Skip to content

OAuth hardening: identity, discovery, lifecycle, and adversarial coverage #843

Description

@dcramer

Objective

Track the provider-agnostic gaps found by auditing Junior's generic plugin OAuth and MCP OAuth implementations end to end: identity and audience binding, discovery, registration, PKCE/state, callback lifecycle, refresh, resume, unlink, telemetry, and deterministic test coverage.

Issue #832 is explicitly excluded from this program: its Cloudflare-specific premise was not reproducible and the issue is closed. The items below are backed by current origin/main code paths and standards/SDK behavior.

No active exploitation was identified. The highest-risk gaps are workspace/audience credential binding, OAuth discovery network and header isolation, and non-atomic MCP registration/refresh/attempt state.

Confirmed correctness and security gaps

Deliberate hardening and lifecycle work

Verification infrastructure

Recommended delivery order

  1. Expand the deterministic OAuth/MCP mock enough to prove each boundary (Expand the mock OAuth E2E server for adversarial protocol coverage #838).
  2. Contain cross-tenant, cross-resource, and cross-origin credential leakage (Scope stored OAuth credentials to Slack workspace identity #834, Bind MCP OAuth credentials and registrations to resource and issuer #837, Enforce MCP OAuth discovery URL policy and isolate request headers #835, Sanitize OAuth telemetry and harden callback HTTP responses #842).
  3. Replace implicit MCP attempt state and serialize DCR/refresh/callback transitions (Make MCP OAuth attempts atomic and eliminate orphan auth sessions #833, Serialize MCP OAuth registration, refresh, and credential updates #836, Make OAuth callback failure and resume outcomes durable #840).
  4. Repair incremental scope reauthorization (Support runtime permission escalation for MCP providers #694).
  5. Move interaction behind click-time intents and harden generic OAuth (Add first-party OAuth start URLs for provider authorization #782, Add PKCE and bounded callback token exchange to generic OAuth #841).
  6. Add provider-side revocation (Revoke OAuth grants when users unlink connected accounts #839).

Cross-cutting completion gates

  • Credential identity is workspace-bound and MCP credentials are resource/issuer/redirect-bound.
  • No resource token or static resource header crosses into another OAuth or resource origin.
  • OAuth discovery and redirects use one explicit URL policy with bounded time and response size.
  • Every authorization attempt reaches an explicit terminal or resumable state.
  • Refresh, DCR, callback claim, and credential updates are serialized or versioned.
  • Provider-controlled bodies and secrets never enter telemetry.
  • Deterministic integration tests cover happy paths, denial, replay, concurrency, redirects, PKCE, scope escalation, and malicious metadata.
  • Evals cover only user-visible agent continuation behavior.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions