Description
Is your feature request related to a problem? Please describe.
No. It is a request in response to the draft Authorization update to the MCP Spec described here.
Describe the solution you'd like
Planning now and eventual implementation for hooking into existing OAuth infrastructure to support the spec.
Describe alternatives you've considered
Ktor has an OAuth implementation. Perhaps something framework-agnostic but similar could work here. I would imagine the main thing is to delegate to add as little burden as possible to this library.
Additional context
As described in this post, the key part of the implementation is recognizing the clean separation between the MCP Server serving as a Resource Provider (RP) and Authorization Server (AS). Every MCP Server will have to host a Protected Resource Metadata document, which the MCP Client will discover and use to initiate the OAuth PKCE Flow.
This post provides more background.
Again, the spec update is in draft, so immediate action is not necessary. However, I would consider this a critical step to implementing MCP at scale for real, so I think it's important for the team to start thinking about how the implementation might look when the time comes.
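The client side of the flow described above, as an added example that is not part of the original issue or of the SDK: it checks a discovered Protected Resource Metadata document and builds the PKCE authorization request using only JDK classes. The `resource` and `authorization_servers` fields follow RFC 9728, PKCE follows RFC 7636 and the `resource` parameter RFC 8707; the class and function names, the host names, and the already-discovered `authorizationEndpoint` are assumptions.

```kotlin
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Subset of an RFC 9728 Protected Resource Metadata document, already parsed from JSON.
data class ProtectedResourceMetadata(val resource: String, val authorizationServers: List<String>)

private val b64url = Base64.getUrlEncoder().withoutPadding()

// RFC 7636: 32 random bytes encode to a 43-character code_verifier.
fun newCodeVerifier(): String = b64url.encodeToString(ByteArray(32).also { SecureRandom().nextBytes(it) })

// RFC 7636 S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))).
fun codeChallenge(verifier: String): String =
    b64url.encodeToString(MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII)))

// Builds the authorization request URL. Rejects metadata whose `resource` is not the server
// the client connected to, and any authorization server or endpoint that is not HTTPS.
fun authorizationRequest(
    mcpServerUrl: String, prm: ProtectedResourceMetadata, authorizationEndpoint: String,
    clientId: String, redirectUri: String, state: String, verifier: String,
): String {
    require(prm.resource == mcpServerUrl) { "metadata describes a different resource" }
    val issuer = prm.authorizationServers.firstOrNull() ?: error("no authorization server advertised")
    require(issuer.startsWith("https://") && authorizationEndpoint.startsWith("https://")) { "HTTPS required" }
    val params = linkedMapOf(
        "response_type" to "code", "client_id" to clientId, "redirect_uri" to redirectUri,
        "state" to state, "code_challenge" to codeChallenge(verifier),
        "code_challenge_method" to "S256", "resource" to prm.resource,
    )
    return authorizationEndpoint + "?" + params.entries.joinToString("&") { (k, v) ->
        k + "=" + URLEncoder.encode(v, "UTF-8")
    }
}

fun main() {
    // Constructed sample values; every host name and identifier below is a placeholder.
    val server = "https://mcp.example.com"
    val prm = ProtectedResourceMetadata(server, listOf("https://auth.example.com"))
    fun request(p: ProtectedResourceMetadata) = authorizationRequest(server, p,
        "https://auth.example.com/authorize", "demo-client", "http://127.0.0.1:8765/callback",
        "constructed-state", newCodeVerifier())
    // RFC 7636 Appendix B test vector for the S256 transform.
    check(codeChallenge("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk") == "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM")
    println(request(prm))
    // Metadata that names another resource is rejected before any redirect is built.
    check(runCatching { request(prm.copy(resource = "https://other.example.com")) }.isFailure)
}
```

The verifier must be kept by the client and sent as `code_verifier` in the later token request; only the derived challenge appears in the redirect.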