Skip to content

docs: rework the authorization tutorial around CIMD#3070

Draft
claude[bot] wants to merge 8 commits into
claude/delegate-auth-spec-to-rfcs-splitfrom
claude/rc-auth-tutorial
Draft

docs: rework the authorization tutorial around CIMD#3070
claude[bot] wants to merge 8 commits into
claude/delegate-auth-spec-to-rfcs-splitfrom
claude/rc-auth-tutorial

Conversation

@claude

@claude claude Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Requested by Den Delimarsky · Slack thread

The authorization tutorial previously taught Dynamic Client Registration with a session-keyed example server. It now teaches Client ID Metadata Documents (CIMD) as the primary registration path and de-emphasizes DCR. The examples are sessionless and follow the 2026-07-28 draft authorization flows.

Motivation and Context

Prepares the docs for the 2026-07-28 release. The tutorial predated the draft authorization changes.

Closes #3026
Closes #3027
Closes #3028
Closes #3034
Closes #3035
Closes #3038
Closes #3048

Supersedes #2155.

This PR is stacked on #3062 and should merge after it.

It also includes the authorization tutorial portion of #3031, which was closed by the stateless lifecycle PR.

How Has This Been Tested?

Documentation-only change. npm run check:docs passes locally (Prettier formatting, the MDX JS-comment check, and the Mint broken-links check).

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

The CIMD tutorial rewrite is ported from #2155 by @localden. Per AI_POLICY.md: this PR was drafted with AI assistance, and a human contributor reviews the full content before merge.


Generated by Claude Code

localden and others added 7 commits July 10, 2026 06:05
* Version the documentation section alongside the specification

The Documentation tab now uses the same Mintlify version picker as the
Specification tab. The current guides move to docs/docs/2026-07-28/ as
the canonical, in-progress version, and identical snapshots are stored
under 2025-11-25, 2025-06-18, 2025-03-26, and 2024-11-05 so every
released spec version has matching docs. No content backfill: the
snapshots are a copy of today's docs.

Internal links inside each versioned tree point within that version.
Old unversioned /docs/ URLs redirect to the 2026-07-28 pages, and a
/docs/latest alias mirrors /specification/latest so links and the
warning banner survive future version bumps. The spec version warning
script is generalized to also show a banner on older docs versions.

Version labels are chosen so the picker entries unify with the
Specification tab when cut-release.yml promotes the draft spec to
2026-07-28 on this branch.

:house: Remote-Dev: homespace

* Use a Draft docs version, promoted to a dated version at release cut

Replace the docs/docs/2026-07-28 directory with docs/docs/draft so the
Documentation tab mirrors the Specification tab exactly: dated released
versions plus a Draft entry. Both tabs now share identical version
labels, so the picker unifies immediately instead of after the cut.

Unversioned /docs/... URLs and /docs/latest now point at the latest
released version (2025-11-25), matching the spec's redirect semantics.

cut-release.yml promotes docs/docs/draft alongside the spec draft:
copies it to docs/docs/<version>, rewrites internal links, patches the
Documentation tab nav, retargets the latest-alias and legacy redirects
(including /specification/latest, which was never retargeted), and adds
dated siblings for draft-source redirects. Also fixes the promoted
version being inserted after older versions instead of first.

:house: Remote-Dev: homespace

* Reorder top nav: Documentation, Specification, Extensions first

:house: Remote-Dev: homespace

* Propagate base-branch docs updates into all versioned copies after rebase

During the rebase onto docs/2026-07-28-release, git's rename detection
paired the old docs/docs/* paths only with the 2025-06-18 snapshot, so
docs edits that landed on the base branch (Rust client tutorial, Claude
Desktop connector UI text, requestedSchema fix, Kotlin SDK tier, auth
sample link, OAuth URL validation guidance) were merged into that copy
alone. Copy the merged 2025-06-18 files over draft, 2025-11-25,
2025-03-26, and 2024-11-05 with internal links rewritten to each
version's prefix, keeping all snapshots identical per the PR's intent.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01N5Z3TGJTN8cH6goHhdekqc

---------

Co-authored-by: Claude <noreply@anthropic.com>
Cover RFC 9728 well-known fallback discovery, RFC 9207 iss validation,
multiple authorization servers with issuer-keyed registration state,
application_type and redirect URI rejection handling in DCR, incremental
scope consent and step-up authorization, and CIMD registration details.
Point Security Best Practices links at the relocated docs page, migrate
the TypeScript examples to the v2 SDK packages, and align the examples
and pitfalls with the sessionless draft transport.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016WBaED7Rta4YsYVz66Qoru
The CIMD getClient example now rejects documents whose client_id does not
match the URL or that lack the required fields, matching the authorization
server MUSTs in the Client Registration spec, and the surrounding prose
describes exactly that. The Common Issues note lists only the spec-required
metadata fields. The session identifier pitfall now scopes header handling
to servers that support only the draft revision instead of stating it as
universal behavior.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016WBaED7Rta4YsYVz66Qoru
The getClient prose now notes the remaining AS-side MUST, validating the
redirect_uri in each authorization request against the metadata document's
redirect_uris, and scopes the callback's checks to document-level validation.
The discovery fallback text now attributes the root well-known URI to the MCP
spec's extension of RFC 9728 rather than to the RFC itself. Also removes two
leftover screenshot placeholder comments in the Stytch walkthrough.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016WBaED7Rta4YsYVz66Qoru
The Keycloak example accepted any active token from introspection and the
Stytch example verified JWTs without an audience check. Both now reject
tokens whose aud claim does not match the server, using checkResourceAllowed
from @modelcontextprotocol/server, as the authorization spec requires.

Both examples also mounted /mcp with no auth middleware, so the 401
challenge described earlier in the tutorial never happened. The route is
now guarded by requireBearerAuth bound to the provider, with a
resource_metadata pointer in the WWW-Authenticate challenge.

Also drops an unused createOAuthMetadata import from the Keycloak example.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_016WBaED7Rta4YsYVz66Qoru
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jul 10, 2026
Trim asides that restated what underlying RFCs allow before stating
what MCP requires, and drop redundant justifications. Requirements and
spec pointers are unchanged.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01PiRGukoDqKwVRsvDWP2EsN
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants