Authorization and remote-host compliance #2975

Description

@g2vinay

Verify that the server still behaves correctly with the hardened auth model.

Work items:

  1. Re-test incoming auth in HTTP mode after the SDK upgrade.
  2. Verify issuer validation and OAuth protected resource metadata behavior with RC-compliant clients.
  3. Review outbound MCP-to-MCP auth for registry-backed servers in core/Microsoft.Mcp.Core/src/Areas/Server/Commands/Discovery.
  4. Reconfirm that the OBO path, hosting-environment identity path, and no-auth dev path still map cleanly to supported deployments.
  5. Update auth guidance where the spec now expects stricter issuer and registration behavior.

Acceptance criteria:

  • Authenticated HTTP mode still works end to end.
  • External MCP server calls remain functional against RC-compliant servers.
  • Operator docs reflect the stricter auth assumptions.
