You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/specification/draft/basic/authorization.mdx
+19Lines changed: 19 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -304,3 +304,22 @@ See [Security Best Practices 2.1](/specification/draft/basic/security_best_pract
304
304
305
305
MCP proxy servers using static client IDs **MUST** obtain user consent for each dynamically
306
306
registered client before forwarding to third-party authorization servers (which may require additional consent).
307
+
308
+
### 3.5 Access Token Privilege Restriction
309
+
310
+
An attacker can gain unauthorized access or otherwise compromise a MCP server if the server accepts tokens issued for other resources.
311
+
312
+
This vulnerability has two critical dimensions:
313
+
314
+
1.**Audience validation failures.** When an MCP server doesn't verify that tokens were specifically intended for it (for example, via the audience claim, as mentioned in [RFC9068](https://www.rfc-editor.org/rfc/rfc9068.html)), it may accept tokens originally issued for other services. This breaks a fundamental OAuth security boundary, allowing attackers to reuse legitimate tokens across different services than intended.
315
+
2.**Token passthrough.** If the MCP server not only accepts tokens with incorrect audiences but also forwards these unmodified tokens to downstream services, it can potentially cause the "confused deputy" problem, outlined in [Section 3.4](#34-confused-deputy-problem), where the downstream API may incorrectly trust the token as if it came from the MCP server or assume the token was validated by the upstream API. See [Security Best Practices 2.2](/specification/draft/basic/security_best_practices) for additional details.
316
+
317
+
MCP servers **MUST** validate access tokens before processing the request, ensuring the access token is issued specifically for the MCP server, and take all necessary steps to ensure no data is returned to unauthorized parties.
318
+
319
+
A MCP server **MUST** follow the guidelines in [OAuth 2.1 - Section 5.2](https://www.ietf.org/archive/id/draft-ietf-oauth-v2-1-12.html#section-5.2) to validate inbound tokens.
320
+
321
+
MCP servers **MUST** only accept tokens specifically intended for themselves.
322
+
323
+
If the MCP server makes requests to upstream APIs, it may act as an OAuth client to them. The access token used at the upstream API is a seperate token, issued by the upstream authorization server. The MCP server **MUST NOT** pass through the token it received from the MCP client.
324
+
325
+
If the authorization server supports the `resource` parameter, it is recommended that implementers follow [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html) to prevent token misuse.
Copy file name to clipboardExpand all lines: docs/specification/draft/basic/security_best_practices.mdx
+25Lines changed: 25 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -114,3 +114,28 @@ attack becomes possible:
114
114
115
115
MCP proxy servers using static client IDs **MUST** obtain user consent for each dynamically
116
116
registered client before forwarding to third-party authorization servers (which may require additional consent).
117
+
118
+
### 2.2 Token Passthrough
119
+
120
+
"Token passthrough" is an anti-pattern where an MCP server accepts tokens from an MCP client without validating that the tokens were properly issued _to the MCP server_ and "passing them through" to the downstream API.
121
+
122
+
#### 2.2.1 Risks
123
+
124
+
Token passthrough is explicitly forbidden in the [authorization specification](/specification/draft/basic/authorization) as it introduces a number of security risks, that include:
125
+
126
+
-**Security Control Circumvention**
127
+
- The MCP Server or downstream APIs might implement important security controls like rate limiting, request validation, or traffic monitoring, that depend on the token audience or other credential constraints. If clients can obtain and use tokens directly with the downstream APIs without the MCP server validating them properly or ensuring that the tokens are issued for the right service, they bypass these controls.
128
+
-**Accountability and Audit Trail Issues**
129
+
- The MCP Server will be unable to identify or distinguish between MCP Clients when clients are calling with an upstream-issued access token which may be opaque to the MCP Server.
130
+
- The downstream Resource Server’s logs may show requests that appear to come from a different source with a different identity, rather than the MCP server that is actually forwarding the tokens.
131
+
- Both factors make incident investigation, controls, and auditing more difficult.
132
+
- If the MCP Server passes tokens without validating their claims (e.g., roles, privileges, or audience) or other metadata, a malicious actor in possession of a stolen token can use the server as a proxy for data exfiltration.
133
+
-**Trust Boundary Issues**
134
+
- The downstream Resource Server grants trust to specific entities. This trust might include assumptions about origin or client behavior patterns. Breaking this trust boundary could lead to unexpected issues.
135
+
- If the token is accepted by multiple services without proper validation, an attacker compromising one service can use the token to access other connected services.
136
+
-**Future Compatibility Risk**
137
+
- Even if an MCP Server starts as a "pure proxy" today, it might need to add security controls later. Starting with proper token audience separation makes it easier to evolve the security model.
138
+
139
+
#### 2.2.2 Mitigation
140
+
141
+
MCP servers **MUST NOT** accept any tokens that were not explicitly issued for the MCP server.
0 commit comments