OAuth 2.1 Support

Created on 27 March 2025, 6 months ago

Problem/Motivation

A new version of the MCP specification was finalized on 2025.03.26 with an authentication framework supporting OAuth 2.1
For more information see the Changelog
The new Athorization document can be found here

Proposed resolution

Implement OAuth authentication

Remaining tasks

  • Define a roadmap for implementation
  • Implement authentication
  • Implement tests
  • Extend the module's documentation
✨ Feature request
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡ͺπŸ‡ΈSpain alvarodemendoza

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @alvarodemendoza
  • πŸ‡¬πŸ‡ͺGeorgia gagosha

    It’s part of the module roadmap and a work in progress. Right now I’m in the research phase, so I’m open to conversation about how we can implement it.

  • πŸ‡¬πŸ‡ͺGeorgia gagosha
  • Status changed to Needs work about 2 months ago
  • πŸ‡³πŸ‡±Netherlands askibinski

    Let me share my findings, since I got this working (at least with MCP Inspector and Claude Code, but Claude.ai/desktop should also work).

    This is the main documentation with specifications:
    https://modelcontextprotocol.io/specification/2025-03-26/basic/authoriza...

    I leveraged the simple_oauth module which uses the php league oauth library for the heavy lifting. However, the module does not support Dynamic Client Registration (DCR) whch is required (at least, if you want to make it frictionless). See RFC7591.

    I used a PKCE Flow - Secure public client authentication without client secrets.

    I had an issue that default scopes were not supported and had to workaround that. Basically, on register (DCR) a consumer entity is created with default scopes and those need te be used in the request. Related: ✨ Provide default scopes if client is not requesting a specific scope Closed: outdated

    The MCP inspector's Oauth guide is really helpful in debugging all this locally.

  • πŸ‡¬πŸ‡ͺGeorgia gagosha

    Hey @askibinski, great to see someone interested in making it work.

    As I remember, when I researched the auth implementation, there were the following requirements β†’ Version 2025-06-18:

    * OAuth 2.0 Authorization Server Metadata (RFC8414) β†’ MUST
    * OAuth 2.0 Dynamic Client Registration Protocol (RFC7591) β†’ SHOULD
    * OAuth 2.0 Protected Resource Metadata (RFC9728) β†’ MUST

    And Dynamic Client Registration is a MUST if we want to work with Claude Web or any other web-based clients. So I'd actually consider it a MUST.

    I had a conversation with @bojan_dev, maintainer of the simple_oauth module, and:

    For RFC8414, these need to be done:
    https://www.drupal.org/project/simple_oauth/issues/3174705 ✨ Implement JWKs (RFC 7517) and OAuth metadata (RFC 8414) Needs work
    https://www.drupal.org/project/simple_oauth/issues/3033472 ✨ [PP-1] Support OpenID Connect Discovery Needs review

    RFC7591 and RFC9728 - nothing has been done yet.

    As you pointed out, the previous version supported the PKCE Flow without these requirements. It’s interesting if the latest version also supports this as is (I got these requirements from the latest version, as I mentioned, and never checked the old one :D).

Production build 0.71.5 2024