Implement SEP-990: Enterprise Managed Authorization (Extension)

[felixweinberger]

This is a tracking issue for implementation of SEP-990.

Summary

This extension enables secure authorization of MCP clients within enterprise environments by leveraging existing enterprise Identity Provider (IdP) infrastructure. The C# SDK needs to implement client-side OAuth flows including OpenID Connect/SAML integration, RFC8693 Token Exchange to obtain Identity Assertion JWT Authorization Grants (ID-JAG), and RFC7523 JWT Bearer Grant flows. Server-side implementations need JWT validation including signature verification, claims validation, and replay prevention. This extension provides seamless single sign-on for users while enabling enterprise administrators to control which MCP servers can be accessed and enforce policies through existing IdP infrastructure.

Related Issues & PRs

• Implementation PRs: n/a
• Related PRs: n/a
• Related Issues: n/a

[mikekistler]

@felixweinberger Since this SEP is for an extension, is this required to be implemented for an SDK to claim compliance with the 2025-11-25 spec?

[felixweinberger]

@felixweinberger Since this SEP is for an extension, is this required to be implemented for an SDK to claim compliance with the 2025-11-25 spec?

I'm actually not 100% sure of the requirements here as the Extensions SEP wasn't finalized modelcontextprotocol/modelcontextprotocol#1724 - @pja-ant working on the extensions SEP probably has the best PoV here.

The language of the SEP (though not merged) suggests SDKs DO NOT have to implement extensions to claim 100% compliance. I.e. implementing extensions is optional and up to SDK maintainers.

[pja-ant]

Since this SEP is for an extension, is this required to be implemented for an SDK to claim compliance with the 2025-11-25 spec?

Strictly speaking, no (i.e. as far as tiering goes). However, I do expect this to be highly desirable from users!

[mikekistler]

I wanted to assign this to @aniket-okta but GitHub wouldn't let me. Maybe Aniket needs to be added to the ModelContextProtocol org for this to work?

In the interim, I've assigned this to myself so we don't wind up with multiple people working on this.

[aniket-okta]

@mikekistler Thanks for the mention! It can be assigned to me as I’ve already started the implementation.

[mikekistler]

@aniket-okta Any update on this work item?

[aniket-okta]

I've opened a PR implementing this: #1305