Tracking issue for the MCP Spec 2026-07-28 release — Authorization hardening milestone.
Most of this milestone overlaps with the existing client-OAuth backlog (#315–#326). New SEP-specific work concentrates on issuer validation, AS-binding semantics, server-side scope emission, and OIDC offline_access handling.
SEPs covered
| SEP |
Title |
Spec PR |
Coverage |
| SEP-2468 |
Recommend iss Parameter (RFC 9207) |
#2468 |
New issue |
| SEP-2352 |
Authorization Server binding and migration |
#2352 |
New issue |
| SEP-2351 |
RFC 8414 well-known URI suffix |
#2351 |
Covered by #318 |
| SEP-2350 |
Client-side scope accumulation in step-up |
#2350 |
Client covered by #322; new server-side issue |
| SEP-2207 |
OIDC-flavored refresh token guidance |
#2207 |
New issues (client + server) |
| SEP-837 |
OIDC application_type during DCR |
#837 |
Covered by #320 + #321 |
Sub-issues
Existing issues to annotate with SEP refs
Notes
Tracking issue for the MCP Spec 2026-07-28 release — Authorization hardening milestone.
Most of this milestone overlaps with the existing client-OAuth backlog (#315–#326). New SEP-specific work concentrates on issuer validation, AS-binding semantics, server-side scope emission, and OIDC
offline_accesshandling.SEPs covered
issParameter (RFC 9207)application_typeduring DCRSub-issues
issparameter in authorization response (client)insufficient_scope403 responses (server)offline_accessagainst OIDC-flavored AS (client)offline_accessis not advertised as required (server)Existing issues to annotate with SEP refs
Notes
WWW-Authenticateaudits only.