Verify that the server still behaves correctly with the hardened auth model.
Work items:
- Re-test incoming auth in HTTP mode after the SDK upgrade.
- Verify issuer validation and OAuth protected resource metadata behavior with RC-compliant clients.
- Review outbound MCP-to-MCP auth for registry-backed servers in core/Microsoft.Mcp.Core/src/Areas/Server/Commands/Discovery.
- Reconfirm that the OBO path, hosting-environment identity path, and no-auth dev path still map cleanly to supported deployments.
- Update auth guidance where the spec now expects stricter issuer and registration behavior.
Acceptance criteria:
- Authenticated HTTP mode still works end to end.
- External MCP server calls remain functional against RC-compliant servers.
- Operator docs reflect the stricter auth assumptions.
Verify that the server still behaves correctly with the hardened auth model.
Work items:
Acceptance criteria: