Implement SEP-990: Enterprise Managed Authorization (Extension) #531

@felixweinberger

This is a tracking issue for implementation of SEP-990.

Summary

This extension enables secure authorization of MCP clients within enterprise environments by leveraging existing enterprise Identity Provider (IdP) infrastructure. The Rust SDK needs to implement client-side OAuth flows including OpenID Connect/SAML integration, RFC8693 Token Exchange to obtain Identity Assertion JWT Authorization Grants (ID-JAG), and RFC7523 JWT Bearer Grant flows. Server-side implementations need JWT validation including signature verification, claims validation, and replay prevention. This extension provides seamless single sign-on for users while enabling enterprise administrators to control which MCP servers can be accessed and enforce policies through existing IdP infrastructure.

Related Issues & PRs

  • Implementation PRs: n/a
  • Related PRs: n/a
  • Related Issues: n/a
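
The server-side claims validation and replay prevention named in the summary, as an added example; it is not code from the Rust SDK or from SEP-990. It assumes the JWT signature has already been verified, treats `jti` as required, and uses hypothetical names (`Claims`, `Reject`, `Validator`) with constructed sample values.

```rust
use std::collections::HashMap;

/// Claims from an assertion whose signature was ALREADY verified (out of scope here).
pub struct Claims { pub iss: String, pub sub: String, pub aud: String, pub exp: u64, pub jti: String }

#[derive(Debug, PartialEq)]
pub enum Reject { UntrustedIssuer, WrongAudience, MissingClaim, Expired, Replayed }

/// Hypothetical validator (not an SDK type): one trusted IdP, one audience, a seen-jti cache.
pub struct Validator { trusted_iss: String, own_aud: String, skew: u64, seen: HashMap<String, u64> }

impl Validator {
    pub fn new(trusted_iss: &str, own_aud: &str, skew: u64) -> Self {
        Validator { trusted_iss: trusted_iss.into(), own_aud: own_aud.into(), skew, seen: HashMap::new() }
    }

    /// `now` and `exp` are seconds since the Unix epoch; `skew` is the allowed clock drift.
    pub fn check(&mut self, c: &Claims, now: u64) -> Result<(), Reject> {
        if c.iss != self.trusted_iss { return Err(Reject::UntrustedIssuer); }
        if c.aud != self.own_aud { return Err(Reject::WrongAudience); }
        if c.sub.is_empty() || c.jti.is_empty() { return Err(Reject::MissingClaim); }
        if c.exp.saturating_add(self.skew) <= now { return Err(Reject::Expired); }
        // Drop entries that can no longer pass the expiry check, so the cache stays bounded.
        let skew = self.skew;
        self.seen.retain(|_, exp| exp.saturating_add(skew) > now);
        // Record the jti only after every other check passed; a second use is a replay.
        if self.seen.contains_key(&c.jti) { return Err(Reject::Replayed); }
        self.seen.insert(c.jti.clone(), c.exp);
        Ok(())
    }
}

fn main() {
    // Constructed sample values.
    let mut v = Validator::new("https://idp.example", "https://mcp.example", 30);
    let c = Claims { iss: "https://idp.example".into(), sub: "alice".into(),
                     aud: "https://mcp.example".into(), exp: 1_000, jti: "jti-1".into() };
    println!("first use:  {:?}", v.check(&c, 900));
    println!("second use: {:?}", v.check(&c, 901));
}
```

A rejected assertion never enters the cache, and an entry is kept only until its own expiry plus skew, after which the expiry check rejects the token anyway.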

Labels

  • P2 (Medium: important but non-blocking improvement)
  • T-security (Security-related changes)
  • enhancement (New feature or request)