Skip to content

Implement SEP-990 Enterprise Managed OAuth #1328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
sagar-okta wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Implement SEP-990 Enterprise Managed OAuth #1328

sagar-okta wants to merge 6 commits into from
+1,752 −1

Conversation

@sagar-okta
Copy link

@sagar-okta sagar-okta commented Dec 20, 2025
edited
Loading

This PR implements SEP-990 which adds support for Enterprise Managed OAuth using RFC 8693 Token Exchange and RFC 7523 JWT Bearer flows. This enables secure machine-to-machine authentication for MCP clients in enterprise environments without requiring user interaction.

Related: #1090

Motivation and Context

Enterprise environments often require more secure OAuth flows that don't involve user interaction for machine-to-machine communication. SEP-990 addresses this by implementing:

Token Exchange (RFC 8693): Allows exchanging an ID token from an enterprise IDP for an authorization grant
JWT Bearer Grant (RFC 7523): Enables exchanging the authorization grant for an access token to access MCP resources
This change is needed to support enterprise customers who need to integrate MCP clients into their existing OAuth infrastructure securely.

How Has This Been Tested?

Added comprehensive unit tests in xaa-util.test.ts (994 new test cases) covering:
Successful token exchange flows
Authorization grant request failures (400, 401, 500 errors)
Access token exchange failures
OAuth error handling (invalid_request, invalid_client, invalid_grant, etc.)
Edge cases and validation (empty responses, malformed JSON, special characters encoding)
Token type validation
Request body encoding
Added middleware tests in middleware.test.ts (55 additional test cases)
Added documentation in client.md

Breaking Changes

No breaking changes - This is an additive feature that introduces new functionality without modifying existing APIs.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Implementation Details:

New utility module xaa-util.ts (593 lines) implementing the core token exchange logic
New middleware functions in middleware.ts for integrating XAA into the auth flow
Added qs dependency for proper URL encoding of OAuth request parameters
Comprehensive error handling for various OAuth error responses
Support for OAuth metadata discovery for both IDP and MCP authorization servers

@sagar-okta sagar-okta requested a review from a team as a code owner December 20, 2025 12:40
@changeset-bot
Copy link

changeset-bot bot commented Dec 20, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: bb49eac

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Dec 20, 2025
edited
Loading

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1328

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1328

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@1328

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@1328

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@1328

commit: bb49eac

@pcarleton pcarleton mentioned this pull request Jan 14, 2026
Open
9 tasks
@pcarleton
Copy link
Member

pcarleton commented Jan 14, 2026

Hi @sagar-okta, I owe you a review on this but won't be able to get to it until Jan 23rd while I wrap up conformance tests for SDK tiering.

To make progress in the meantime, a conformance test for this feature would be really helpful to ensure the implementations are compatible across SDKs.

Cross-linking: modelcontextprotocol/python-sdk#1721

Thanks for your patience!

@sagar-okta sagar-okta mentioned this pull request Jan 21, 2026
Draft
9 tasks
@sagar-okta sagar-okta force-pushed the feature/sep-990-enterprise-oauth branch from 82931fd to a783bde Compare January 21, 2026 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sagar-okta @pcarleton