Summary
Align Inspector v2 OAuth/OIDC with the MCP 2026-07-28 authorization hardening — six SEPs in the draft authorization spec and RC announcement.
Related: #1520 covers mid-session auth and step-up auth (SEP-2350). This issue tracks the remaining connect-time / DCR / discovery / token-lifecycle hardening.
Background
MCP’s single-client, many-server deployment pattern exposes sharp edges in vanilla OAuth/OIDC. The 2026-07-28 RC tightens client behavior to match real AS deployments (OAuth 2.1 / OIDC).
SEPs to implement
| SEP | Topic | Inspector work |
|---|---|---|
| SEP-2468 | `iss` validation (RFC 9207) | Validate `iss` on authorization responses; plan to reject responses that omit `iss` |
| SEP-837 | DCR `application_type` | Declare OIDC `application_type` during Dynamic Client Registration (web vs native/desktop/CLI) so ASes don’t default to `"web"` and reject localhost redirect URIs |
| SEP-2352 | Credential binding to issuer | Bind registered client credentials to AS issuer; re-register when a resource migrates between authorization servers |
| SEP-2207 | Refresh tokens (OIDC) | Document and implement correct refresh-token requests for OIDC-style ASes (including `scope` semantics on refresh) |
| SEP-2350 | Step-up scope accumulation | **Tracked in #1526** |
| SEP-2351 | `.well-known` discovery suffix | Use stable discovery suffix for resource and authorization metadata |
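As an added example (this is not Inspector code; the callback URL, loopback port, `state` and issuer values are constructed), the RFC 9207 check the SEP-2468 row describes, with the phased rollout expressed as a mode switch. The comparison is an exact string match, as RFC 9207 requires, so `https://as.example.com/` and `https://as.example.com` are different issuers.

```typescript
// Added example, not Inspector code: RFC 9207 `iss` validation on an
// authorization response, with the issue's phased rollout (warn, then reject)
// applied to responses that omit `iss`.

type IssMode = "warn" | "reject";

interface IssCheck {
  ok: boolean;       // false: do not exchange the code from this callback
  warning?: string;  // set in "warn" mode when `iss` is absent
  reason?: string;   // set whenever ok === false
}

// `expectedIssuer` is the `issuer` value from the AS metadata that was used to
// build the authorization request; `callbackUrl` is the full redirect URI the
// user agent arrived at (constructed in the test below).
function validateCallbackIssuer(
  callbackUrl: string,
  expectedIssuer: string,
  mode: IssMode = "reject",
): IssCheck {
  const params = new URL(callbackUrl).searchParams;

  // An error response is a failed authorization regardless of `iss`.
  if (params.has("error")) {
    return { ok: false, reason: `authorization error: ${params.get("error")}` };
  }

  const iss = params.get("iss");
  if (iss === null) {
    const msg = "authorization response omits iss (RFC 9207)";
    return mode === "reject" ? { ok: false, reason: msg } : { ok: true, warning: msg };
  }

  // Exact comparison, no normalisation of case, ports or trailing slashes.
  if (iss !== expectedIssuer) {
    return {
      ok: false,
      reason: `iss ${JSON.stringify(iss)} does not match expected issuer ${JSON.stringify(expectedIssuer)}`,
    };
  }

  return { ok: true };
}
```

The mode only governs the case where `iss` is absent, which is what the SEP row phases in. A present but mismatching `iss` is rejected in both modes, because that is the mix-up signal the parameter exists to surface; the check runs before the `code` is sent to any token endpoint.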
Scope
In scope
- `core/auth` + SDK OAuth path against each SEP
- `iss` validation incomplete
- `OAuthFlow` / callback handling
- `application_type` in DCR for web, TUI, CLI clients
- `v2_oauth_smoke_testing.md`
- `v2_scope.md` / EMA spec where relevant
Acceptance criteria
- Authorization callback rejects (or warns, per phased rollout) responses where `iss` does not match expected issuer (SEP-2468).
- DCR succeeds against OIDC providers that require `application_type` for native/localhost clients (SEP-837).
- Stored OAuth client state includes issuer binding; issuer migration triggers re-registration instead of silent failure (SEP-2352).
- Token refresh against OIDC ASes follows SEP-2207 semantics; covered by integration test.
- Discovery uses SEP-2351 suffix; existing resource-metadata flows still work.
- Smoke doc updated with at least one scenario per SEP where manually testable.
References
- specification/v2_auth_challenges.md
- specification/v2_enterprise_managed_auth.md
- specification/v2_oauth_smoke_testing.md
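The SEP-837 and SEP-2352 acceptance criteria above, as an added example that is not Inspector code: derive the OIDC `application_type` from the redirect URIs about to be registered, and key the stored registration by the AS `issuer` so that a resource migrating to a different AS forces re-registration rather than reusing credentials at the wrong server. Client name, redirect URIs, client id and issuer values are constructed; the loopback rule follows OIDC Dynamic Client Registration 1.0 (native clients use custom-scheme or `http` loopback URIs, everything else is `web`).

```typescript
// Added example, not Inspector code: DCR application_type selection (SEP-837)
// and issuer-bound client storage (SEP-2352).

type ApplicationType = "web" | "native";

interface RegistrationRequest {
  application_type: ApplicationType;
  redirect_uris: string[];
  grant_types: string[];
  response_types: string[];
  token_endpoint_auth_method: string;
  client_name: string;
}

// A registration as persisted by the client, bound to the issuer it came from.
interface StoredClient {
  issuer: string;            // `issuer` from the AS metadata used for DCR
  client_id: string;
  client_secret?: string;    // absent for native clients (auth method "none")
  registration: RegistrationRequest;
}

// Loopback literals permitted for native http redirect URIs.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Native: custom scheme (e.g. inspector://callback) or http on a loopback host.
// Anything served over https, or http on a non-loopback host, is a web client.
function isNativeRedirect(uri: string): boolean {
  const u = new URL(uri);
  if (u.protocol === "http:") return LOOPBACK_HOSTS.has(u.hostname);
  return u.protocol !== "https:";
}

// All redirect URIs must be native for the client to register as native;
// a single web-style URI makes the whole registration a web client.
function classifyApplicationType(redirectUris: string[]): ApplicationType {
  if (redirectUris.length === 0) throw new Error("at least one redirect_uri is required");
  return redirectUris.every(isNativeRedirect) ? "native" : "web";
}

function buildRegistrationRequest(clientName: string, redirectUris: string[]): RegistrationRequest {
  const applicationType = classifyApplicationType(redirectUris);
  return {
    application_type: applicationType,
    redirect_uris: redirectUris,
    grant_types: ["authorization_code", "refresh_token"],
    response_types: ["code"],
    // A native client cannot keep a secret; it authenticates with PKCE only.
    token_endpoint_auth_method: applicationType === "native" ? "none" : "client_secret_basic",
    client_name: clientName,
  };
}

// Credentials issued by one issuer are never presented to another: any change
// of issuer (or no stored registration at all) means re-registering.
function needsReregistration(stored: StoredClient | undefined, currentIssuer: string): boolean {
  if (stored === undefined) return true;
  return stored.issuer !== currentIssuer;
}

// Constructed sample: a loopback CLI/TUI registration obtained from one issuer.
const sampleStored: StoredClient = {
  issuer: "https://as-old.example.com",
  client_id: "constructed-client-id",
  registration: buildRegistrationRequest("MCP Inspector (constructed)", [
    "http://127.0.0.1:6274/oauth/callback",
  ]),
};
```

Persisting the `issuer` alongside `client_id` is what turns the silent failure named in the SEP-2352 criterion into an explicit re-registration: when the resource's protected-resource metadata starts pointing at a new AS, `needsReregistration` returns true and the old credentials are discarded rather than sent to the new server.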