SEP-2207: OIDC-flavored refresh token guidance — rust-sdk impact
Spec PR: modelcontextprotocol/modelcontextprotocol#2207
Track: Specification · Stage: final · Theme: Enterprise Readiness
Needs code changes: Already implemented (verify only) — None
Summary
Guidance for MCP clients talking to OIDC-flavored authorization servers about requesting refresh
tokens via the offline_access scope, and that MCP servers should not include
offline_access in their responses. Pure additive guidance, no behavior change required.
rust-sdk status
Already implemented. crates/rmcp/src/transport/auth.rs has
AuthorizationManager::add_offline_access_if_supported(..), called from select_scopes(..), with a
comment explicitly citing SEP-2207: "when the AS advertises offline_access in scopes_supported,
append it so OIDC-flavored Authorization Servers will issue refresh tokens." It also guards against
duplicate/empty appends. The SEP itself lists rust-sdk#676 as the implementing PR.
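The rule the SEP describes is small enough to show in full. The following is an added example written for this issue, not the rmcp crate's own code: AsMetadata, select_scopes and strip_offline_access are assumed names and shapes, and the metadata values are constructed. It shows the client side (append offline_access only when the AS advertises it in scopes_supported, never twice, never on an empty/whitespace scope) and the server-side counterpart (an MCP server filtering offline_access out of what it echoes back).

```rust
// Added example (not rmcp's own code): a stand-alone sketch of the SEP-2207
// client-side rule plus the server-side "don't advertise offline_access" rule.
// AsMetadata, select_scopes and strip_offline_access are assumed names.

/// The scope OIDC-flavored authorization servers use to mean "issue a refresh token".
pub const OFFLINE_ACCESS: &str = "offline_access";

/// The one RFC 8414 metadata field this rule needs. Constructed for the example;
/// a real metadata struct carries many more fields.
#[derive(Debug, Default)]
pub struct AsMetadata {
    pub scopes_supported: Option<Vec<String>>,
}

/// Append `offline_access` to the requested scopes only when the AS advertises it
/// in `scopes_supported`, and never append a duplicate. Returns true if appended.
pub fn add_offline_access_if_supported(scopes: &mut Vec<String>, md: &AsMetadata) -> bool {
    let supported = match &md.scopes_supported {
        Some(s) => s,
        // No metadata: do not guess; an AS may reject unknown scopes outright.
        None => return false,
    };
    if !supported.iter().any(|s| s == OFFLINE_ACCESS) {
        return false;
    }
    if scopes.iter().any(|s| s == OFFLINE_ACCESS) {
        // Already requested (e.g. on a refresh/step-up path): avoid a duplicate.
        return false;
    }
    scopes.push(OFFLINE_ACCESS.to_string());
    true
}

/// Build the scope list for a token request. `requested` is whatever the MCP
/// server's protected-resource metadata asked for (possibly empty). Blank entries
/// are dropped so the request never carries "" alongside `offline_access`.
/// Calling this on every token path (initial, refresh, step-up) keeps them consistent.
pub fn select_scopes(requested: &[&str], md: &AsMetadata) -> Vec<String> {
    let mut scopes: Vec<String> = requested
        .iter()
        .map(|s| s.trim())
        .filter(|s| !s.is_empty())
        .map(String::from)
        .collect();
    add_offline_access_if_supported(&mut scopes, md);
    scopes
}

/// Server-side counterpart: an MCP server must not include `offline_access` in
/// the scopes it advertises or echoes, since that scope is an AS concern.
pub fn strip_offline_access(scopes: &[String]) -> Vec<String> {
    scopes
        .iter()
        .filter(|s| s.as_str() != OFFLINE_ACCESS)
        .cloned()
        .collect()
}

fn main() {
    // Constructed AS metadata that advertises offline_access.
    let md = AsMetadata {
        scopes_supported: Some(vec![
            "openid".to_string(),
            "mcp:tools".to_string(),
            OFFLINE_ACCESS.to_string(),
        ]),
    };
    let scopes = select_scopes(&["mcp:tools"], &md);
    println!("scope={}", scopes.join(" ")); // scope=mcp:tools offline_access

    // A server-side scope list that accidentally carried offline_access.
    let advertised = vec!["mcp:tools".to_string(), OFFLINE_ACCESS.to_string()];
    println!("server advertises: {:?}", strip_offline_access(&advertised));
}
```

The verification items in this issue map directly onto the branches above: the "all token paths" check is whether every call site that builds a token request goes through the equivalent of select_scopes, and the duplicate guard is what makes re-running it on a refresh or step-up path safe.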
Proposed work (verification only)
- Confirm add_offline_access_if_supported(..) is exercised on all token-request paths (initial auth + refresh + step-up re-auth), not just the initial one.
- Confirm that server-side responses built by rust-sdk do not include offline_access in their own scopes_supported.
Affected areas
crates/rmcp/src/transport/auth.rs (only if a gap is found on a token path).
Notes
- Effectively a no-op beyond verification; included for release completeness.
Related work
This issue is verification-only: confirm the existing implementation satisfies the finalized SEP-2207 guidance across all token paths. Close as done if it does.