mcp

https://modelcontextprotocol.io/docs/learn/architecture

core components

application 中manage多个mcp client

每个mcp client连接对应的mcp server

authorization

https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization

强制 oauth2.1

要求 dynamic client registration (rfc7591)，mcp client动态获取client id & client credential

mcp server 即 resource server，通过well-known url声明自身能力

Authorization Flow Steps

mcp client <-> mcp server : 获取 mcp server 的 metadata

mcp client: 从 metadata 解析出 authorization server

mcp client <-> authorization server: 请求实施注册，获得client credentials

mcp client -> browser : 构造PKCE请求（含code verifier），拉起browser

browser <-> authorization server: 用户登录并获得authorization code

browser -> mcp client: authorization code

mcp client -> authorization server: 以authorization code + code challenge请求对应resource的access token

authorization server: 颁发对应access token

mcp client -> mcp server: 以access token请求对应resource

bcp

Confused Deputy Problem: mcp proxy使用static client ID，无dynamic registration，browser侧不做user人工确认，攻击者(evil client)可能构造恶意redirect URI，欺骗用户点击登录并授权，最终获取用户的access token。

分析

proxy场景需要强信任。

直连场景主要依赖oauth2.1。