chore: Add requirement for RFC8707 #734

localden · 2025-06-13T20:26:39Z

Related to #544

docs/specification/draft/basic/authorization.mdx

Co-authored-by: Aaron Parecki <aaron@parecki.com>

docs/specification/draft/basic/authorization.mdx

dsp-ant · 2025-06-16T14:58:24Z

docs/specification/draft/basic/authorization.mdx

+[RFC 8707 Section 2](https://www.rfc-editor.org/rfc/rfc8707.html#section-2) and aligns with the `resource` parameter in
+[RFC 9728](https://datatracker.ietf.org/doc/html/rfc9728). This URI:
+
+1. **MUST** be an absolute URI, as specified by [Section 4.3 of RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-4.3).


Do we need to list these or should we just refer to RFC 8707.

@dsp-ant IMO these are helpful to list explicitly as guidance for implementers.

I find the examples useful, this list slightly less so since I ended up bringing up 8707 to see if there was a diff. I'm inclined to remove it to keep it brief.

docs/specification/draft/basic/authorization.mdx

pcarleton

overall lgtm.

left a few optional tweaks.

pcarleton · 2025-06-16T19:59:53Z

docs/specification/draft/basic/authorization.mdx

+[RFC 8707 Section 2](https://www.rfc-editor.org/rfc/rfc8707.html#section-2) and aligns with the `resource` parameter in
+[RFC 9728](https://datatracker.ietf.org/doc/html/rfc9728). This URI:
+
+1. **MUST** be an absolute URI, as specified by [Section 4.3 of RFC 3986](https://www.rfc-editor.org/rfc/rfc3986#section-4.3).


I find the examples useful, this list slightly less so since I ended up bringing up 8707 to see if there was a diff. I'm inclined to remove it to keep it brief.

pcarleton · 2025-06-16T20:14:23Z

docs/specification/draft/basic/authorization.mdx

+- `https://mcp.example.com`
+- `https://mcp.example.com:8443`
+- `https://mcp.example.com/server` (when path component is necessary to identify individual MCP server)


Suggested change

- `https://mcp.example.com`

- `https://mcp.example.com:8443`

- `https://mcp.example.com/server` (when path component is necessary to identify individual MCP server)

- `https://mcp.example.com/mcp`

- `https://mcp.example.com`

- `https://mcp.example.com:8443`

- `https://mcp.example.com/server/mcp` (when path component is necessary to identify individual MCP server)

wydt about this? I want to make it clear that passing the "server URL" is completely valid, like the one people would likely pass into a client.

mcguinness · 2025-06-17T03:50:29Z

Requiring the client to pass the resource indicator is necessary but not sufficient for mitigating phishing attacks as the client has no way of knowing that an discovered Authorization Server successfully processed the resource indicator or not. Many authorization servers today will silently ignore a resource param. RFC 8707 does not provide any token response parameters (e.g audience) or authorization server metadata params to enable a client to detect whether an AS will process a resource request or return an invalid_state error.

See #284 (comment)) and oauth-wg/oauth-v2-1#215

Update authorization.mdx

6f4714c

mintlify bot deployed to staging - docs June 13, 2025 20:27 View deployment

localden requested review from D-McAdams, aaronpk and pcarleton June 13, 2025 20:30

localden added auth security labels Jun 13, 2025

aaronpk reviewed Jun 13, 2025

View reviewed changes

docs/specification/draft/basic/authorization.mdx Show resolved Hide resolved

Update authorization.mdx

a66f8f3

mintlify bot deployed to staging - docs June 13, 2025 20:40 View deployment

Merge branch 'main' into localden/rfc8707

c7f30a2

mintlify bot deployed to staging - docs June 13, 2025 22:09 View deployment

aaronpk reviewed Jun 13, 2025

View reviewed changes

docs/specification/draft/basic/authorization.mdx Outdated Show resolved Hide resolved

