Skip to content

Commit e5eef54

Browse files
committed
Format with prettier
1 parent 33417ad commit e5eef54

1 file changed

Lines changed: 3 additions & 3 deletions

File tree

specification/stable/enterprise-managed-authorization.mdx

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -36,15 +36,15 @@ This profile is an application of the "Identity Assertion JWT Authorization Gran
3636
The Identity Assertion JWT Authorization Grant follows three steps:
3737

3838
1. Single Sign-On to the MCP Client via OpenID Connect or SAML
39-
1a. optionally exchange the SAML assertion for a Refresh Token
39+
1a. optionally exchange the SAML assertion for a Refresh Token
4040
2. Token Exchange ([RFC8693](https://datatracker.ietf.org/doc/html/rfc8693))
4141
3. JWT Authorization Grant ([RFC7523](https://datatracker.ietf.org/doc/html/rfc7523))
4242

4343
The core flow is as follows:
4444

4545
- A user logs in to an MCP Client through their enterprise Identity Provider, resulting in an Identity Assertion (ID Token or SAML assertion) being issued to the MCP Client.
4646
- For SAML:
47-
- The MCP Client sends a Token Exchange request to the Identity Provider with the SAML assertion, and obtains a Refresh Token.
47+
- The MCP Client sends a Token Exchange request to the Identity Provider with the SAML assertion, and obtains a Refresh Token.
4848
- The MCP Client sends a Token Exchange [[RFC8693](https://datatracker.ietf.org/doc/html/rfc8693)] request to the Identity Provider including the ID Token or Refresh Token, and the identifier of the MCP Server it is attempting to access, and obtains a Identity Assertion JWT Authorization Grant (ID-JAG).
4949
- The MCP Client uses the Identity Assertion JWT Authorization Grant as a JWT Authorization Grant [[RFC7523](https://datatracker.ietf.org/doc/html/rfc7523)] to request an access token from the Resource Authorization Server.
5050
- The Resource Authorization Server validates the Identity Assertion JWT Authorization Grant and, if valid, issues an access token.
@@ -150,6 +150,7 @@ grant_type=urn:ietf:params:oauth:grant-type:token-exchange
150150
```
151151

152152
If the client uses SAML for single sign-on to the IdP, see [Section 4.5](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-4.5) for details on how the client can exchange the SAML assertion for a refresh token, then use the refresh token to request an ID-JAG.
153+
153154
### 4.1 Processing Rules
154155

155156
The IdP processes the request according to [Section 4.3.3 of draft-ietf-oauth-identity-assertion-authz-grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-4.3.3). The IdP evaluates administrator-defined policies for the token exchange request and determines if the MCP Client should be granted access to act on behalf of the user for the target MCP Server and scopes.
@@ -258,7 +259,6 @@ An MCP Client can determine that a Resource Authorization Server supports this p
258259

259260
In most enterprise deployments, the IdP policy will only allow users to sign in to pre-registered clients. The MCP client will likely need to be pre-registered with the enterprise IdP for single sign-on.
260261

261-
262262
See [Section 5 of draft-ietf-oauth-identity-assertion-authz-grant](https://www.ietf.org/archive/id/draft-ietf-oauth-identity-assertion-authz-grant-04.html#section-5) for how the IdP determines the `client_id` value to include in the ID-JAG.
263263

264264
### 7.2 Scope of Enterprise Visibility and Policy Enforcement

0 commit comments

Comments
 (0)