Question: Is the MCP server compatible with OAuth 2.1 as per MCP spec? #25
Description
Hi there — thanks for the great project!
I’m exploring using paper-search-mcp as a protected Model Context Protocol (MCP) server (i.e. requiring authorization) under the specification of MCP’s Authorization / Protected Resource model. In particular, I refer to the draft spec:
“A protected MCP server acts as an OAuth 2.1 resource server …”
And the specification text here:
https://modelcontextprotocol.io/specification/draft/basic/authorization
What I’d like to know / my questions
- Is paper-search-mcp intended to or currently able to serve as a protected MCP server (i.e. requiring OAuth tokens) in compliance with the MCP spec?
- More specifically, does it support (or have plans to support) the following features from the spec:
  - Publication of Protected Resource Metadata (RFC 9728) so that MCP clients can discover authorization server endpoints.
  - Validation of incoming access tokens as an OAuth 2.1 resource server, including checking audience, expiry, scopes, etc.
  - Support for the `resource` parameter (RFC 8707) in token requests, as required by the spec to bind tokens to the MCP server.
  - Use of the `Authorization: Bearer <token>` header (rather than query parameters) for requests.
  - 401 / 403 error codes for unauthorized/insufficient scope requests, per the spec.
  - Any additional constraints or deviations from the spec as currently implemented.
- If the support is not yet implemented, are there roadmaps or architectural constraints that would block implementing this “protected mode”?
Thanks again for your work — I look forward to your feedback. 🙏
Best,
François
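
The resource-server checks listed in the question, sketched as an added example (not code from paper-search-mcp or from the MCP specification). The URLs, the `papers:search` scope and the `verify_token` callable are assumptions; signature verification or introspection is delegated to that callable.

```python
import time

# Assumed values for illustration; not taken from paper-search-mcp.
RESOURCE = "https://mcp.example.com/mcp"
ISSUER = "https://auth.example.com"
METADATA_URL = "https://mcp.example.com/.well-known/oauth-protected-resource"

def protected_resource_metadata():
    """RFC 9728 document that lets clients discover the authorization server."""
    return {
        "resource": RESOURCE,
        "authorization_servers": [ISSUER],
        "scopes_supported": ["papers:search"],
        "bearer_methods_supported": ["header"],
    }

def challenge(status, error=None):
    """Build the status and WWW-Authenticate header for a rejected request."""
    value = f'Bearer resource_metadata="{METADATA_URL}"'
    if error:
        value += f', error="{error}"'
    return status, {"WWW-Authenticate": value}

def authorize(headers, verify_token, required_scope, now=None):
    """Return (status, response_headers) for one request.

    verify_token is a hypothetical callable that checks the signature (or
    introspects the token) and returns its claims, or None if it is invalid.
    Only the Authorization header is read; query-string tokens are never used.
    """
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return challenge(401)
    claims = verify_token(token.strip())
    if claims is None or claims.get("iss") != ISSUER:
        return challenge(401, "invalid_token")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RESOURCE not in audiences:  # token was issued for another resource
        return challenge(401, "invalid_token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return challenge(401, "invalid_token")
    if required_scope not in str(claims.get("scope", "")).split():
        return challenge(403, "insufficient_scope")
    return 200, {}
```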