How to secure your MCP server with OAuth resource indicators
Blog post from WorkOS
As the Model Context Protocol (MCP) evolves, its authentication layer has adopted resource indicators from OAuth 2.0 to strengthen security by binding tokens to specific resource servers. Resource indicators, defined in RFC 8707, let a client state which server a token is intended for, which prevents a token issued for one server from being accepted by another and mitigates token confusion attacks.

MCP uses these indicators by having clients include a resource parameter during authentication, so that each token is bound to a designated server and the associated risk is reduced. Implementing this correctly requires the MCP server to advertise one consistent canonical URI, to validate the aud claim of every token it receives, and to return informative error messages that help with debugging.

For MCP client developers, managing tokens for multiple servers is essential, since each server requires its own token. Authorization server operators, in turn, must support RFC 8707: accept the resource parameter and embed the matching aud claim in the tokens they issue.

Resource indicators complement OAuth scopes: scopes define what actions a token permits, and resource indicators define where those actions may be performed, which bolsters security in multi-server environments. WorkOS AuthKit offers native support for resource indicators and integrates with existing systems, for teams that prefer not to run this infrastructure themselves.
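The three roles described above, as an added example in Python that is not WorkOS, AuthKit or MCP project code: the client puts the resource parameter in its authorization request and keeps one token per server, the authorization server copies the canonical resource URI into aud, and each MCP server refuses any token whose aud names a different server, with an error description that says why. The HMAC key, issuer, URIs and token format are constructed for the demo (a real deployment uses signed JWTs with keys published by the authorization server).

```python
"""Added example (not WorkOS or MCP project code): the RFC 8707 token-binding
flow in miniature. Every key, issuer and URI below is constructed for the demo."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode, urlparse

# Constructed demo signing key shared by the authorization server and the
# MCP servers; production deployments use asymmetric keys instead.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://auth.example.com"  # constructed authorization server


def canonical_resource(uri: str) -> str:
    """Normalize a resource indicator: absolute URI, lowercase scheme and host,
    no fragment (RFC 8707 forbids fragments in the resource parameter)."""
    p = urlparse(uri)
    if not p.scheme or not p.netloc:
        raise ValueError(f"resource must be an absolute URI: {uri!r}")
    if p.fragment:
        raise ValueError(f"resource must not contain a fragment: {uri!r}")
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authorization_url(client_id: str, redirect_uri: str, scope: str, resource: str) -> str:
    """Client side: the authorization request names the intended MCP server
    through the `resource` parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "resource": canonical_resource(resource),
    }
    return f"{ISSUER}/oauth2/authorize?{urlencode(params)}"


def issue_token(subject: str, scope: str, resource: str, ttl: int = 3600, now=None) -> str:
    """Authorization server side: bind the token to the requested resource by
    placing the canonical URI in the `aud` claim, then sign the payload."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": canonical_resource(resource),
        "scope": scope,
        "iat": now,
        "exp": now + ttl,
    }
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def validate_token(token: str, this_server: str, now=None):
    """MCP server side: check signature, expiry and that `aud` names this
    server. Returns (claims, None) on success or (None, error) with an
    OAuth-style error object whose description explains the refusal."""
    now = int(time.time()) if now is None else now
    me = canonical_resource(this_server)
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None, {"error": "invalid_token", "error_description": "malformed token"}
    expected = _b64(hmac.new(DEMO_KEY, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None, {"error": "invalid_token", "error_description": "bad signature"}
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None, {"error": "invalid_token", "error_description": "token expired"}
    aud = claims.get("aud")
    if aud != me:
        # Informative message: a client developer can see that a token minted
        # for one server was presented to another.
        return None, {
            "error": "invalid_token",
            "error_description": f"token audience {aud!r} does not match this server {me!r}",
        }
    return claims, None


class McpClient:
    """Client side: one token per MCP server, keyed by canonical resource URI."""

    def __init__(self, subject: str):
        self.subject = subject
        self._tokens: dict[str, str] = {}

    def token_for(self, resource: str, scope: str = "mcp:tools") -> str:
        key = canonical_resource(resource)
        if key not in self._tokens:
            # In production this is the authorization-code exchange that
            # authorization_url() starts; the demo AS mints the token directly.
            self._tokens[key] = issue_token(self.subject, scope, key)
        return self._tokens[key]


if __name__ == "__main__":
    client = McpClient("user-123")
    tok_a = client.token_for("https://mcp-a.example.com/mcp")
    print(validate_token(tok_a, "https://mcp-a.example.com/mcp"))  # accepted
    print(validate_token(tok_a, "https://mcp-b.example.com/mcp"))  # audience mismatch
```

The audience check is the whole point: without it, mcp-b would happily accept a token the user only ever consented to for mcp-a. The client class shows the other half of the contract, a separate cached token per canonical server URI rather than one token reused everywhere.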