Skip to content

feat: Add Enterprise Managed Authorization (SEP-990) support#1

Open
aniket-okta wants to merge 115 commits intomainfrom
feature/enterprise-managed-authorization
Open

feat: Add Enterprise Managed Authorization (SEP-990) support#1
aniket-okta wants to merge 115 commits intomainfrom
feature/enterprise-managed-authorization

Conversation

@aniket-okta
Copy link
Copy Markdown
Owner

@aniket-okta aniket-okta commented Dec 10, 2025
edited
Loading

Summary

Implements Enterprise Managed Authorization (SEP-990) for the C# MCP SDK, enabling MCP Clients to leverage enterprise Identity Providers for seamless authorization without per-server user authentication.

Flow

  1. SSO: User authenticates to the MCP Client via enterprise IdP (Okta, Auth0, Azure AD, etc.)
  2. Token Exchange (RFC 8693): Client exchanges ID Token for Identity Assertion JWT Authorization Grant (ID-JAG) at the IdP
  3. JWT Bearer Grant (RFC 7523): Client exchanges ID-JAG for Access Token at the MCP Server

Design

Layer 2: EnterpriseAuth static class — standalone utilities (~680 lines)

  • RequestJwtAuthorizationGrantAsync() — RFC 8693 token exchange (ID Token → ID-JAG)
  • DiscoverAndRequestJwtAuthorizationGrantAsync() — convenience wrapper with IdP discovery
  • ExchangeJwtBearerGrantAsync() — RFC 7523 JWT bearer grant (ID-JAG → Access Token)
  • DiscoverAuthServerMetadataAsync() — OAuth authorization server metadata discovery
  • Option types: RequestJwtAuthGrantOptions, DiscoverAndRequestJwtAuthGrantOptions, ExchangeJwtBearerGrantOptions
  • Response types: JagTokenExchangeResponse, JwtBearerAccessTokenResponse, OAuthErrorResponse

Layer 3: EnterpriseAuthProvider — high-level provider with caching (~230 lines)

  • Assertion callback pattern decouples IdP interaction from the provider
  • Automatic token caching with InvalidateCache()
  • EnterpriseAuthProviderOptions for configuration (ClientId, ClientSecret, Scope, AssertionCallback)

Tests

36 unit tests covering both layers across net8.0, net9.0, and net10.0.

Related

dependabot bot and others added 30 commits December 8, 2025 15:59
@dependabot
Bump actions/setup-node from 6.0.0 to 6.1.0 (modelcontextprotocol#1074)
ef62e6e 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump danielpalme/ReportGenerator-GitHub-Action from 5.5.0 to 5.5.1 (m…
9f6fc36 
…odelcontextprotocol#1073)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @jeffhandley
Bump actions/checkout from 5.0.1 to 6.0.0 (modelcontextprotocol#1005)
66ba342 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jeff Handley <jeffhandley@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@stephentoub
Remove s_additionalProperties from McpClientTool (modelcontextprotoco…
20d726b 
…l#1080)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Migrate from Anthropic.SDK to official Anthropic package (modelcontex…
f9239b0 
…tprotocol#1083)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Update Microsoft.Extensions.AI dependencies to 10.1.0 (modelcontextpr…
cd1052b 
…otocol#1082)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@jeffhandley
Bump version to 0.5.0-preview.2. Update NuGet Project URL. (modelcont…
80e1882 
…extprotocol#1078)
@stephentoub
Improve caching in XmlToDescriptionGenerator (modelcontextprotocol#1010)
828d51e
@halter73
Support incremental scope consent (SEP-835) (modelcontextprotocol#1084)
31f8d20
@PederHP @halter73 @mikekistler
Resource subscribe should be true if handler provided (modelcontextpr…
9bbae84 
…otocol#676)

