
The MCP (Model Context Protocol) Authorization spec rides on standard OAuth 2.1: the MCP Server is the Resource Server, the MCP Client is the OAuth Client, and behind them sit one or more Authorization Servers (AS). The most elegant, and most easily overlooked, property of this design is that a single MCP Client can talk to multiple authorization servers at once. The spec says it in black and white: the authorization_servers field of the Protected Resource Metadata “can define multiple authorization servers,” and “the responsibility for selecting which authorization server to use lies with the MCP client.”
Once “one client, many ASes” becomes the norm, an attack that barely exists in the single-AS world surfaces: the authorization server mix-up attack. The client starts a flow with one AS, the authorization response actually comes back from another, and the client cannot tell the difference from the response alone. This post walks through how the attack works, why the IETF wrote a dedicated RFC for it (RFC 9207, OAuth 2.0 Authorization Server Issuer Identification, which adds an iss parameter to the authorization response), and how to implement that RFC in an OAuth 2.0 authorization server, including an issuer-inconsistency bug the implementation surfaced.
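The AS side of RFC 9207 is small (add iss to every authorization response), so the part worth seeing in code is the client-side check that the parameter exists to enable. The following is an added example, not code from the post or from any MCP SDK: a toy client registered at two authorization servers, a mix-up scenario in which the attacker-controlled AS forwards the user to the honest AS, and the RFC 9207 comparison of the returned iss against the issuer the client chose when it started the flow. The class names, the issuer URLs and the redirect URI are constructed for the example; the flag on the toy AS stands in for the authorization_response_iss_parameter_supported entry of the real AS metadata.

```python
"""
Toy model of the RFC 9207 iss check in an OAuth client that talks to several
authorization servers. Added example; issuer URLs and class names are made up.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse


class MixUpError(Exception):
    """Raised when an authorization response fails the RFC 9207 iss check."""


@dataclass
class AuthorizationServer:
    """Minimal AS: mints a code and redirects back, adding iss when supported."""
    issuer: str
    iss_supported: bool = True  # stands in for authorization_response_iss_parameter_supported
    issued: dict = field(default_factory=dict)

    def authorize(self, redirect_uri: str, state: str) -> str:
        code = secrets.token_urlsafe(16)
        self.issued[code] = self.issuer
        params = {"code": code, "state": state}
        if self.iss_supported:
            params["iss"] = self.issuer  # RFC 9207: iss is the AS's issuer identifier
        return f"{redirect_uri}?{urlencode(params)}"


class Client:
    """OAuth client registered at several ASes; remembers which AS each flow targets."""

    def __init__(self, redirect_uri: str, servers, enforce_iss: bool = True):
        self.redirect_uri = redirect_uri
        self.enforce_iss = enforce_iss
        # Stand-in for the AS metadata the client fetched for each issuer (assumed).
        self.metadata = {s.issuer: s.iss_supported for s in servers}
        self.pending = {}  # state -> issuer the client chose when starting the flow

    def start(self, issuer: str) -> str:
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def finish(self, redirect_url: str):
        q = parse_qs(urlparse(redirect_url).query)
        state = q.get("state", [None])[0]
        expected = self.pending.pop(state, None)
        if expected is None:
            raise MixUpError("unknown or replayed state")
        iss = q.get("iss", [None])[0]
        if self.enforce_iss:
            if self.metadata[expected] and iss is None:
                raise MixUpError("AS metadata advertises iss support but response has no iss")
            # Simple string comparison (RFC 9207 section 2.4 / RFC 3986 section 6.2.1):
            # no normalization, so a stray trailing slash is a mismatch, not a match.
            if iss is not None and iss != expected:
                raise MixUpError(f"iss {iss!r} does not match expected issuer {expected!r}")
        # The client redeems the code at the token endpoint of `expected`.
        return expected, q["code"][0]


HONEST = "https://honest.example"
ATTACKER = "https://attacker.example"


def run_mixup(enforce_iss: bool) -> str:
    """Mix-up attack. Returns the issuer whose token endpoint would receive the
    code, or "rejected" if the client aborts the flow."""
    honest = AuthorizationServer(HONEST)
    attacker = AuthorizationServer(ATTACKER)
    client = Client("https://client.example/cb", [honest, attacker], enforce_iss)
    # 1. The user is lured into starting a flow that the client believes is with the attacker AS.
    state = client.start(ATTACKER)
    # 2. The attacker's authorization endpoint forwards the user to the honest AS,
    #    reusing the client's redirect_uri and state.
    # 3. The honest AS authenticates the user, mints a code and redirects back to the client.
    redirect_url = honest.authorize(client.redirect_uri, state)
    try:
        issuer, _code = client.finish(redirect_url)
    except MixUpError:
        return "rejected"
    return issuer  # without the check this is the attacker, who now holds a valid code


def run_honest() -> str:
    """Ordinary flow against the honest AS; the iss check passes."""
    honest = AuthorizationServer(HONEST)
    attacker = AuthorizationServer(ATTACKER)
    client = Client("https://client.example/cb", [honest, attacker])
    state = client.start(HONEST)
    issuer, _code = client.finish(honest.authorize(client.redirect_uri, state))
    return issuer


if __name__ == "__main__":
    print("no iss check  ->", run_mixup(enforce_iss=False))
    print("iss check     ->", run_mixup(enforce_iss=True))
    print("honest flow   ->", run_honest())
```

The point the toy makes is that state alone does not help: the honest AS echoes the client's own state back, so the response looks exactly like the one the client was waiting for, and without iss the client happily posts the honest AS's code (along with its client credentials) to the attacker's token endpoint. The check also has to be a byte-for-byte comparison against the issuer taken from the AS metadata; the moment an AS emits an iss that differs from its advertised issuer, every conforming client starts rejecting its responses.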

