AuthPlane’s authserver implements the subset of each standard needed for MCP authorization — not less, not more. Where a spec offers multiple approaches (token formats, client auth methods), it picks the secure-by-default option and documents deviations explicitly. Every deviation is tied to an ADR (Architecture Decision Record) so you can trace the reasoning.
Full discovery flow (PRM → AS metadata → DCR → authorize → token), CIMD support, resource indicators. Tested against Claude Code, Claude Desktop, and MCP Inspector.
PRM is the resource server’s contract, so it is served by the MCP server’s process via the AuthPlane Go, Python, and TypeScript SDKs at the path-scoped /.well-known/oauth-protected-resource/<mcp-path>. The AS itself is not a protected resource; its discovery surface is RFC 8414.
Authorization code grant with PKCE enforcement; scope validation against registered scopes; client authentication methods none, client_secret_basic, and client_secret_post; error responses per RFC 6749 §5.2. Client credentials grant for machine-to-machine tokens (confidential clients only, client_credentials.enabled, off by default).
The resource parameter binds tokens to a specific resource server; access tokens carry it as the aud claim. Matching is exact string comparison, so trailing slashes matter: a token issued for https://mcp.example.com/mcp is not accepted by https://mcp.example.com/mcp/, and vice versa. No prefix or wildcard matching.
PKCE required, exact redirect URI matching, refresh token rotation, no implicit grant.
Documented deviation (ADR-012): when oauth.require_scope: false, an authorize request with no scope parameter is granted all scopes registered for the resource instead of being rejected. RFC 6749 §3.3 permits either a pre-defined default value or rejection and says any default SHOULD be documented; ADR-012 documents this default and the reasoning for choosing the full registered set. The option is opt-in and disabled by default; leave it off unless every registered scope is acceptable for any client that can reach the authorize endpoint.
Full metadata at /.well-known/oauth-authorization-server: issuer, all endpoint URLs, response_types_supported, grant_types_supported, token_endpoint_auth_methods_supported, code_challenge_methods_supported, scopes_supported, resource_indicators_supported, plus dpop_signing_alg_values_supported when DPoP is on.
OpenID Connect Discovery (alias + upstream): /.well-known/openid-configuration returns the same document as the RFC 8414 endpoint. AuthPlane also acts as an OIDC relying party for upstream enterprise login via /oidc/start and /oidc/callback.
When client_id is a URL, AuthPlane fetches the client metadata document from it, validates its fields, and caches it. cimd.require_https defaults to true in production, so the metadata URL must be HTTPS.
Full proof validation (typ, alg, jwk, htm, htu, iat, jti, nonce). Algorithms: ES256, RS256, PS256; alg: none and all symmetric algorithms are rejected, and a jwk header that carries private key material is rejected. JKT computed per RFC 7638; token binding via cnf.jkt; token_type: DPoP. Server-issued nonces (DPoP-Nonce header, configurable TTL) and database-backed JTI replay prevention with background purge. ath validation on resource requests. Requests that carry no DPoP proof are handled as ordinary Bearer requests; a token issued with cnf.jkt is only valid together with a proof from the bound key, so per RFC 9449 §7.1 it must be rejected when presented under the Bearer scheme.
Implemented (token_exchange.enabled, off by default). Impersonation (no actor token, sub preserved) and delegation (nested act claim per RFC 8693 §4.1, the outermost act naming the current actor and nested acts the prior ones) with correct multi-hop chain nesting. Subject tokens validated for signature, issuer, expiry, and revocation. Scope narrowing only (requested ⊆ subject scope). Configurable chain depth limit (1–10, default 5). Policy enforcement via self-exchange rules, the may_act claim, and a config allowlist. DPoP binding propagates to exchanged tokens.
Enterprise-managed authorization: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer with ID-JAG assertions (typ: oauth-id-jag+jwt) validated for signature, issuer, audience, and expiry. Trusted IdP registry with SSRF-protected JWKS discovery and caching. Policy engine evaluates IdP + client_id + scope + resource constraints; subject mapping in auto_map or strict mode; assertion JTI is single-use (replay prevention); policy scopes narrow the issued token. No deviations from RFC 7523 §2.1.
Agent identity claims (AuthPlane extension): agent_id claim (set to client_id when the issuing client has is_agent=true) and agent_chain (ordered list from the delegation act chain, capped at 8). Agents register via DCR with agent: true. Advertised as authplane_agent_identity_supported in AS metadata.
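The token exchange rules (delegation nesting, scope narrowing, chain depth, may_act and allowlist policy, DPoP propagation) and the agent identity claims, as one added example in JavaScript that serves both passages. This is illustrative code written for this page, not AuthPlane's implementation: the policy object, the token lifetime, the error codes chosen from RFC 8693 §2.2.2, and the ordering of agent_chain (current actor first) are assumptions, and the tokens are already-parsed claim sets whose signatures are assumed to have been verified before this step.

```javascript
'use strict';

// Constructed policy; names and structure are illustrative, not AuthPlane's config schema.
const DEFAULT_POLICY = {
  issuer: 'https://auth.example.com',
  maxChainDepth: 5, // the configurable 1..10 limit, default 5
  agentChainCap: 8,
  // config allowlist: client_id -> resources it may obtain exchanged tokens for (exact strings)
  allowlist: {
    'agent-orchestrator': ['https://mcp.example.com/mcp'],
    'agent-worker': ['https://mcp.example.com/mcp'],
  },
  agents: new Set(['agent-orchestrator', 'agent-worker']), // registered via DCR with agent: true
};

class ExchangeError extends Error {
  constructor(code, description) { super(description); this.code = code; }
}

const scopeSet = (s) => new Set((s || '').split(' ').filter(Boolean));
const actDepth = (act) => (act ? 1 + actDepth(act.act) : 0);
// Outermost act is the current actor, nested acts are prior actors (RFC 8693 §4.1).
const actChainSubs = (act, out = []) => (act ? actChainSubs(act.act, [...out, act.sub]) : out);

// Claim-level checks on an already-parsed payload; signature verification is assumed done earlier.
function checkToken(claims, { now, issuer, revoked }) {
  if (!claims || claims.iss !== issuer) throw new ExchangeError('invalid_grant', 'wrong issuer');
  if (!Number.isInteger(claims.exp) || claims.exp <= now) throw new ExchangeError('invalid_grant', 'expired');
  if (revoked.has(claims.jti)) throw new ExchangeError('invalid_grant', 'revoked');
  return claims;
}

function exchange({ subjectToken, actorToken, clientId, resource, scope, now, revoked = new Set(), policy = DEFAULT_POLICY }) {
  const ctx = { now, issuer: policy.issuer, revoked };
  const subject = checkToken(subjectToken, ctx);
  const actor = actorToken ? checkToken(actorToken, ctx) : null;

  // Policy: may_act on the subject token restricts who may act for it; otherwise a client may
  // exchange its own token (self-exchange) or be allowlisted for the target resource.
  if (subject.may_act && actor && subject.may_act.sub !== actor.sub)
    throw new ExchangeError('invalid_request', 'actor not permitted by may_act');
  const selfExchange = !actor && subject.client_id === clientId;
  const viaMayAct = Boolean(subject.may_act && actor && subject.may_act.sub === actor.sub);
  const allowlisted = (policy.allowlist[clientId] || []).includes(resource); // exact string match
  if (!(selfExchange || viaMayAct || allowlisted)) throw new ExchangeError('invalid_target', 'exchange not permitted for resource');

  // Scope narrowing only: the requested set must be a subset of the subject token's scope.
  const have = scopeSet(subject.scope);
  const want = scope ? scopeSet(scope) : have;
  for (const s of want) if (!have.has(s)) throw new ExchangeError('invalid_scope', `scope ${s} not in subject token`);

  const claims = {
    iss: policy.issuer, sub: subject.sub, aud: resource, client_id: clientId,
    scope: [...want].join(' '), iat: now, exp: Math.min(subject.exp, now + 600), // constructed lifetime
    jti: `ex-${now}-${Math.random().toString(36).slice(2, 10)}`,
  };
  if (actor) { // delegation: the current actor becomes the outermost act, prior chain nests inside
    claims.act = subject.act ? { sub: actor.sub, act: subject.act } : { sub: actor.sub };
    if (actDepth(claims.act) > policy.maxChainDepth) throw new ExchangeError('invalid_request', 'delegation chain too deep');
  } else if (subject.act) {
    claims.act = subject.act; // impersonation: sub preserved, existing chain carried unchanged
  }
  if (subject.cnf && subject.cnf.jkt) claims.cnf = { jkt: subject.cnf.jkt }; // DPoP binding propagates
  if (policy.agents.has(clientId)) { // agent identity extension
    claims.agent_id = clientId;
    claims.agent_chain = actChainSubs(claims.act).slice(0, policy.agentChainCap);
  }
  return {
    access_token: claims, issued_token_type: 'urn:ietf:params:oauth:token-type:access_token',
    token_type: claims.cnf ? 'DPoP' : 'Bearer', expires_in: claims.exp - now, scope: claims.scope,
  };
}
```

Two properties worth keeping when adapting this: the exchanged token's lifetime never exceeds the subject token's, and the depth check runs on the chain that would be issued, not on the incoming one, so a hop that would exceed the limit is refused rather than truncated.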
Error responses combine OAuth fields (error, error_description) with Problem Details fields (type, title, detail, status). Content-Type: application/problem+json. See the API reference for an example.
CIBA, Pushed Authorization Requests (RFC 9126), Rich Authorization Requests (RFC 9396), and the Device Authorization grant (RFC 8628) — not currently implemented.
The supported grant types are exactly: authorization_code, refresh_token, client_credentials, urn:ietf:params:oauth:grant-type:token-exchange, and urn:ietf:params:oauth:grant-type:jwt-bearer. Anything else returns unsupported_grant_type.