Skip to content

Pass a resource parameter in the authorization URL when using oauth-protected-resource during OAuth #592

New issue
New issue
Closed
#638
Closed
Pass a resource parameter in the authorization URL when using oauth-protected-resource during OAuth#592
#638
Assignees
ochafik
Labels
enhancementRequest for a new feature that's not currently supported
@thedadams

Description

@thedadams
thedadams
opened on Jun 4, 2025

Is your feature request related to a problem? Please describe.
Since a single MCP client may be handing the OAuth flow for several MCP servers, it is important that the authorization server knows where the generated access token will be used. A safety-conscious MCP server could then verify that the access token generated is meant it specifically (typically done via the aud claim in a JWT).

Describe the solution you'd like
As RFC 8707 states, passing a resource query parameter when initiating the OAuth authorization flow allows the authentication server to determine where the generated access token will be used.

Describe alternatives you've considered
N/A

Additional context
I understand that this is part of the draft spec and may still be a work in progress, but I wasn't able to find any other issues or pull requests on this subject.

Metadata

Metadata

Assignees

Labels

enhancementRequest for a new feature that's not currently supported

Type

No type

Projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions