fix: prevent OAuth resource spoofing#937

Merged
DaleSeo merged 1 commit into main from fix/oauth-resource-spoofing, Jun 27, 2026

Conversation

@DaleSeo DaleSeo commented Jun 27, 2026
Member

Motivation and Context

This fixes an OAuth protected-resource metadata spoofing issue by requiring discovered RFC 9728 metadata to identify the same MCP resource the client is connecting to. Without this check, a malicious MCP server could advertise another resource's authorization server and trick clients into sending access tokens to the wrong server. The change rejects missing or mismatched resource values before trusting advertised authorization servers or scopes, while preserving the root URL slash normalization needed for existing local-server flows.

How Has This Been Tested?

Added tests

Breaking Changes

This is intended to be a non-breaking security fix.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context
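
The resource check described in the PR description, as an added example that is not part of this PR or the SDK's own code; the helper names, the comparison rules and the sample metadata documents are assumptions made for this illustration.

```python
"""Added example: accept RFC 9728 protected-resource metadata only when its
"resource" names the MCP resource the client is connecting to (hypothetical
helpers, not the SDK's own code)."""
from urllib.parse import urlsplit, urlunsplit


class ResourceMismatchError(ValueError):
    """Metadata has no "resource" value or names a different resource."""


def normalize_resource(url: str) -> str:
    """Scheme and host compare case-insensitively; only the root path is
    normalized (empty path -> "/"), so "/mcp" and "/mcp/" stay distinct."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))


def validate_protected_resource_metadata(metadata: dict, expected_resource: str) -> dict:
    """Return the metadata only if its "resource" identifies expected_resource.
    Anything else is rejected before authorization_servers or scopes are read."""
    advertised = metadata.get("resource")
    if not isinstance(advertised, str) or not advertised:
        raise ResourceMismatchError("protected resource metadata has no 'resource' value")
    if normalize_resource(advertised) != normalize_resource(expected_resource):
        raise ResourceMismatchError(
            f"metadata resource {advertised!r} does not identify {expected_resource!r}")
    return metadata


def select_authorization_servers(metadata: dict, expected_resource: str) -> list[str]:
    """Advertised authorization servers are trusted only after the check passes."""
    checked = validate_protected_resource_metadata(metadata, expected_resource)
    return list(checked.get("authorization_servers", []))


def metadata_is_trusted(metadata: dict, expected_resource: str) -> bool:
    try:
        validate_protected_resource_metadata(metadata, expected_resource)
    except ResourceMismatchError:
        return False
    return True


# Constructed sample documents for a client connecting to https://mcp.example.com
GOOD = {"resource": "https://mcp.example.com/",  # root slash difference is tolerated
        "authorization_servers": ["https://auth.example.com"], "scopes_supported": ["mcp:read"]}
SPOOFED = {"resource": "https://other.example.net/mcp",  # names someone else's resource
           "authorization_servers": ["https://as.attacker.example"]}
NO_RESOURCE = {"authorization_servers": ["https://auth.example.com"]}  # field missing entirely
```

Only `GOOD` yields authorization servers; the spoofed and field-less documents are rejected before anything in them is trusted.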

@github-actions github-actions Bot added T-core Core library changes T-transport Transport layer changes labels Jun 27, 2026
@DaleSeo DaleSeo marked this pull request as ready for review June 27, 2026 16:03
@DaleSeo DaleSeo requested a review from a team as a code owner June 27, 2026 16:03
@DaleSeo DaleSeo merged commit c1a8b29 into main Jun 27, 2026
19 checks passed
@DaleSeo DaleSeo deleted the fix/oauth-resource-spoofing branch June 27, 2026 23:43