What is the RFC 9207 iss parameter and what does MCP SEP-2468 do with it?

RFC 9207 defines an iss parameter — a URL identifying the authorization server that produced an authorization response. MCP SEP-2468 adopts this: authorization servers can advertise iss support in their metadata and include it in their authorization responses, and clients must compare it byte-for-byte (per RFC 3986 §6.2.1 simple string comparison) against the issuer recorded when the flow started. Any response whose iss does not match is rejected before the client proceeds to the token exchange; for ASes that don't advertise iss support, the client may apply local policy.

Why does an MCP client need this if it already does capability scoping?

Capability scoping limits the blast radius of any compromised tool but does not tell the client which authorization server replied. OAuth mix-up attacks abuse exactly that confusion: an attacker controlling, or holding a valid registration at, one of multiple trusted IdPs swaps responses between authorization servers, so the client believes it is talking to one IdP while it has actually authenticated against another. SEP-2468 sits a layer below scoping — a structural defense that removes the confusion at the protocol level with no policy tuning, so the rest of the guardrail stack (capability scoping, the Lethal Trifecta framing) starts from a known-correct issuer instead of an inferred one.

How does SEP-2468 compare to the other MCP SEPs landing this month?

SEP-2468 hardens OAuth across multi-IdP MCP clients, SEP-2663 lands async task handles so long-running tools no longer pin client connections, and SEP-2577 starts the deprecation timer on three legacy features. They sit at different layers of the protocol — authorization, tool execution, and feature lifecycle — and the security model assumed by SEP-2663's task handles and SEP-2577's migration windows leans on the same OAuth foundation SEP-2468 is reinforcing. Production MCP hosts running more than one IdP should adopt all three in sequence: hardened auth, async tools, and a migration plan for the deprecated surfaces.

MCP SEP-2468 — RFC 9207 iss parameter for OAuth mix-up defense

Agent

learnaivisually.com/ai-explained/mcp-sep-2468-iss-oauth-mix-up

TL;DR

What is it: MCP SEP-2468 aligns the MCP authorization flow with RFC 9207: authorization servers can advertise iss support and include the iss parameter on their responses; clients are required to validate that iss byte-for-byte against the issuer they had originally recorded for the flow.
Why it’s needed: An MCP host often trusts more than one identity provider — corporate SSO plus a partner IdP plus a developer IdP for local testing — and without a signal naming the AS, an attacker who controls (or holds a valid registration at) any trusted IdP can mix authorization codes between servers and trick the client into spending an attacker code at a legitimate token endpoint.
vs previous: The previous flow had no issuer field on the authorization response, so clients had to guess from session state — the structural gap the OAuth mix-up attack family exploits, and the one capability scoping cannot close because the attacker is abusing the client's uncertainty about which AS replied, not abusing a scope.

Jargon

MCP: The Model Context Protocol — an open protocol for connecting LLM hosts to external tool servers. The host runs the model and the agent loop; servers expose tools, resources, and prompts over JSON-RPC. Authorization across hosts and servers is increasingly standardized on OAuth 2.0, which is what SEP-2468 hardens.
SEP: Specification Enhancement Proposal — MCP's RFC-style change document. SEP-2468 is the proposal that brings RFC 9207's iss parameter into MCP authorization. Companion proposals include SEP-2663 (async task handles) and SEP-2577 (feature deprecations).
AS (Authorization Server): The OAuth role that authenticates the user and issues the authorization code and the access token. In MCP, your corporate SSO, a partner identity provider, and a developer-local IdP can all be ASes the client trusts at the same time.
iss parameter (RFC 9207): A URL string the AS includes in its authorization responses when it advertises RFC 9207 support in its metadata, identifying which AS produced the response. Defined in RFC 9207. Clients are required to compare it byte-for-byte (per RFC 3986 §6.2.1 simple string comparison) against the issuer they had recorded when they started the flow; when an AS does not advertise iss support, clients may apply local policy.
OAuth mix-up attack: A documented attack family where a client that trusts multiple ASes is tricked into sending one AS's authorization code or token to a different AS. The result is that the client believes it is talking to one IdP while it has actually authenticated to another — a privilege confusion the rest of the agent stack has no signal to detect.
Capability scoping: The defense pattern of granting tools the minimum capability they need (e.g. read-only file access for a summarizer). Capability scoping is a complementary defense — it limits the blast radius of any compromised tool but does NOT tell you which AS issued a given auth response. Goes deeper here.
Structural defense: A defense that removes a confusion at the protocol layer rather than relying on policy. The iss parameter is structural: the client cannot accidentally validate against the wrong issuer because the response itself names the AS that produced it.

