Skip to content

Commit 33417ad

Browse files
pcarletonaaronpk
andauthored
Apply suggestions from code review
Co-authored-by: Aaron Parecki <aaron@parecki.com>
1 parent 9c25bbe commit 33417ad

1 file changed

Lines changed: 9 additions & 5 deletions

File tree

specification/stable/enterprise-managed-authorization.mdx

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -36,13 +36,16 @@ This profile is an application of the "Identity Assertion JWT Authorization Gran
3636
The Identity Assertion JWT Authorization Grant follows three steps:
3737

3838
1. Single Sign-On to the MCP Client via OpenID Connect or SAML
39+
1a. optionally exchange the SAML assertion for a Refresh Token
3940
2. Token Exchange ([RFC8693](https://datatracker.ietf.org/doc/html/rfc8693))
4041
3. JWT Authorization Grant ([RFC7523](https://datatracker.ietf.org/doc/html/rfc7523))
4142

4243
The core flow is as follows:
4344

4445
- A user logs in to an MCP Client through their enterprise Identity Provider, resulting in an Identity Assertion (ID Token or SAML assertion) being issued to the MCP Client.
45-
- The MCP Client sends a Token Exchange [[RFC8693](https://datatracker.ietf.org/doc/html/rfc8693)] request to the Identity Provider including the identity assertion and identifier of the MCP Server it is attempting to access, and obtains a Identity Assertion JWT Authorization Grant (ID-JAG).
46+
- For SAML:
47+
- The MCP Client sends a Token Exchange request to the Identity Provider with the SAML assertion, and obtains a Refresh Token.
48+
- The MCP Client sends a Token Exchange [[RFC8693](https://datatracker.ietf.org/doc/html/rfc8693)] request to the Identity Provider including the ID Token or Refresh Token, and the identifier of the MCP Server it is attempting to access, and obtains a Identity Assertion JWT Authorization Grant (ID-JAG).
4649
- The MCP Client uses the Identity Assertion JWT Authorization Grant as a JWT Authorization Grant [[RFC7523](https://datatracker.ietf.org/doc/html/rfc7523)] to request an access token from the Resource Authorization Server.
4750
- The Resource Authorization Server validates the Identity Assertion JWT Authorization Grant and, if valid, issues an access token.
4851
- The MCP Client uses the access token to make requests to the MCP Server.
@@ -124,7 +127,7 @@ To request an ID-JAG, the MCP Client makes a Token Exchange request to the IdP's
124127
In this profile:
125128

126129
- `audience` **MUST** be the issuer identifier of the Resource Authorization Server.
127-
- `resource` is **REQUIRED** and **MUST** be the Resource Identifier of the MCP Server as defined in [RFC9728](https://datatracker.ietf.org/doc/html/rfc9728).
130+
- `resource` is **OPTIONAL** and if set, **MUST** be the Resource Identifier of the MCP Server as defined in [RFC9728](https://datatracker.ietf.org/doc/html/rfc9728).
128131

129132
If the IdP requires client authentication when the MCP Client performs OpenID Connect for single sign-on, then client authentication of the Token Exchange request is also required.
130133

@@ -146,6 +149,7 @@ grant_type=urn:ietf:params:oauth:grant-type:token-exchange
146149
&client_secret=a26d84873504215a34a86d52ef5cd64f4b76
147150
```
148151

152+
If the client uses SAML for single sign-on to the IdP, see [Section 4.5](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-4.5) for details on how the client can exchange the SAML assertion for a refresh token, then use the refresh token to request an ID-JAG.
149153
### 4.1 Processing Rules
150154

151155
The IdP processes the request according to [Section 4.3.3 of draft-ietf-oauth-identity-assertion-authz-grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-4.3.3). The IdP evaluates administrator-defined policies for the token exchange request and determines if the MCP Client should be granted access to act on behalf of the user for the target MCP Server and scopes.
@@ -175,7 +179,7 @@ Error responses are returned as OAuth 2.0 Token Error responses per [Section 5.2
175179

176180
The ID-JAG is a JWT issued and signed by the IdP with the claims defined in [Section 3.1 of draft-ietf-oauth-identity-assertion-authz-grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-3.1).
177181

178-
In this profile, the `resource` claim is **REQUIRED** and **MUST** contain the Resource Identifier of the MCP Server.
182+
In this profile, the `resource` claim **MUST** contain the Resource Identifier of the MCP Server if present.
179183

180184
An example JWT shown with expanded header and payload claims may look like this:
181185

@@ -188,6 +192,7 @@ An example JWT shown with expanded header and payload claims may look like this:
188192
"jti": "9e43f81b64a33f20116179",
189193
"iss": "https://acme.idp.example",
190194
"sub": "U019488227",
195+
"email": "user@example.com",
191196
"aud": "https://auth.chat.example/",
192197
"resource": "https://mcp.chat.example/",
193198
"client_id": "f53f191f9311af35",
@@ -253,13 +258,12 @@ An MCP Client can determine that a Resource Authorization Server supports this p
253258

254259
In most enterprise deployments, the IdP policy will only allow users to sign in to pre-registered clients. The MCP client will likely need to be pre-registered with the enterprise IdP for single sign-on.
255260

256-
It is also assumed that the MCP client will be pre-registered with the Resource Authorization Server.
257261

258262
See [Section 5 of draft-ietf-oauth-identity-assertion-authz-grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-5) for how the IdP determines the `client_id` value to include in the ID-JAG.
259263

260264
### 7.2 Scope of Enterprise Visibility and Policy Enforcement
261265

262-
This specification enables the enterprise IdP to be part of the issuance of the access token at the MCP Server. The visibility the IdP has between the MCP Client and MCP Server is limited to the process of issuing the access token, but does not extend to the actual API calls between the MCP Client and Server.
266+
This specification enables the enterprise IdP to be part of the issuance of the access token at the MCP Server. The visibility the IdP has between the MCP Client and MCP Server is limited to the process of issuing the access token, but does not extend to the actual MCP traffic between the MCP Client and Server.
263267

264268
This enables the enterprise IdP to enforce policies such as which users in the organization can use certain MCP clients with certain MCP servers. Depending on the granularity of the OAuth scopes defined at the MCP server, this can also extend to govern which scopes a given user can request.
265269

0 commit comments

Comments
 (0)