OAuth 2.1

The Model Context Protocol (MCP) defines how AI agents connect to external tools and data sources. When an MCP client (like Claude Desktop or a custom AI agent) needs to access a protected MCP server, it uses OAuth 2.1 — not OAuth 2.0 — as the authorization mechanism. This article explains exactly how MCP authentication works, what makes it different from traditional OAuth, and which identity providers actually support it. ...

OAuth 2.1 is an updated version of the OAuth 2.0 authorization framework that includes enhancements for security and usability. These updates address common vulnerabilities and improve the overall security posture of applications using OAuth for authorization. What is OAuth 2.1? OAuth 2.1 builds upon OAuth 2.0 by introducing new features such as Proof Key for Code Exchange (PKCE) for all public clients and Token Binding to enhance security. These changes aim to protect against authorization code interception attacks and ensure that tokens are used securely. ...

Visual Overview: sequenceDiagram participant User participant App as Client App participant AuthServer as Authorization Server participant Resource as Resource Server User->>App: 1. Click Login App->>AuthServer: 2. Authorization Request AuthServer->>User: 3. Login Page User->>AuthServer: 4. Authenticate AuthServer->>App: 5. Authorization Code App->>AuthServer: 6. Exchange Code for Token AuthServer->>App: 7. Access Token + Refresh Token App->>Resource: 8. API Request with Token Resource->>App: 9. Protected Resource OAuth 2.1 is the next major evolution of the OAuth 2.0 authorization framework. It consolidates best practices, removes insecure legacy features, and improves security and developer experience for modern applications. ...

Visual Overview: sequenceDiagram participant User participant App as Client App participant AuthServer as Authorization Server participant Resource as Resource Server User->>App: 1. Click Login App->>AuthServer: 2. Authorization Request AuthServer->>User: 3. Login Page User->>AuthServer: 4. Authenticate AuthServer->>App: 5. Authorization Code App->>AuthServer: 6. Exchange Code for Token AuthServer->>App: 7. Access Token + Refresh Token App->>Resource: 8. API Request with Token Resource->>App: 9. Protected Resource OAuth 2.1 introduces refinements to enhance the security and usability of OAuth flows, especially around refresh tokens. Understanding how refresh tokens work in OAuth 2.1, their lifecycle, and best practices is essential for developers and security architects aiming to build robust authentication systems. ...