Improve MCP Auth docs

[ayshsandu]

Purpose

Restructure and improve MCP Auth docs

Summary by CodeRabbit

• Documentation
  • Replaced brief intro with a comprehensive MCP Authorization guide and specification reference
  • Added an Architecture mapping between MCP and IAM concepts and a detailed role table
  • Expanded server, client, and agent registration/setup workflows with attribution and auditing guidance
  • Described three auth patterns (user-delegation/OBO, M2M, delegated agent) with token flows
  • Broadened supported specs (OAuth 2.1, OIDC variants, PAR) and added “What’s Next?” quick-start links

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Expands the MCP documentation into a full MCP Authorization guide: adds an MCP Authorization Specification reference, architecture mapping to IAM concepts, server/client/agent registration and permission configuration steps, three authentication/authorization flow patterns (user delegation/OBO, M2M, delegated agent), supported specs, and “What’s Next?” quick-start links.

Changes

Cohort / File(s)

Summary

MCP Authorization Documentation en/includes/guides/agentic-ai/mcp/index.md

Replaces minimal intro with a comprehensive MCP Authorization guide: adds Authorization Specification reference and architecture mapping to IAM concepts; guidance for registering MCP servers, clients, and agents; permission/configuration steps; three authn/authz flow patterns (A: user delegation/OBO, B: M2M, C: delegated agent) with token issuance/exchange/invocation details; agent identity attribution and auditing notes; supported specs (OAuth 2.1, OIDC variants, PAR); and “What’s Next?” quick-start links.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant User as "User"
  participant Agent as "Agent"
  participant Client as "MCP Client"
  participant Authz as "Authorization Server"
  participant Resource as "Resource / MCP Host"
  Note right of User: Flow A — User delegation / OBO
  User->>Agent: Initiate action
  Agent->>Client: Request on-behalf-of (OBO)
  Client->>Authz: Exchange user token / request access token (OBO)
  Authz-->>Client: Issue access token (with user delegation)
  Client->>Resource: Invoke MCP API with token
  Resource-->>Client: Response

Loading

sequenceDiagram
  autonumber
  participant Client as "MCP Client"
  participant Authz as "Authorization Server"
  participant Resource as "Resource / MCP Host"
  Note right of Client: Flow B — Machine-to-Machine (M2M)
  Client->>Authz: Client credentials / PAR (if used)
  Authz-->>Client: Access token
  Client->>Resource: Invoke MCP API with client token
  Resource-->>Client: Response

Loading

sequenceDiagram
  autonumber
  participant User as "User"
  participant Agent as "Agent (delegated)"
  participant Client as "MCP Client"
  participant Authz as "Authorization Server"
  participant Resource as "Resource / MCP Host"
  Note right of Agent: Flow C — Delegated Agent
  User->>Agent: Delegate authority / consent
  Agent->>Authz: Acquire agent identity token (or exchange)
  Authz-->>Agent: Agent token (with attribution)
  Agent->>Client: Call MCP Client (or act directly)
  Client->>Resource: Invoke MCP API (token includes agent + user context)
  Resource-->>Client: Response

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped through specs with a curious cheer,
I stitched tokens and mappings, kept the paths clear,
Servers, clients, agents now waltz in the light,
Tokens traded, logs aligned — everything's right,
A little rabbit's grin for docs polished bright.

