From prodsec-skills
Enforces OAuth 2.0 Protected Resource Metadata (RFC 9728) in MCP clients for authorization server discovery. Use when building or reviewing MCP client authentication flows.
Install: `npx claudepluginhub redhatproductsecurity/prodsec-skills --plugin prodsec-skills`
Slash command: `/prodsec-skills:mcp-client-protected-resource-metadata`
MCP clients MUST use OAuth 2.0 Protected Resource Metadata (RFC 9728) to discover the authorized authorization servers for any MCP server they connect to. Clients MUST NOT hardcode or manually configure authorization server URLs when the MCP server provides Protected Resource Metadata.
1. MCP client attempts to access MCP server resource
2. MCP server returns 401 with WWW-Authenticate header
3. MCP client fetches /.well-known/oauth-protected-resource from MCP server
4. Extract authorization_servers list from the metadata
5. Use the authorization server(s) listed for token acquisition
6. Authenticate with the authorization server and obtain token
7. Retry the original request with the obtained token
| Field | Usage |
|---|---|
| authorization_servers | List of trusted authorization server URLs to use |
| scopes_supported | Available scopes to request during authorization |
| bearer_methods_supported | How to present the bearer token (e.g., header) |
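The discovery steps and metadata fields above, worked through as client-side logic. This is an added example, not code from the prodsec-skills plugin; the server URL, challenge header and metadata document are constructed samples, and the checks (metadata URL and `resource` must share the MCP server's origin, authorization servers must be https) are the ones a client would apply before trusting what it discovered.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not captured from a real server): the Bearer challenge
# an MCP server returns with its 401 (step 2) and the metadata document the client
# then fetches from /.well-known/oauth-protected-resource (step 3).
MCP_SERVER_URL = "https://mcp.example.com/mcp"
SAMPLE_CHALLENGE = ('Bearer realm="mcp", resource_metadata='
                    '"https://mcp.example.com/.well-known/oauth-protected-resource"')
SAMPLE_METADATA = json.dumps({
    "resource": "https://mcp.example.com",
    "authorization_servers": ["https://auth.example.com"],
    "scopes_supported": ["mcp:read", "mcp:tools"],
    "bearer_methods_supported": ["header"],
})


def origin(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def metadata_url(challenge: str, server_url: str) -> str:
    """Locate the metadata document. Use the resource_metadata URL from the challenge
    only if it lives on the MCP server's own origin; otherwise fall back to the
    well-known path, so a tampered challenge cannot point the client elsewhere."""
    m = re.search(r'resource_metadata="([^"]+)"', challenge)
    if m and origin(m.group(1)) == origin(server_url):
        return m.group(1)
    return origin(server_url) + "/.well-known/oauth-protected-resource"


def select_auth_server(metadata_json: str, server_url: str, wanted: list) -> dict:
    """Steps 4-5: validate the metadata and choose the AS, scopes and token method."""
    md = json.loads(metadata_json)
    # The resource identifier must match the server the client is actually talking to.
    if origin(md.get("resource", "")) != origin(server_url):
        raise ValueError("resource identifier does not match the MCP server")
    servers = md.get("authorization_servers") or []
    if not servers or any(urlsplit(s).scheme != "https" for s in servers):
        raise ValueError("no usable https authorization server listed")
    supported = md.get("scopes_supported")
    scopes = [s for s in wanted if s in supported] if supported else list(wanted)
    return {
        "authorization_server": servers[0],   # discovered, never hardcoded or configured
        "scopes": scopes,
        "bearer_method": (md.get("bearer_methods_supported") or ["header"])[0],
    }
```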
- Fetch /.well-known/oauth-protected-resource from the MCP server
- Read the authorization_servers field and select an appropriate server
- Use scopes_supported to inform scope requests
- Honor bearer_methods_supported when presenting tokens