Co-authored-by: Stephen Halter <halter73@gmail.com>
Co-authored-by: Mike Kistler <mikekistler@microsoft.com>
@stephentoub
Fix Icon.Theme documentation to match MCP specification (modelcontext…
3aedd3c 
…protocol#1090)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
@stephentoub
Update Microsoft.Extensions.AI* packages to latest versions (modelcon…
c3910e9 
…textprotocol#1093)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Document HttpRequestException thrown by McpClient.CreateAsync (modelc…
5b74ee2 
…ontextprotocol#1095)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@dependabot
Bump actions/checkout from 6.0.0 to 6.0.1 (modelcontextprotocol#1100)
ff5e8b0 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump becheran/mlc from 1.0.0 to 1.2.0 (modelcontextprotocol#1098)
ebda856 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @eiriktsarpalis
Bump actions/upload-artifact from 5.0.0 to 6.0.0 (modelcontextprotoco…
8a7d132 
…l#1099)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eirik Tsarpalis <eirik.tsarpalis@gmail.com>
@dependabot
Bump actions/download-artifact from 6.0.0 to 7.0.0 (modelcontextproto…
a78008c 
…col#1097)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot @eiriktsarpalis
Bump the other-testing group with 1 update (modelcontextprotocol#1101)
d0ee6a0 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eirik Tsarpalis <eirik.tsarpalis@gmail.com>
@stephentoub
Add request duration to LogRequestHandlerCompleted and LogRequestHand…
31fcc1e 
…lerException log messages (modelcontextprotocol#1092)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Add missing exception documentation to public API surface (modelconte…
1b846cb 
…xtprotocol#1103)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
@stephentoub @eiriktsarpalis
Fix session timeout due to timestamp frequency mismatch and activity …
aaffd71 
…tracking (modelcontextprotocol#1106)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: eiriktsarpalis <2813363+eiriktsarpalis@users.noreply.github.com>
@stephentoub @halter73
Remove private reflection from tests (modelcontextprotocol#1107)
8b73a42 
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: halter73 <54385+halter73@users.noreply.github.com>
Add CS1066 suppressor for MCP server methods with optional parameters (
8316aa0 
…modelcontextprotocol#1110)
@gewarren
Improve docs landing page (modelcontextprotocol#1114)
aa2f8f4
@dependabot
Bump Anthropic from 11.0.0 to 12.0.1 (modelcontextprotocol#1118)
0897ca1 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mikekistler
Add CONTRIBUTING.md (modelcontextprotocol#1125)
db0beeb
@stephentoub @MackinnonBuck
Fix CreateSamplingHandler to use ChatRole.Tool for tool result messag…
bafbb0a 
…es (modelcontextprotocol#1128)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
Co-authored-by: MackinnonBuck <10456961+MackinnonBuck@users.noreply.github.com>
Co-authored-by: Mackinnon Buck <mackinnon.buck@gmail.com>
@dependabot
Bump the other-testing group with 1 update (modelcontextprotocol#1124)
6ff2712
@mikekistler
Install mono in dev container (modelcontextprotocol#1133)
f3fb617
@mikekistler @halter73
Add client conformance tests (modelcontextprotocol#1102)
14f9735 
Co-authored-by: Stephen Halter <halter73@gmail.com>
halter73 and others added 13 commits February 12, 2026 22:26
@halter73
Add tests to verify McpClient.DisposeAsync doesn't hang (modelcontext…
b4c7ded 
…protocol#1252)
@halter73
Change ProtectedResourceMetadata URI properties to strings and build …
dbf91bc 
…resource strings directly (modelcontextprotocol#1264)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: halter73 <54385+halter73@users.noreply.github.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
Log tool call name on success, not just failure (modelcontextprotocol…
53e9ed8 
…#1256)
Add auth regression test for missing resource in PRM (modelcontextpro…
b8ae4fe 
…tocol#1265)
@halter73
Fix test for CannotAuthenticate when metadata is missing (modelcontex…
ec2983b 
…tprotocol#1266)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: halter73 <54385+halter73@users.noreply.github.com>
@halter73
Fix HttpClient timeout for long-running tools without event stream st…
fb2daf2 
…ore (modelcontextprotocol#1268)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: halter73 <54385+halter73@users.noreply.github.com>
@dependabot
Bump qs from 6.14.1 to 6.14.2 in the npm_and_yarn group across 1 dire…
f76f6f6 
…ctory (modelcontextprotocol#1271)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@stephentoub
Fix flaky stderr test: call WaitForExit() after WaitForExitAsync() to…
3caac28 
… flush ErrorDataReceived events (modelcontextprotocol#1278)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Fix stderr event loss due to missing WaitForExit in DisposeProcess (m…
1dd06e7 
…odelcontextprotocol#1280)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@dependabot
Bump the other-testing group with 2 updates (modelcontextprotocol#1283)
5cec467 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@mikekistler
Unskip GetRequest_Receives_UnsolicitedNotifications test (modelcontex…
da91b64 
…tprotocol#1286)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@dependabot
Bump Anthropic from 12.3.0 to 12.5.0 (modelcontextprotocol#1284)
2c7eefa 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@dependabot
Bump Microsoft.Extensions.AI from 10.2.0 to 10.3.0 (modelcontextproto…
d7ca79b 
…col#1285)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@aniket-okta aniket-okta self-assigned this Feb 17, 2026
Copilot AI and others added 15 commits February 17, 2026 09:30
@stephentoub
Document https:// direct-fetch provision in ReadResourceRequestParams (
392e47e 
…modelcontextprotocol#1296)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Add serialization roundtrip tests for all Protocol namespace types (m…
4cef394 
…odelcontextprotocol#1289)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@stephentoub @halter73
Align InitializeResult.instructions XML docs with latest MCP spec g…
49fbc51 
…uidance (modelcontextprotocol#1290)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
Co-authored-by: Stephen Halter <halter73@gmail.com>
@stephentoub
Align sampling specification XML docs with spec revision d165cd6 (mod…
43a302f 
…elcontextprotocol#1293)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Add X-Accel-Buffering header to SSE responses (modelcontextprotocol#1294
2e17550 
)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Clarify request-scoped tool semantics in CreateMessageRequestParams (m…
6a38242 
…odelcontextprotocol#1295)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Fix flaky sse-retry conformance test caused by CI timing sensitivity (m…
6fa8b50 
…odelcontextprotocol#1279)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
Co-authored-by: Stephen Toub <stoub@microsoft.com>
@dependabot
Bump the serilog-testing group with 1 update (modelcontextprotocol#1282)
5651e9e 
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@stephentoub
Update McpErrorCode XML docs and fix error code usage to align with M…
186cb93 
…CP spec (modelcontextprotocol#1291)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Fix StdioServerTransport.DisposeAsync() hang: CancellableStdinStream …
841e810 
…missing Dispose override (modelcontextprotocol#1276)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Add validation and error signaling guidance to MCP tool XML docs (mod…
ec4c732 
…elcontextprotocol#1275)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@stephentoub
Update tests for @modelcontextprotocol/server-everything 2026.1.26 (m…
a502efb 
…odelcontextprotocol#1273)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>
@dependabot
Bump the testing-frameworks group with 1 update (modelcontextprotocol…
92cbbca 
…#1281)
@dependabot
Bump ajv from 8.17.1 to 8.18.0 in the npm_and_yarn group across 1 dir…
c3bb9c1 
…ectory (modelcontextprotocol#1302)
@aniket-okta
feat: Add Enterprise Managed Authorization (SEP-990) support
c945019
@aniket-okta aniket-okta force-pushed the feature/enterprise-managed-authorization branch from 65750ba to c945019 Compare February 18, 2026 08:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@aniket-okta aniket-okta

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.