I'm currently working through a security review of MCP servers' auth implementations, and I'm stuck on something that I want a second opinion on.

One challenge with OAuth implementations is potential abuse by becoming an open redirector. However, with the validation of redirect URLs and pre-registered clients, the AS can know to block requests where redirects don't match. This has the secondary benefit of blocking attackers from turning an AS into an open redirector. With DCR, clients can register their own redirect URLs, which means the protection provided by AS vetting of clients' redirect URLs no longer prevents redirects to malicious URLs. MCP server clients (read: LLMs), which require dynamic client registration, and require it without authorization (an initial access token) to an AS, allow anyone to register malicious redirect URLs. These URLs can be used to bypass the normal restrictions on an AS being abused as an open redirector.

As long as MCP clients don't provide some sort of OIDC or pre-approval for requests to DCR, do we in fact have a "serious" problem here? I say "serious" because there is no security issue, but the conclusion I'm coming to is that any MCP Server that exists necessarily requires an open redirector unless they pre-validate a list of approved MCP Clients. I know there is the effort to create CIMD - OAuth Client ID Metadata Documents, but I don't see how that helps prevent this abuse.

While this isn't a security issue unless someone goes out of their way to enable all potential untrusted LLMs to register clients, and even then there are no security concerns, this abuse is not something that I think should be left unchecked. I would appreciate at least a double check on my thinking here.

Thanks,
Warren
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
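The following is an added example, not code from Warren's post or from any MCP or OAuth project. It models the two sides of the argument above in a toy authorization server: the authorization endpoint's exact-match `redirect_uri` check against a pre-registered client (RFC 6749 §3.1.2.3 simple string comparison, and §4.1.2.1's rule not to redirect on a mismatch), and a dynamic client registration endpoint that, when left open, lets any caller register its own redirect URL and so hands that check a matching value by construction. The two mitigations shown, an initial access token for registration (the RFC 7591 mechanism the post refers to) and a pre-approved redirect host allowlist, are the "pre-approval" the post asks about. All client ids, tokens, hostnames and the `AuthorizationServer` class are constructed for this example.

```python
"""Toy OAuth AS model: redirect_uri validation vs. open dynamic client registration.

Added example; all identifiers, tokens and URLs are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Client:
    client_id: str
    redirect_uris: list[str]


@dataclass
class AuthorizationServer:
    clients: dict[str, Client] = field(default_factory=dict)
    initial_access_tokens: set[str] = field(default_factory=set)
    approved_redirect_hosts: set[str] = field(default_factory=set)
    open_registration: bool = False  # the risky setting the post describes

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Authorization endpoint: return the redirect target or refuse."""
        client = self.clients.get(client_id)
        if client is None:
            raise ValueError("unknown client_id")
        # Exact string comparison against registered URIs: no prefix matching,
        # no normalisation (RFC 6749 s.3.1.2.3).
        if redirect_uri not in client.redirect_uris:
            # On a mismatch the AS must NOT redirect to the supplied URI
            # (RFC 6749 s.4.1.2.1); raising here models showing an error page.
            raise ValueError("redirect_uri does not match a registered URI")
        return f"{redirect_uri}?code=sample-authorization-code"

    def register(self, client_id: str, redirect_uris: list[str],
                 initial_access_token: Optional[str] = None) -> Client:
        """DCR endpoint (RFC 7591 style) with two optional pre-approval gates."""
        if not self.open_registration:
            # Gate 1: only callers holding an initial access token may register.
            if initial_access_token not in self.initial_access_tokens:
                raise PermissionError("registration requires an initial access token")
        for uri in redirect_uris:
            parts = urlsplit(uri)
            if parts.scheme != "https" or not parts.netloc or parts.fragment:
                raise ValueError(f"rejected redirect_uri: {uri}")
            # Gate 2: redirect hosts must be on a pre-approved list, if one exists.
            if self.approved_redirect_hosts and parts.hostname not in self.approved_redirect_hosts:
                raise ValueError(f"redirect host not pre-approved: {parts.hostname}")
        client = Client(client_id, list(redirect_uris))
        self.clients[client_id] = client
        return client


def demonstrate() -> dict[str, bool]:
    """Walk through the four configurations and report what each one permits."""
    results: dict[str, bool] = {}

    # Pre-registered client only: an unregistered redirect target is refused.
    strict = AuthorizationServer()
    strict.clients["good-client"] = Client("good-client", ["https://app.example/cb"])
    try:
        strict.authorize("good-client", "https://untrusted.example/cb")
        results["preregistered_blocks_mismatch"] = False
    except ValueError:
        results["preregistered_blocks_mismatch"] = True

    # Open DCR, no token, no allowlist: the caller registers its own URL first,
    # so the exact-match check passes and the AS redirects anywhere: open redirector.
    open_as = AuthorizationServer(open_registration=True)
    open_as.register("self-registered", ["https://untrusted.example/cb"])
    location = open_as.authorize("self-registered", "https://untrusted.example/cb")
    results["open_dcr_is_open_redirector"] = location.startswith("https://untrusted.example/cb")

    # Mitigation 1: registration requires an initial access token.
    gated = AuthorizationServer(initial_access_tokens={"sample-initial-token"})
    try:
        gated.register("self-registered", ["https://untrusted.example/cb"])
        results["token_gate_blocks_anonymous_dcr"] = False
    except PermissionError:
        results["token_gate_blocks_anonymous_dcr"] = True

    # Mitigation 2: registration stays open, but redirect hosts are pre-approved.
    allowlisted = AuthorizationServer(open_registration=True,
                                      approved_redirect_hosts={"app.example"})
    try:
        allowlisted.register("self-registered", ["https://untrusted.example/cb"])
        results["allowlist_blocks_unapproved_host"] = False
    except ValueError:
        results["allowlist_blocks_unapproved_host"] = True
    allowlisted.register("good-client", ["https://app.example/cb"])
    results["allowlist_permits_approved_host"] = "good-client" in allowlisted.clients
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The point the model makes concrete is that the exact-match check is only as strong as the registration step that feeds it: every `authorize` call above performs the same comparison, and it is the `register` policy alone that decides whether the AS can be pointed at an arbitrary host. A CIMD-style approach would change where the registered `redirect_uris` come from, but unless the AS also restricts which client identifiers it accepts, that is still caller-supplied data and the `open_registration=True` row is the one that applies.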
