[Server] scope OAuth to resource server, not authorization server#382
Open
soyuka wants to merge 1 commit into
Conversation
Record ADR 0001: the MCP server is an OAuth 2.1 Resource Server that MAY delegate to an upstream authorization server, and will NOT issue tokens or act as an Identity Provider. Gives a single citable ruling to decline the recurring "native authorization server" PRs (e.g. modelcontextprotocol#373). Also remove the surface signal that invites them: reframe the OAuthProxyMiddleware class docblock to lead with its delegation intent and state explicit non-goals (never mints/signs/stores/rotates tokens), and add a "Scope" section to docs/authorization.md describing the three OAuth roles and what the SDK does not do. No behavior change — docblock, docs, and ADR only.
Summary
We keep getting PRs that push the SDK toward becoming a full OAuth 2.1 authorization server — minting its own tokens, registering clients, running login/consent (i.e. being an IdP). The most explicit is #373 (~3,400 lines / 50+ files), but the direction has crept in incrementally.
This PR draws the line authoritatively and removes the surface signal that invites it. No behavior change — ADR + docblock + docs only.
Why a docs/ADR change instead of code
A scope doc alone won't stop these PRs. The real driver is the API surface: the SDK already exposes the authorization-server endpoints in proxy form (OAuthProxyMiddleware answers /authorize, /token, /.well-known/oauth-authorization-server; DCR landed in #269). From a contributor's seat the SDK looks ~60% of an AS, so #373 reads as "finishing the job."

So this does two things:

1. Make OAuthProxyMiddleware's delegation-only intent unmistakable, so the leap to "issue tokens here" is no longer implied.
2. OAuth's three roles — the SDK implements one and a half:
   - (… WWW-Authenticate)
   - (… OAuthProxyMiddleware)

Changes

- adr/0001-oauth-authorization-server-out-of-scope.md — the ruling, rationale (security liability, RFC footprint, mature libs/IdPs already exist), boundary statement, and "what to do instead" (front with Keycloak/Auth0/Entra/Okta, or run league/oauth2-server in your own app behind the existing proxy + validator seams). References [Server] Add native OAuth 2.1 authorization server #373 as the example and [Server] Oauth2 based on middleware #221 / [Server] feat: relax StrictOidcDiscoveryMetadataPolicy and add Dynamic Client Registration middleware (RFC 7591) #269 as the surface origin.
- adr/README.md — new ADR index.
- src/Server/Transport/Http/Middleware/OAuthProxyMiddleware.php — class docblock only: leads with delegation intent, explicit non-goals (never mints/signs/stores/rotates tokens).
- docs/authorization.md — new "Scope: what this SDK does and does not do" section (three-role table + ADR link); proxy entry reframed as delegation.

Out of scope

php -l passes on the edited middleware. No markdown linter is configured in the repo.
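The role split the PR draws (Resource Server validates tokens and answers with WWW-Authenticate; the Authorization Server, not the SDK, mints them) can be made concrete in a few dozen lines. The following is an added illustration written for this page, not code from the MCP PHP SDK or from this PR: the class names, the issuer and resource URLs, and the claim values are constructed. The UpstreamAuthorizationServerStub exists only to produce a signed test token in the way a real AS (Keycloak, Auth0, Entra, Okta) would; the ResourceServerGuard is the only part whose job matches what the SDK is meant to do. The 401 challenge carries RFC 9728's resource_metadata parameter so a client can discover where to obtain a token without the resource server ever issuing one.

```php
<?php
// Added example (not SDK code): the Resource Server / Authorization Server split.
// All class names, URLs and claim values below are hypothetical.
declare(strict_types=1);

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $txt): string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    return (string) base64_decode(strtr($txt . $pad, '-_', '+/'), true);
}

/**
 * Stand-in for the upstream authorization server. It exists only to produce a
 * signed test token for the guard below; none of this belongs in the MCP server.
 */
final class UpstreamAuthorizationServerStub
{
    private \OpenSSLAsymmetricKey $privateKey;

    public function __construct(public readonly string $issuer)
    {
        $this->privateKey = openssl_pkey_new([
            'private_key_type' => OPENSSL_KEYTYPE_RSA,
            'private_key_bits' => 2048,
        ]);
    }

    /** The only thing a resource server needs from the AS: its public key (normally via JWKS). */
    public function publicKeyPem(): string
    {
        return openssl_pkey_get_details($this->privateKey)['key'];
    }

    /** Mints an RS256 JWT. Token issuance lives here, never in the resource server. */
    public function issueToken(array $claims): string
    {
        $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
        $payload = b64url(json_encode(['iss' => $this->issuer] + $claims));
        openssl_sign("$header.$payload", $sig, $this->privateKey, OPENSSL_ALGO_SHA256);
        return "$header.$payload." . b64url($sig);
    }
}

/** The resource-server role: validate an inbound bearer token, or challenge. */
final class ResourceServerGuard
{
    public function __construct(
        private readonly string $publicKeyPem,
        private readonly string $expectedIssuer,
        private readonly string $expectedAudience,    // this server's resource identifier
        private readonly string $resourceMetadataUrl, // RFC 9728 document pointing at the AS
    ) {}

    /** @return array{status: int, headers: array<string, string>, claims: ?array} */
    public function check(?string $authorizationHeader, int $now): array
    {
        if ($authorizationHeader === null || !preg_match('/^Bearer\s+(\S+)$/i', $authorizationHeader, $m)) {
            return $this->challenge(null); // no token at all: plain challenge, no error code
        }
        $parts = explode('.', $m[1]);
        if (count($parts) !== 3) {
            return $this->challenge('invalid_token');
        }
        [$h, $p, $s] = $parts;
        $header = json_decode(b64urlDecode($h), true);
        $claims = json_decode(b64urlDecode($p), true);
        // Pin the algorithm: the token must not get to choose it.
        if (!is_array($header) || !is_array($claims) || ($header['alg'] ?? null) !== 'RS256') {
            return $this->challenge('invalid_token');
        }
        if (openssl_verify("$h.$p", b64urlDecode($s), $this->publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
            return $this->challenge('invalid_token');
        }
        $aud = (array) ($claims['aud'] ?? []); // aud may be a string or a list
        if (($claims['iss'] ?? null) !== $this->expectedIssuer || !in_array($this->expectedAudience, $aud, true)) {
            return $this->challenge('invalid_token'); // wrong issuer, or a token meant for another resource
        }
        if (!isset($claims['exp']) || $claims['exp'] <= $now) {
            return $this->challenge('invalid_token');
        }
        return ['status' => 200, 'headers' => [], 'claims' => $claims];
    }

    private function challenge(?string $error): array
    {
        $value = 'Bearer resource_metadata="' . $this->resourceMetadataUrl . '"';
        if ($error !== null) {
            $value .= ', error="' . $error . '"';
        }
        return ['status' => 401, 'headers' => ['WWW-Authenticate' => $value], 'claims' => null];
    }
}

// Constructed walkthrough: one token for this resource, one for a different resource.
$as    = new UpstreamAuthorizationServerStub('https://as.example.test');
$guard = new ResourceServerGuard($as->publicKeyPem(), $as->issuer, 'https://mcp.example.test',
    'https://mcp.example.test/.well-known/oauth-protected-resource');
$now   = time();
$good  = $as->issueToken(['aud' => 'https://mcp.example.test', 'sub' => 'user-1', 'exp' => $now + 300]);
$other = $as->issueToken(['aud' => 'https://other-api.example.test', 'sub' => 'user-1', 'exp' => $now + 300]);

foreach (['valid token' => "Bearer $good", 'other audience' => "Bearer $other", 'no token' => null] as $label => $hdr) {
    $r = $guard->check($hdr, $now);
    printf("%-15s -> %d %s\n", $label, $r['status'], $r['headers']['WWW-Authenticate'] ?? '');
}
```

The guard never touches a private key, never registers a client and never runs a login flow; everything it needs from the authorization server is the public key and the issuer value. That is the boundary the ADR fixes, and the audience check is what stops a token minted for a different resource from being accepted here.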