auth4genai/mcp/auth-for-mcp.mdx
Lines changed: 7 additions & 14 deletions
@@ -46,32 +46,25 @@ Here is the standard OAuth authorization code flow when an MCP server uses Auth0
46
46
47
47
<Steps>
48
48
<Step>
49
-
The MCP client initiates the OAuth flow by making a request to the MCP
50
-
server's authorization endpoint.
49
+
The MCP client sends a request to the protected MCP server and receives HTTP `401 Unauthorized` with a `WWW-Authenticate` header that indicates the protected resource metadata URL.
51
50
</Step>
52
51
<Step>
53
-
The MCP server redirects the user to the Auth0 authorization server.
52
+
The MCP client requests the [resource metadata](https://datatracker.ietf.org/doc/html/rfc9728/) from the MCP server at the `/.well-known/oauth-protected-resource` endpoint.
54
53
</Step>
55
54
<Step>
56
-
The user authenticates with Auth0 (using username/password, social login, or
57
-
MFA).
55
+
The MCP client parses the metadata, selects an authorization server (Auth0) from the list, and then fetches its OAuth 2.0 Authorization Server Metadata from the `/.well-known/oauth-authorization-server` endpoint. [Dynamic Client Registration (DCR)](https://auth0.com/docs/get-started/applications/dynamic-client-registration#enable-dynamic-client-registration) can happen after receiving the metadata response.
58
56
</Step>
59
57
<Step>
60
-
After successful authentication, Auth0 redirects the browser back to the MCP
61
-
server's callback URL with a single-use authorization code.
58
+
The client generates [PKCE](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) parameters and builds the authorization request, then opens the browser to the authorization endpoint.
62
59
</Step>
63
60
<Step>
64
-
The MCP server exchanges the authorization code for an access token directly
65
-
with the Auth0 token endpoint.
61
+
The user then authenticates with Auth0 (using username/password, social login, or MFA). Auth0 redirects the browser to the MCP client’s registered redirect URI with an authorization code.
66
62
</Step>
67
63
<Step>
68
-
The MCP server validates the token from Auth0 and generates its own session
69
-
or internal access token that is bound to the third-party session.
64
+
The MCP client exchanges the code at the token endpoint and Auth0 returns the access token completing the original OAuth flow.
70
65
</Step>
71
66
<Step>
72
-
The MCP server completes the original OAuth flow, returning its own token to
73
-
the MCP client, which can then be used to make authenticated calls to the
74
-
server's tools.
67
+
After receiving an access token (and refresh token), the MCP client will use the access token to make authenticated calls to the MCP server's tools.
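Review bot: the rewritten steps drop the server-side token check that the removed lines 68-69 described ("The MCP server validates the token from Auth0 and generates its own session"), so the new flow now ends at line 67 with the client simply using the access token and never states that the MCP server validates the bearer token (signature, issuer, expiry, and an audience matching the resource it advertised in the metadata from step 2) before executing a tool call; suggest adding that sentence to the final step. Related, the authorization request in step 4 (line 58) should mention including the resource indicator for the MCP server (or the equivalent audience parameter on Auth0) so that the token Auth0 issues in step 6 is bound to this server rather than usable against any API the user has access to. Minor: line 64 needs a comma before "completing", and "(and refresh token)" on line 67 only holds when the client requested offline access, so consider "and, if requested, a refresh token".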