Is MCP a Security Nightmare?: A Look into MCP Authorization with OAuth2(cefboud.com)
cefboud.com
Is MCP a Security Nightmare?: A Look into MCP Authorization with OAuth2
https://cefboud.com/posts/mcp-oauth2-security-authorization/
https://cefboud.com/posts/mcp-oauth2-security-authorization/
A few nits:
- scopes are often set up at the administrative level, but approved by the user. In general, a client should only ask for the scopes they need at the time of authorization, and step up/step down over time
- other than with a bit of hand waving, the author doesn't talk about the security risks of MCP servers. I was hoping to hear more about that.
- a key part of security for MCP servers is what happens between the MCP server and the data/functionality/APIs it is protecting. I have found articles about this to be sorely lacking, probably because it is bespoke to each MCP server. I expect the provided to MCP is not passed through, but then what is? And how is that authorization managed.