🚥 Pre-merge checks | ✅ 1 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete and missing several required sections from the template including 'Related PRs', 'Test environment', and 'Security checks'.	Complete the description template by adding 'Related PRs', 'Test environment', and 'Security checks' sections. For documentation changes, indicate testing environment or confirmation that security-sensitive content was reviewed.
Merge Conflict Detection	⚠️ Warning	❌ Merge conflicts detected (10 files): ⚔️ en/asgardeo/docs/apis/organization-apis/restapis/application.yaml (content) ⚔️ en/asgardeo/docs/apis/organization-apis/restapis/org-application-mgt.yaml (content) ⚔️ en/asgardeo/docs/apis/restapis/application-management.yaml (content) ⚔️ en/identity-server/next/docs/apis/organization-apis/restapis/application.yaml (content) ⚔️ en/identity-server/next/docs/apis/organization-apis/restapis/org-application-mgt.yaml (content) ⚔️ en/identity-server/next/docs/apis/restapis/application.yaml (content) ⚔️ en/identity-server/next/docs/apis/restapis/configs.yaml (content) ⚔️ en/includes/guides/agentic-ai/mcp/index.md (content) ⚔️ en/includes/guides/authorization/rich-authorization-requests.md (content) ⚔️ en/includes/guides/fragments/manage-app/oidc-settings/access-token.md (content) These conflicts must be resolved before merging into master.	Resolve conflicts locally and push changes to this branch.
Title check	❓ Inconclusive	The title 'Improve MCP Auth docs' is vague and generic, using non-specific language that doesn't clearly convey the substantive nature of the documentation restructuring.	Use a more specific title that reflects the key changes, such as 'Add comprehensive MCP authorization flows and specification documentation' or 'Restructure MCP auth docs with flows and permissions guidance'.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@en/includes/guides/agentic-ai/mcp/index.md`:
- Around line 109-111: Update the product casing in the link text "MCP Server
Quick Start - Typescript" to use the correct branding "TypeScript"; locate the
link label in the MCP guide content (the string "MCP Server Quick Start -
Typescript") and change it to "MCP Server Quick Start - TypeScript" so the
rendered link displays the proper casing.
- Around line 92-93: The note in the MCP guide contains inconsistent template
variable spacing: replace the inline occurrence of "{{product_name}}" in the
note text with the project's standard "{{ product_name }}" formatting so it
matches other occurrences in the document (search for the string
"{{product_name}}" and update it to "{{ product_name }}").
- Around line 101-103: Update the text for the "OpenID Connect Core 1.0" line:
replace the awkward phrase "Verifies the identity of users and agents
interactions." with a grammatically correct version such as "Verifies the
identity of users and agents in interactions." so the entry for OpenID Connect
Core 1.0 reads clearly about verifying user and agent identities during
interactions.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix inconsistent template variable spacing.

Line 93 uses {{product_name}}, while the rest of the doc uses {{ product_name }}. Use a consistent template style to avoid rendering or style inconsistencies.

📝 Suggested fix

-    While the MCP Authorization specification doesn't currently mandate identifying the MCP Host (agent) with its own credentials and permissions, this is a crucial {{product_name}} implementation. It enables secure, auditable agentic systems for autonomous agents by providing clear attribution, better permission management, clear auditability, and enhanced security.
+    While the MCP Authorization specification doesn't currently mandate identifying the MCP Host (agent) with its own credentials and permissions, this is a crucial {{ product_name }} implementation. It enables secure, auditable agentic systems for autonomous agents by providing clear attribution, better permission management, clear auditability, and enhanced security.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	!!! note
	While the MCP Authorization specification doesn't currently mandate identifying the MCP Host (agent) with its own credentials and permissions, this is a crucial {{product_name}} implementation. It enables secure, auditable agentic systems for autonomous agents by providing clear attribution, better permission management, clear auditability, and enhanced security.
	!!! note
	While the MCP Authorization specification doesn't currently mandate identifying the MCP Host (agent) with its own credentials and permissions, this is a crucial {{ product_name }} implementation. It enables secure, auditable agentic systems for autonomous agents by providing clear attribution, better permission management, clear auditability, and enhanced security.

🤖 Prompt for AI Agents

In `@en/includes/guides/agentic-ai/mcp/index.md` around lines 92 - 93, The note in
the MCP guide contains inconsistent template variable spacing: replace the
inline occurrence of "{{product_name}}" in the note text with the project's
standard "{{ product_name }}" formatting so it matches other occurrences in the
document (search for the string "{{product_name}}" and update it to "{{
product_name }}").

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@en/includes/guides/agentic-ai/mcp/index.md`:
- Around line 110-111: Remove the stray trailing comma from the "What’s Next?"
lead-in by editing the sentence "Get hands-on with MCP server authorization," to
end with a period (or appropriate ending punctuation) instead of a comma so the
fragment reads as a complete lead-in; update the text where the phrase "Get
hands-on with MCP server authorization," appears in the document to "Get
hands-on with MCP server authorization." ensuring consistency with the
surrounding "What’s Next?" section.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Remove trailing comma in the “What’s Next?” lead-in.

The sentence ends with a comma and no continuation; tighten the punctuation.

✏️ Proposed fix

-Get hands-on with MCP server authorization, 
+Get hands-on with MCP server authorization.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	Get hands-on with MCP server authorization,
	Get hands-on with MCP server authorization.

🤖 Prompt for AI Agents

In `@en/includes/guides/agentic-ai/mcp/index.md` around lines 110 - 111, Remove
the stray trailing comma from the "What’s Next?" lead-in by editing the sentence
"Get hands-on with MCP server authorization," to end with a period (or
appropriate ending punctuation) instead of a comma so the fragment reads as a
complete lead-in; update the text where the phrase "Get hands-on with MCP server
authorization," appears in the document to "Get hands-on with MCP server
authorization." ensuring consistency with the surrounding "What’s Next?"
section.