
Require CSRF token as part of the OAuth authorization flow. #435

Merged: jokemanfire merged 3 commits into modelcontextprotocol:main from warpdotdev:vorporeal/require-csrf-token-in-authorization-flow on Sep 12, 2025

Conversation

@vorporeal (Contributor) commented Sep 11, 2025

Motivation and Context

The current logic discards the CSRF token that is generated as part of the OAuth authorization flow, instead of retaining it and verifying that the same token was provided back to the client by the authorization server.

This is an important step in OAuth to avoid CSRF attacks, and it is to the benefit of users of this library for it to require users to provide the token (ensuring that it gets validated).

How Has This Been Tested?

I discovered this issue while integrating OAuth support, and decided it made more sense to make a change on the rmcp side instead of adding logic in our application to extract the state param from the authorization URL, and doing the equality check ourselves.

Breaking Changes

Yes, users who support OAuth will need to modify their code to pass through the CSRF token when completing the authorization flow.

I assert this is a good thing, as it improves their security posture.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context
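The check the description asks for, as an added Rust example that is not rmcp's code: the client retains the CSRF token it generated and refuses to complete the flow unless the `state` returned by the authorization server equals it. The names `PendingAuth` and `ct_eq` and the authorization-server URL are assumptions; the token is passed in rather than drawn from a CSPRNG so the example stays deterministic.

```rust
// Added example, not rmcp's code: the state check an OAuth client must perform.
use std::collections::HashMap;

/// Pending authorization. The client-generated CSRF token is kept until the
/// redirect comes back so the returned `state` can be compared against it.
pub struct PendingAuth {
    csrf_token: String,
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    StateMismatch,
    MissingParam(&'static str),
}

impl PendingAuth {
    /// Start the flow: bind the token into the authorization URL and retain it.
    /// A real client draws the token from a CSPRNG; it is a parameter here so
    /// the example stays deterministic. The URL is a placeholder.
    pub fn start(csrf_token: &str) -> (Self, String) {
        let url = format!(
            "https://as.example/authorize?response_type=code&client_id=demo&state={}",
            csrf_token
        );
        (PendingAuth { csrf_token: csrf_token.to_string() }, url)
    }

    /// Complete the flow from the redirect's query string. The authorization
    /// code is released only if `state` equals the retained token; discarding
    /// the token (the bug this PR fixes) would make this check impossible.
    pub fn complete(&self, redirect_query: &str) -> Result<String, AuthError> {
        let params: HashMap<&str, &str> = redirect_query
            .split('&')
            .filter_map(|kv| kv.split_once('='))
            .collect();
        let state = params.get("state").ok_or(AuthError::MissingParam("state"))?;
        let code = params.get("code").ok_or(AuthError::MissingParam("code"))?;
        if !ct_eq(state.as_bytes(), self.csrf_token.as_bytes()) {
            return Err(AuthError::StateMismatch);
        }
        Ok(code.to_string())
    }
}

/// Constant-time byte comparison so the verdict does not leak through timing.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}
```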

github-actions bot added labels T-core (Core library changes), T-examples (Example code changes) and T-transport (Transport layer changes) on Sep 11, 2025
github-actions bot added label T-documentation (Documentation improvements) on Sep 11, 2025
@jokemanfire (Member) commented:

Thanks!

@jokemanfire jokemanfire merged commit 271cf0b into modelcontextprotocol:main Sep 12, 2025
10 of 11 checks passed
@github-actions github-actions Bot mentioned this pull request Sep 12, 2025
@jamadeo jamadeo mentioned this pull request Sep 24, 2025
takumi-earth pushed a commit to earthlings-dev/rmcp that referenced this pull request Jan 27, 2026
…w. (modelcontextprotocol#435)

* Require CSRF token as part of the authorization flow.

* Update auth example.

* Update docs/OAUTH_SUPPORT.md.