Model Context Protocol (MCP) has recently released a new iteration of the [authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization). This enables a discovery flow for protected MCP servers, where they rely on OAuth 2.0 Protected Resource Metadata ([RFC9728](https://datatracker.ietf.org/doc/html/rfc9728)) documents to provide information about the authorization server(s) (AS) used by the MCP server.

## Rough flow

1. Remote protected MCP server is connected to VS Code (MCP client).
2. VS Code initiates a connection.
3. Server responds with an `HTTP 401 Unauthorized` and a `WWW-Authenticate` header that contains a `resource_metadata` field, which encapsulates a pointer to the PRM document.
4. VS Code reads the PRM document and extracts AS information.
5. VS Code initiates the discovery process with the AS using conventional `/.well-known` endpoints.
6. Depending on the AS, VS Code either performs OAuth 2.0 Dynamic Client Registration ([RFC7591](https://datatracker.ietf.org/doc/html/rfc7591)) or uses the built-in client ID.
7. With the information at hand, VS Code initiates the authorization via authorization code flow with PKCE.

## Reference items

- [MCP Spec Change](https://github.com/modelcontextprotocol/modelcontextprotocol/pull/338)
The issue was opened by localden and has received 3 comments.
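
Steps 3 to 5 of the rough flow, as an added example that is not part of the original issue and is not VS Code's code: it extracts `resource_metadata` from the challenge, accepts the PRM document only if its `resource` matches the server that was called (the strict comparison from RFC 9728), and builds the AS metadata URL in the RFC 8414 form. Function names and the `example.com` values are constructed assumptions, and the PRM is passed in as an already-fetched object so the code runs offline.

```javascript
// Added example: names and sample values are constructed, not VS Code's code.
const SAMPLE_CHALLENGE =
  'Bearer resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource/mcp"';
const SAMPLE_PRM = {
  resource: 'https://mcp.example.com/mcp',
  authorization_servers: ['https://auth.example.com/tenant1'],
};

// Split a WWW-Authenticate challenge into its scheme and auth-params.
function parseChallenge(header) {
  const m = /^\s*([A-Za-z][\w-]*)\s+(.*)$/s.exec(header);
  if (!m) throw new Error('malformed WWW-Authenticate header');
  const params = {};
  const re = /([\w-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  for (const p of m[2].matchAll(re)) {
    // Quoted values may contain backslash escapes; token values are taken as-is.
    params[p[1].toLowerCase()] = p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return { scheme: m[1].toLowerCase(), params };
}

// Refuse anything that is not an absolute https URL.
function httpsUrl(value, what) {
  let u;
  try { u = new URL(value); } catch { throw new Error(`${what} is not a URL`); }
  if (u.protocol !== 'https:') throw new Error(`${what} must use https`);
  return u;
}

// Step 3: locate the PRM document named by the 401 response.
function prmUrlFromChallenge(header) {
  const { params } = parseChallenge(header);
  if (!params.resource_metadata) throw new Error('no resource_metadata in challenge');
  return httpsUrl(params.resource_metadata, 'resource_metadata').href;
}

// Step 4: use the PRM only if it describes the server that was actually called.
function authServersFromPrm(prm, requestedUrl) {
  if (typeof prm.resource !== 'string' ||
      httpsUrl(prm.resource, 'resource').href !== new URL(requestedUrl).href) {
    throw new Error('PRM resource does not match the requested server');
  }
  const list = prm.authorization_servers;
  if (!Array.isArray(list) || list.length === 0) throw new Error('PRM lists no authorization servers');
  return list.map((as) => httpsUrl(as, 'authorization server').href);
}

// Step 5: RFC 8414 places the well-known segment before the issuer's path.
function asMetadataUrl(issuer) {
  const u = httpsUrl(issuer, 'issuer');
  if (u.search || u.hash) throw new Error('issuer must not have a query or fragment');
  const path = u.pathname === '/' ? '' : u.pathname.replace(/\/$/, '');
  return `${u.origin}/.well-known/oauth-authorization-server${path}`;
}
```

The resource check is what stops a PRM document served for one host from steering the client to an authorization server chosen for another.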