The news. On May 17, 2026, MCP SEP-2468 was merged into the Model Context Protocol specification — proposed March 25, accepted May 5. The change recommends that authorization servers advertise iss support in their metadata and include the parameter in their authorization responses, and requires clients to validate it against the recorded issuer using simple string comparison per RFC 3986 §6.2.1. The motivation, taken directly from RFC 9207, is to close the long-standing OAuth mix-up attack in clients that trust multiple identity providers.

Picture the doorman. He has one name on his guest list — say, idp-a.example — and tonight that is the only venue whose guests he is letting in. A guest walks up. Without a wrist stamp, the doorman has no way to know which venue's list this person came from. Maybe it really is the right venue. Maybe it's someone from the bar next door who is hoping you don't check. The doorman has to guess. That is the OAuth mix-up scenario before SEP-2468: the client kicks off an authorization flow with one AS, an authorization response comes back, and the only signal the client has is its own session state — which the attacker is actively trying to confuse.

The fast path is each guest gets a stamp, printed with the venue name. The doorman doesn't have to remember faces. He reads the stamp, compares it letter by letter to the name on his list, and decides on the spot. The stamp is the iss parameter. It is not the token. It is metadata about which AS produced the response. The client compares response.iss against the issuer it had recorded when it started the flow, character for character. Match → continue to the token exchange. Mismatch → reject the response, no matter how convincing the rest of the payload looks.

The catch — and this is what makes the structural defense load-bearing — is that capability scoping and other content-layer checks can't fill in for the issuer check. Suppose every tool in your agent is read-only and every scope is minimal. An attacker still wins the mix-up if the client takes an authorization code minted by idp-b.evil and exchanges it at idp-a.example's token endpoint, because the eventual access token will be for the legitimate IdP — minted from the wrong user's session. The compromised data does not flow through a tool's parameters; it flows through the client's confusion about which IdP authenticated the user. That is a layer above the tool attack surface the rest of the agent's guardrails are built to police, which is exactly why the Layered Guardrails module sequences structural defenses before policy.

Consider a concrete illustration. Picture a workplace MCP host that trusts two authorization servers — idp-a.example (corporate SSO) and idp-b.example (a partner) — and 1,000 agent sessions per hour each completing one OAuth flow. Imagine an attacker who can substitute responses on 0.1% of flows. Pre-iss, the client has no signal to reject substituted responses, so the substitution rate equals the attack rate: 1,000 × 0.001 = 1 mix-up per hour, or ~24 per day (illustrative). Post-iss, a substituted response would carry iss=https://idp-b.example while the client recorded https://idp-a.example. The string-equality check fails for every substituted response that includes iss, so the post-defense rate drops to ~0 mix-ups per day (illustrative) — independent of how clever the substitution gets, with the residual restricted to ASes that do not advertise iss support and where client policy falls back to local rules.

Where the change earns its keep

The shape of what SEP-2468 actually adds is small. The table below contrasts the legacy flow with the SEP-2468 flow.

Aspect	Legacy MCP auth flow	SEP-2468 (RFC 9207)
Issuer field on auth response	None	`iss` required when AS metadata advertises support
How client knows which AS replied	Inference from session state	Server tells you, via `iss`
OAuth mix-up defense	Out of scope — client policy	String-equal `response.iss` against recorded issuer
String comparison rule	N/A	RFC 3986 §6.2.1 simple string comparison
Server discovery	N/A	AS advertises `iss` support in its metadata; clients may apply local policy on servers that don't
Layer of defense	Capability scoping only	Structural (issuer) plus capability scoping

The defense slots in neatly next to the existing guardrail stack. Capability scoping limits the blast radius of any single misuse. The Lethal Trifecta framing limits how private data, untrusted content, and exfiltration vectors are allowed to combine. SEP-2468 sits one layer below both — it ensures the client has not been silently rerouted to a different IdP before any of those checks even runs. None of the layers replaces the others; the value is in stacking them.

There is also a related lesson worth knowing. Mix-up is part of a broader pattern where protocol metadata gets repurposed as protocol contract. RFC 9207's iss is a small, fixed-shape addition with a single rule: equal or not. That makes it both easy to implement correctly and hard to mis-implement, which is exactly the property a defense-in-depth layer needs — every layer that requires nuanced configuration becomes its own attack surface.

The boundary of what SEP-2468 changes is not "how OAuth works." Existing single-IdP flows are unaffected; the comparison is trivially https://idp-a.example == https://idp-a.example and continues. The boundary is "what happens when a client trusts more than one AS at the same time" — the multi-IdP topology that production MCP hosts are increasingly running into. For those, the iss check is the difference between a structural defense and a hopeful one.

Goes deeper in: Agent Engineering → Layered Guardrails → Defense in depth

MCP SEP-2468 — RFC 9207 iss parameter for OAuth mix-up defense

Where the change earns its keep

Related explainers

Frequently Asked Questions