Hi folks,

Following Aaron's suggestion, I want to surface OAuth 2.1 Github issue 223 for discussion on this mailing list - https://github.com/oauth-wg/oauth-v2-1/issues/233. I am hopeful that we can close on this issue by mail.

Summary: OAuth 2.1 incorporates RFC 9207's issuer response parameter optionally. I believe OAuth 2.1 should make this parameter mandatory.

Rationale:

* MCP needs this to mitigate the mix-up attack.
* Enabling clients to mitigate the mix-up attack requires a very small amount of work from servers - returning a constant response value (iss).
* We (OAuth WG) should strive for a simpler world for non-auth experts where non-auth specifications (like MCP) can just reference OAuth 2.1 and be secure. It should not be necessary for non-auth experts to reference OAuth 2.1 and also read many OAuth 2 extensions and evaluate which of those extensions are needed for security.

The status quo (optional) makes implementing OAuth 2.1 slightly easier for OAuth providers, at the cost of requiring more complex security analysis from specifications that reference OAuth 2.1 (like MCP) and clients that implement OAuth 2.1 (like MCP clients). Given that the implementation burden on OAuth providers is very small, I believe that mandating this response parameter is the right tradeoff.

There will undoubtedly be a small flurry of activity when OAuth 2.1 is finalized where implementations advertise their compliance. We should take advantage of that opportunity to mitigate the mix-up attack once and for all.

Attack in detail: See https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1721#issuecomment-3555689564.

Thanks,
Will Bartlett
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
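The client-side check the post is asking servers to enable, as an added example that is not part of the original message or of any OAuth 2.1 or MCP implementation: an OAuth client validates the redirect back from the authorization server and treats the RFC 9207 `iss` parameter as mandatory, so a response that is missing it or that names a different issuer (what a mix-up attack produces) is rejected before the authorization code is ever sent to a token endpoint. The function and parameter names, the `pending` record shape, and all URLs, codes and state values are constructed assumptions for the example.

```python
"""Added example (not from the mailing-list post): an OAuth client's
handling of the authorization response with the RFC 9207 `iss` check
treated as mandatory, as the post proposes for OAuth 2.1.

Assumptions (not from the post): the client stored the expected issuer
identifier (from the AS's metadata) and the `state` value when it started
the flow; the helper names below are hypothetical; URLs, codes and state
values are constructed sample values.
"""
from urllib.parse import parse_qs, urlsplit


class AuthorizationResponseError(Exception):
    """Raised when the redirect back to the client must not be acted on."""


def _single(params, name):
    """Return the one value of a query parameter, or None if it is absent.

    RFC 6749 forbids repeating a parameter; a duplicate is a malformed
    response and is rejected rather than silently picking one value.
    """
    values = params.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise AuthorizationResponseError(f"parameter {name!r} repeated")
    return values[0]


def parse_authorization_response(redirect_url, pending):
    """Validate the authorization response and return the authorization code.

    `pending` is the per-flow record the client saved before redirecting the
    user: {"issuer": <AS issuer identifier from its metadata>,
           "state":  <unguessable value sent in the authorization request>}.
    """
    params = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)

    # 1. Bind the response to the flow this client actually started.
    if _single(params, "state") != pending["state"]:
        raise AuthorizationResponseError("state mismatch")

    # 2. Mandatory RFC 9207 issuer check. The value must equal the issuer
    #    identifier the client obtained from the AS's metadata, compared as
    #    plain strings with no normalisation. A missing or different `iss`
    #    is exactly what a mix-up attack produces, so the flow stops here
    #    and the code is never presented to any token endpoint.
    iss = _single(params, "iss")
    if iss is None:
        raise AuthorizationResponseError("iss parameter missing")
    if iss != pending["issuer"]:
        raise AuthorizationResponseError(
            f"iss {iss!r} does not match expected issuer {pending['issuer']!r}")

    # 3. Only now look at the outcome of the authorization request.
    error = _single(params, "error")
    if error is not None:
        raise AuthorizationResponseError(f"authorization server error: {error}")
    code = _single(params, "code")
    if code is None:
        raise AuthorizationResponseError("code parameter missing")
    return code


if __name__ == "__main__":
    # Constructed sample flow: the client expects https://as.example.
    pending = {"issuer": "https://as.example", "state": "s1"}
    good = "https://client.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fas.example"
    print("accepted code:", parse_authorization_response(good, pending))
    for bad in (
        "https://client.example/cb?code=abc&state=s1",                                # no iss
        "https://client.example/cb?code=abc&state=s1&iss=https%3A%2F%2Fother.example",  # wrong issuer
    ):
        try:
            parse_authorization_response(bad, pending)
        except AuthorizationResponseError as exc:
            print("rejected:", exc)
```

The ordering matters: `state` is checked first so an unsolicited redirect is dropped before anything else is inspected, and `iss` is checked before `code` or `error` so that even an error response from the wrong issuer is not trusted. Whether the authorization server advertises `authorization_response_iss_parameter_supported` in its metadata is deliberately not consulted; under the proposal in the post, every OAuth 2.1 server returns `iss`, so the client can simply require it.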
