[HN Gopher] OAuth's Role in MCP Security
___________________________________________________________________
OAuth's Role in MCP Security
Author : mooreds
Score : 29 points
Date : 2025-04-20 14:47 UTC (8 hours ago)
(HTM) web link (defensiblesystems.substack.com)
(TXT) w3m dump (defensiblesystems.substack.com)
| gsibble wrote:
| I don't think this is a great article. MCP is inherently designed
| so integrating something like OAuth is going to be very
| difficult. What callback url are you going to use? How are you
| going to pass the token in so it isn't stored by the LLM
| provider? Etc.
| boleary-gl wrote:
| You're not wrong but also this does raise a central question
| that I think is super un-considered in this whole MCP thing:
| how are we handling identity in those contexts.
|
| If anything we should be more concerned so it that because of
| the power that it can hand over to agents.
| adamm255 wrote:
| Totally. Still getting my head around this write up but it
| goes into a lot of detail.
| https://aaronparecki.com/2025/04/03/15/oauth-for-model-
| conte...
| spacebanana7 wrote:
| I feel the authorisation layer really needs to sit with the MCP
| server.
|
| Ultimately the LLM provider's servers can't be prevented from
| using a token however they want.
| mdaniel wrote:
| > What callback url are you going to use?
|
| There is actually a dedicated redirect_uri URN for fixing that:
| "urn:ietf:wg:oauth:2.0:oob" or, if the service is modern
| enough, RFC 8252 offers custom scheme support
| https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
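The RFC 8252 custom-scheme redirect mdaniel points to, carried through as an added example (not code from the thread or from any MCP project): a native MCP client builds an authorization-code request with PKCE (RFC 7636), then checks the redirect target and the state value on the callback before it exchanges the code. AUTH_ENDPOINT, CLIENT_ID and the com.example.mcpclient scheme are assumed placeholders.

```python
# Added example, not from the thread: OAuth 2.0 authorization code + PKCE
# for a native MCP client using an RFC 8252 section 7.1 custom-scheme
# redirect_uri, with the callback validated before the code is exchanged.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://auth.example/authorize"        # placeholder
CLIENT_ID = "mcp-client-example"                        # placeholder
REDIRECT_URI = "com.example.mcpclient:/oauth2redirect"  # placeholder custom scheme

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def pkce_challenge(verifier: str) -> str:
    # S256: the server recomputes this from code_verifier at token time,
    # so a code seen by a third party is useless without the verifier.
    return _b64url(hashlib.sha256(verifier.encode()).digest())

def build_auth_request(scope: str = "mcp:read") -> dict:
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636 bounds
    state = _b64url(secrets.token_bytes(16))     # binds the callback to this request
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return {"url": f"{AUTH_ENDPOINT}?{urlencode(params)}", "params": params,
            "verifier": verifier, "state": state}

def parse_callback(callback_url: str, pending: dict) -> dict:
    # Validate the custom-scheme callback; return the token request body.
    u = urlparse(callback_url)
    if f"{u.scheme}:{u.path}" != REDIRECT_URI:
        raise ValueError("callback did not arrive on the registered redirect_uri")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    # Constant-time state check: a mismatch means this callback was not
    # produced by the request we started (CSRF or an injected callback).
    if not secrets.compare_digest(q.get("state", "").encode(), pending["state"].encode()):
        raise ValueError("state mismatch")
    if not q.get("code"):
        raise ValueError("no authorization code in callback")
    return {"grant_type": "authorization_code", "code": q["code"],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": pending["verifier"]}
```

The token request body is then sent to the token endpoint; the verifier never leaves the client until that step, and never passes through the LLM provider.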
___________________________________________________________________