Safeguard
AI Security

OAuth and authentication patterns for Model Context Proto...

MCP OAuth authentication has been rewritten three times since March 2025. Here's how the spec, its token security model, and real CVEs like CVE-2025-49596 shape safe MCP deployments.

James
Principal Security Architect
7 min read

Every Model Context Protocol server that exposes tools over HTTP is, whether its authors realize it or not, an OAuth resource server. That single architectural fact has driven three major specification rewrites in less than eighteen months. When Anthropic published MCP in November 2024, the protocol shipped with no formal identity story at all — it assumed a developer running a local process over stdio, where "authentication" meant "you already have a shell on the machine." That assumption broke the moment teams started exposing MCP servers over the network to remote AI agents, and it forced a scramble to bolt proper MCP OAuth authentication onto a protocol that wasn't built with it. The result is a spec that has changed shape three times since March 2025, a growing list of real-world CVEs, and a set of authorization patterns every team shipping an MCP server now has to get right the first time.

What is MCP OAuth authentication, and why does the protocol need it?

MCP OAuth authentication is the mechanism by which an MCP client proves to an MCP server, and the server proves to itself, that a given request carries a legitimately issued, correctly scoped token — not just "some bearer string a client attached." The protocol needs it because MCP servers routinely hold the keys to real systems: Git repositories, ticketing platforms, cloud consoles, internal databases. Anthropic's original 2024 spec left authorization almost entirely unaddressed, reasonable for a local stdio integration but untenable once vendors started running MCP servers as internet-facing HTTP services fronting production data. The March 26, 2025 revision was the first to define a formal authorization framework, requiring HTTP-transport MCP servers to implement OAuth 2.1 rather than inventing bespoke token schemes. That single decision — anchor MCP auth to an existing, audited standard instead of a custom one — is the reason the protocol's security story is recoverable at all; custom auth schemes in earlier community MCP servers were exactly where the first vulnerabilities showed up.

How does the MCP authorization spec differ from standard OAuth 2.1?

The MCP authorization spec differs from vanilla OAuth 2.1 mainly in how it defines roles: as of the June 18, 2025 revision, an MCP server is formally classified as an OAuth 2.0 Resource Server, not an Authorization Server, and it must publish OAuth 2.0 Protected Resource Metadata under RFC 9728 so clients can discover which Authorization Server actually issues its tokens. That sounds like a technicality, but it fixed a real problem: earlier MCP servers frequently acted as their own authorization server, minting and validating tokens themselves, which meant every server was reinventing token issuance, refresh, and revocation logic with no external review. The same revision made Resource Indicators (RFC 8707) mandatory for clients, binding every access token to the specific MCP server it was requested for. Then the November 25, 2025 update went further, replacing Dynamic Client Registration with Client ID Metadata Documents (CIMD) as the default registration model and making PKCE mandatory for every authorization code flow, closing the door on the downgrade attacks that plagued optional-PKCE implementations. In other words, the spec has moved, revision by revision, toward "delegate to a real identity provider and verify everything cryptographically" and away from "servers manage their own auth."

What is the confused deputy problem in MCP token security, and why does it matter?

The confused deputy problem in MCP token security is what happens when a server holding valid credentials for one purpose gets tricked into using them for another, unauthorized purpose — and it is the single most cited MCP-specific attack pattern in security research. The canonical failure mode is token passthrough: an MCP server receives a bearer token from a client, doesn't validate that the token's audience claim actually names that server, and forwards it unmodified to an upstream API. The upstream API, trusting the token, executes the action on behalf of whoever the token belongs to — even if that party never authorized this particular MCP tool call. The spec is now explicit on this point: an MCP server MUST NOT accept a token that was not issued specifically for it, and if it needs to act against a downstream service it MUST obtain a separately scoped token for that service rather than relaying the client's own credential. Security researchers cataloguing MCP-specific weaknesses (Adversa AI's "Top 25 MCP Vulnerabilities" review is a widely cited example) consistently rank confused-deputy and token-passthrough patterns near the top of the list, precisely because they're invisible in code review unless you're specifically checking audience validation.

Why did the November 2025 spec revision change how MCP identity is established?

The November 2025 revision changed how MCP identity is established because Dynamic Client Registration, the mechanism most early MCP clients relied on to self-register with an authorization server, turned out to be a poor fit for enterprise environments where IT teams need to pre-approve which clients can request tokens at all. Client ID Metadata Documents flip that model: instead of a client registering itself and receiving a server-issued ID, the client publishes a metadata document at a URL it controls, and the authorization server fetches and verifies that document on demand. DCR moved from a "SHOULD support" to a "MAY support" requirement, meaning implementers are no longer expected to build it by default. The same release added an Enterprise-Managed Authorization extension, sometimes called Cross-App Access, that lets an enterprise identity provider issue MCP tokens directly without a browser redirect — closing a gap where MCP identity had no clean path into existing SSO and conditional-access policies. For any team running MCP servers behind a corporate IdP, this is the change that finally makes MCP identity manageable the same way SaaS app identity already is.

What real-world vulnerabilities have exposed weak MCP OAuth implementations?

The clearest real-world example is CVE-2025-49596, a critical (CVSS 9.4) remote code execution vulnerability in Anthropic's own MCP Inspector debugging tool, disclosed in mid-2025. Versions before 0.14.1 ran a local proxy that accepted stdio commands from the browser-based Inspector UI without authenticating the request's origin, so a developer who simply visited a malicious webpage while Inspector was running could have arbitrary code executed on their machine — no OAuth token theft required, just a complete absence of request authentication at the transport layer. Anthropic's fix added session tokens on every proxy request and origin allow-listing, the same primitives OAuth-based MCP deployments already needed for their HTTP transport. The lesson generalizes: auth gaps in the MCP ecosystem haven't been exotic cryptographic breaks, they've been missing basics — unauthenticated local proxies, servers that skip audience checks, clients that treat DCR responses as trusted without verifying the registering party. Every one of these has a known, spec-documented mitigation; the gap is implementation discipline, not a lack of guidance.

How Safeguard Helps

Safeguard treats MCP servers the way it treats every other component in your software supply chain: as an artifact whose provenance, dependencies, and runtime behavior need continuous verification, not a one-time review. For MCP OAuth authentication specifically, Safeguard scans MCP server configurations and code for the failure patterns above before they ship — flagging servers that skip Protected Resource Metadata publication, that fail to validate token audience claims (the root cause of confused-deputy exposure), or that still depend on deprecated Dynamic Client Registration flows without a CIMD fallback. Safeguard's supply chain analysis also tracks which MCP server versions in your environment map to disclosed CVEs like CVE-2025-49596, so a vulnerable Inspector or proxy binary doesn't sit unpatched in a developer's toolchain for months. Because MCP identity increasingly routes through enterprise IdPs via Cross-App Access, Safeguard correlates MCP token issuance with your existing identity and access management posture, giving security teams one place to see which agents, servers, and human identities actually hold live MCP credentials — and to revoke them the moment a server's provenance looks wrong. As the MCP authorization spec continues to evolve, Safeguard's policy checks are versioned against each spec revision, so your MCP fleet gets flagged for drift the day a new requirement — mandatory PKCE, mandatory Resource Indicators, whatever comes next — ships, instead of months later during an audit.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.