Update docs/specification/draft/basic/authorization.mdx

e6c9de7

Co-authored-by: Aaron Parecki <aaron@parecki.com>

mintlify bot deployed to staging - docs June 13, 2025 22:21 View deployment

Merge branch 'main' into localden/rfc8707

83978b1

mintlify bot deployed to staging - docs June 13, 2025 23:25 View deployment

Merge branch 'main' into localden/rfc8707

5d4f749

mintlify bot deployed to staging - docs June 14, 2025 06:18 View deployment

Merge branch 'main' into localden/rfc8707

6e0e04a

mintlify bot deployed to staging - docs June 14, 2025 18:58 View deployment

ihrpr added this to Standards Track Jun 16, 2025

github-project-automation bot moved this to Draft in Standards Track Jun 16, 2025

pcarleton reviewed Jun 16, 2025

View reviewed changes

docs/specification/draft/basic/authorization.mdx Show resolved Hide resolved

ihrpr moved this from Draft to In Review in Standards Track Jun 16, 2025

ihrpr added this to the DRAFT 2025-06-XX milestone Jun 16, 2025

ihrpr mentioned this pull request Jun 16, 2025

Add requirement for RFC8707 #752

Closed

pcarleton mentioned this pull request Jun 16, 2025

update typescript auth example to demonstrate RFC 8707 resource parameter validation modelcontextprotocol/typescript-sdk#635

Closed

dsp-ant reviewed Jun 16, 2025

View reviewed changes

Merge branch 'main' into localden/rfc8707

8ba9264

Update authorization.mdx

6241273

mintlify bot deployed to staging - docs June 16, 2025 18:35 View deployment

Update authorization.mdx

302512e

mintlify bot deployed to staging - docs June 16, 2025 18:39 View deployment

Update authorization.mdx

eeebf87

mintlify bot deployed to staging - docs June 16, 2025 19:08 View deployment

Update authorization.mdx

a45cad7

mintlify bot deployed to staging - docs June 16, 2025 19:40 View deployment

Update authorization.mdx

66b8a65

mintlify bot deployed to staging - docs June 16, 2025 19:45 View deployment

Update authorization.mdx

7f8f1b0

localden requested review from aaronpk, dsp-ant and pcarleton June 16, 2025 19:53

localden enabled auto-merge June 16, 2025 19:54

mintlify bot deployed to staging - docs June 16, 2025 19:59 View deployment

pcarleton approved these changes Jun 16, 2025

View reviewed changes

localden merged commit 20a951a into main Jun 16, 2025
7 checks passed

localden deleted the localden/rfc8707 branch June 16, 2025 20:15

github-project-automation bot moved this from In Review to Approved in Standards Track Jun 16, 2025

localden mentioned this pull request Jun 16, 2025

chore: Follow-up on RFC8707 in authorization.mdx #758

Merged

xiaoyijun mentioned this pull request Jun 17, 2025

feat(auth): support resource indicators in auth flow modelcontextprotocol/typescript-sdk#498

Closed

9 tasks

primeinc mentioned this pull request Jun 18, 2025

Migrate from fastmcp to official modelcontextprotocol/python-sdk primeinc/telnyx-mcp-server#13

Draft

ochafik mentioned this pull request Jun 18, 2025

RFC 8707 Resource Indicators Implementation modelcontextprotocol/typescript-sdk#638

Merged

9 tasks

localden mentioned this pull request Jun 18, 2025

chore: Update security considerations in authorization.mdx #787

Merged

ihrpr mentioned this pull request Jun 20, 2025

RFC 8707 Resource Indicators Implementation modelcontextprotocol/python-sdk#991

Merged

findleyr mentioned this pull request Jun 24, 2025

Implement client-side resource indicators modelcontextprotocol/go-sdk#18

Open

Mookse mentioned this pull request Jun 25, 2025

MCP: Upgrade to 2025-06-18 MyLife-Services/mylife-maht#536

Closed

6 tasks

Mookse mentioned this pull request Jul 2, 2025

MCP (Security) Upgrade 2025-0618 MyLife-Services/mylife-maht#541

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore: Add requirement for RFC8707 #734

chore: Add requirement for RFC8707 #734

Uh oh!

localden commented Jun 13, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dsp-ant Jun 16, 2025

Uh oh!

localden Jun 16, 2025

Uh oh!

pcarleton Jun 16, 2025

Uh oh!

Uh oh!

pcarleton left a comment

Uh oh!

pcarleton Jun 16, 2025

Uh oh!

pcarleton Jun 16, 2025

Uh oh!

Uh oh!

mcguinness commented Jun 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

chore: Add requirement for RFC8707 #734

chore: Add requirement for RFC8707 #734

Uh oh!

Conversation

localden commented Jun 13, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

dsp-ant Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

localden Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

pcarleton Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

pcarleton left a comment

Choose a reason for hiding this comment

Uh oh!

pcarleton Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

pcarleton Jun 16, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

mcguinness commented Jun 17, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants