Aaron Parecki

The latest version of the MCP spec is now officially 2025-06-18! Congrats to everyone in the MCP community involved in making this happen!

Key updates to the authorization section:

⚙️ MCP Servers are no longer responsible for issuing access tokens or handling user authentication
🛡️ A dedicated Authorization Server separate from the MCP Server handles user authentication and issuing access tokens
🔍 RFC9728 Protected Resource Metadata enables the MCP client to dynamically discover the MCP Server's authorization server
👉 RFC8707 Resource Indicators are required as a security measure

Thanks to everyone who contributed to the many discussions to update the authorization part of the spec to be more compatible with existing OAuth systems!

David Soria Parra, Paul Carleton, Den Delimarsky, Nate Barbettini, William Dawson, Jared Hanson, Karl McGuinness, Darin McAdams, Jean-François LOMBARDO and apologies if I forgot to mention you, those threads were extremely long!

#modelcontextprotocol #mcp #oauth #ai

In two weeks I'll be speaking at the MCP Dev Summit in San Francisco! It's going to be a great day packed with back to back sessions.

In less than a year, the MCP project has quickly reshaped how developers are building AI agents. My talk, "Intro to OAuth for MCP Servers", will cover the basics of the new MCP authorization protocol and set the stage for building secure MCP servers.

https://mcpdevsummit.ai/#agenda

Is it just me or does this current Model Context Protocol wave remind anyone of the early Web 2.0 days of everyone launching open APIs?

In case you missed it, our IPSIE webinar recording is now available! I had a great time chatting with Dean H. Saxe, George Fletcher, Gail Hodges, and Jeff Reich about what IPSIE is, why profiling existing specifications is so important, and the progress the working group has made so far! Thanks for the great conversation!

IPSIE:
Interoperability
Profile for
Secure
Identity in the
Enterprise

https://www.brighttalk.com/webcast/18458/636068

Chase sends 8-digit 2fa SMS codes, which seems excessive compared to the 6 that most other places use, but even weirder is that the first digit of them has always been the same, effectively making it a 7 digit code. Anyone know what's up with that?

At long last, the OAuth working group has finished the Best Current Practice for OAuth 2.0 Security and it was just published as RFC9700! This has been a long time in the works, and I'm very thankful to everyone who has helped out with it over the years!

https://www.rfc-editor.org/rfc/rfc9700.html

This is one of the major inputs to OAuth 2.1, so I'm also very excited to be able to move that forward this year as well!

Congrats to BlueSky for launching OAuth support for apps! 🙌 https://docs.bsky.app/blog/oauth-atproto

Someone broke through the chain link fence last week, in broad daylight, while I was home, and didn't notice at the time.

I started thinking about what I could do about it, and it turns out the EA Unifi cameras have a new webhook feature. So now my cameras send a webhook to Home Assistant when someone crosses a virtual line, and it will trigger the siren. Since this is a line crossing event, not generic person detection, I can leave it armed 24/7, since nobody should be in that area at all.