I don’t think this is a great article. MCP is inherently designed so integrating something like OAuth is going to be very difficult. What callback URL are you going to use? How are you going to pass the token in so it isn’t stored by the LLM provider? Etc.
boleary-gl•3h ago
You’re not wrong, but this also raises a central question that I think is super unconsidered in this whole MCP thing: how are we handling identity in those contexts?
If anything we should be more concerned about it, because of the power that it can hand over to agents.
spacebanana7•2h ago
I feel the authorisation layer really needs to sit with the MCP server.
Ultimately the LLM provider’s servers can’t be prevented from using a token however they want.
gsibble•3h ago
mdaniel•1h ago
There is actually a dedicated redirect_uri URN for fixing that: "urn:ietf:wg:oauth:2.0:oob" or, if the service is modern enough, RFC 8252 offers custom scheme support https://datatracker.ietf.org/doc/html/rfc8252#section-7.1
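To make the RFC 8252 option concrete, here is an added example (not code from the thread or from any MCP implementation) of the client side of an authorization-code flow for a native/local client: a private-use URI scheme redirect per RFC 8252 section 7.1, plus the PKCE (RFC 7636) verifier/challenge pair that RFC 8252 section 8.1 requires for native apps. The authorization endpoint, client ID, scope and the reverse-domain scheme `com.example.mcpclient` are assumptions chosen for illustration. The sample redirect URI at the bottom is constructed, not captured. `verify_pkce` shows the check the authorization server performs at the token endpoint, so the same code-verifier logic can be exercised end to end offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed values for illustration; not taken from any real deployment.
AUTHZ_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "mcp-client-example"
SCOPE = "tools:read"
# RFC 8252 section 7.1: a private-use scheme in reverse-domain form,
# with a single slash after the scheme (no authority component).
REDIRECT_URI = "com.example.mcpclient:/oauth2redirect"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method.

    32 random bytes -> 43 base64url chars, inside the 43..128 range
    RFC 7636 section 4.1 allows for the verifier.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, code_challenge: str) -> bool:
    """Server-side check at the token endpoint (RFC 7636 section 4.6)."""
    expected = _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, code_challenge)


def new_state() -> str:
    """Unguessable state value, bound to this authorization request."""
    return _b64url(secrets.token_bytes(16))


def build_authorization_request(state: str, code_challenge: str) -> str:
    """Authorization request URL the client hands to the system browser."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_redirect(uri: str, expected_state: str) -> str:
    """Handle the URI the OS delivers to the app for our custom scheme.

    Returns the authorization code, or raises ValueError if the scheme or
    path is not ours, the state does not match, or the server sent an error.
    """
    parts = urlsplit(uri)
    want = urlsplit(REDIRECT_URI)
    if parts.scheme != want.scheme or parts.path != want.path:
        raise ValueError("redirect delivered to an unexpected scheme or path")
    query = parse_qs(parts.query, keep_blank_values=True)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; possible CSRF or replayed redirect")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in redirect")
    return code


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = new_state()
    print("open in browser:", build_authorization_request(state, challenge))
    # Constructed sample of what the OS would hand back to the app.
    sample = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = parse_redirect(sample, state)
    print("code:", code, "pkce ok:", verify_pkce(verifier, challenge))
```

The code and verifier would then go to the token endpoint over HTTPS; the resulting access token stays in the local client's own storage and is presented by the client to the MCP server, which is the part of the flow the comments above worry about.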