Ch 8: Security, Authorization & OAuth

Ch 8 — Security & OAuth Under the Hood

Server metadata discovery, PKCE flow, token lifecycle, roots, DNS rebinding protection

Index ← High Level

Under the Hood

Click play or press Space to begin...

Step- / 10

AServer Metadata DiscoveryHow the client finds the OAuth endpoints

error

401 ResponseServer rejects
unauthenticated request

discover

travel_explore

Metadata URL.well-known/oauth-
authorization-server

returns

description

Endpointsauthorize, token,
registration URLs

arrow_downward PKCE: Proof Key for Code Exchange

BPKCE FlowPreventing authorization code interception

key

code_verifierClient generates
random secret

hash

tag

code_challengeSHA-256 hash
sent with auth request

verify

verified

Token ExchangeVerifier proves
client identity

arrow_downward Dynamic client registration

CDynamic Client RegistrationMCP clients register themselves automatically

app_registration

RegisterClient sends
metadata to server

gets

badge

client_idServer assigns
unique identifier

uses

Auth Flowclient_id used in
OAuth requests

arrow_downward Token lifecycle: access, refresh, expiry

DToken LifecycleAccess tokens, refresh tokens, and expiry handling

token

Access TokenShort-lived
Bearer token

expires

refresh

Refresh TokenLong-lived token
to get new access

Re-authenticateFull OAuth flow
again if needed

arrow_downward Roots: limiting server filesystem access

ERootsTelling servers which directories they can access

folder

roots/listClient tells server
allowed directories

limits

dns

Server ScopeServer should only
access these paths

arrow_downward Transport-level protections

FTransport SecurityHTTPS, DNS rebinding, Origin validation

https

HTTPS / TLSEncrypted transport
for remote servers

dns

DNS RebindingValidate Origin
and Host headers

verified_user

CORSRestrict which
origins can connect