Jun 11, 2025
View reviewed changes
localden
localden requested changes Jun 11, 2025
View reviewed changes
@xiaoyijun xiaoyijun force-pushed the feature/support-oidc-discovery-in-auth-spec branch from 81eca51 to 005d8de Compare June 12, 2025 10:06
@xiaoyijun xiaoyijun force-pushed the feature/support-oidc-discovery-in-auth-spec branch from 005d8de to 79b3dcc Compare June 12, 2025 10:07
@xiaoyijun xiaoyijun requested review from aaronpk and localden June 12, 2025 10:07
@xiaoyijun
Copy link
Contributor Author

xiaoyijun commented Jun 16, 2025

Hi @aaronpk , thanks again for your earlier review 🙏. I’ve addressed the changes you requested, would you have a moment to take another look?

pcarleton
pcarleton approved these changes Jun 17, 2025
View reviewed changes
Copy link
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

we'll also need support for this in the SDKs

@localden localden enabled auto-merge June 17, 2025 19:59
@localden localden merged commit 8b50bc2 into modelcontextprotocol:main Jun 17, 2025
2 checks passed
@xiaoyijun xiaoyijun mentioned this pull request Jun 18, 2025
Merged
9 tasks
@xiaoyijun
Copy link
Contributor Author

xiaoyijun commented Jun 18, 2025

Hi @pcarleton , I add this support in the client SDK in this PR, PTAL ❤️

@dsp-ant
Copy link
Member

dsp-ant commented Jun 18, 2025

this is missing an entry to changelog.mdx. @xiaoyijun please follow up and make an entry to changelog.mdx

@ihrpr ihrpr added this to the DRAFT 2025-06-XX milestone Jun 18, 2025
@ihrpr ihrpr mentioned this pull request Jun 18, 2025
Open
@xiaoyijun xiaoyijun mentioned this pull request Jun 18, 2025
Closed
9 tasks
@xiaoyijun
Copy link
Contributor Author

xiaoyijun commented Jun 18, 2025

@dsp-ant Apologies for the oversight, and thank you for pointing it out. The changelog entry has been added, and the PR is now ready: #779

@dsp-ant
Copy link
Member

dsp-ant commented Jun 18, 2025

Just FYI. I will revert this. I think in general its a good idea, but coming in too hot for a spec release that we are cutting today from the draft. This means it will require you to reopen the PR again once we have a new draft.

There are also open question how clients should handle the difference in fields between OICD and OAuth 2.0 AS metadata, that the PR should address.

@ochafik ochafik mentioned this pull request Jun 18, 2025
Open
@xiaoyijun xiaoyijun mentioned this pull request Jun 19, 2025
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk aaronpk approved these changes

@pcarleton pcarleton pcarleton approved these changes

@localden localden localden approved these changes

@D-McAdams D-McAdams Awaiting requested review from D-McAdams

Assignees

No one assigned

Labels

auth security

Projects

No open projects
Standards Track
Status: Draft

Milestone

DRAFT 2025-06-XX

Development

Successfully merging this pull request may close these issues.

6 participants

@xiaoyijun @dsp-ant @aaronpk @pcarleton @localden @ihrpr