When an MCP Client Trusts Multiple Authorization Servers: Stopping Mix-Up Attacks with RFC 9207

cover

The MCP (Model Context Protocol) Authorization spec rides on standard OAuth 2.1: the MCP Server is the Resource Server, the MCP Client is the OAuth Client, and behind them sits one or more Authorization Servers (AS). The most elegant — and most easily overlooked — property of this design is that a single MCP Client can talk to multiple authorization servers at once. The spec says it in black and white: the authorization_servers field of the Protected Resource Metadata “can define multiple authorization servers,” and “the responsibility for selecting which authorization server to use lies with the MCP client.”

Once “one client, many ASes” becomes the norm, an attack that barely exists in the single-AS world surfaces: the authorization server mix-up attack. This post walks through how the attack works, why the IETF wrote a dedicated RFC — RFC 9207 — just for it, and how to implement it in an OAuth 2.0 authorization server (including an issuer-inconsistency bug the implementation surfaced).

[Read More]

當 MCP Client 同時信任多個授權伺服器:用 RFC 9207 堵住 Mix-Up 攻擊

cover

MCP(Model Context Protocol)Authorization 規範 走的是標準 OAuth 2.1 那一套:MCP Server 當 Resource Server、MCP Client 當 OAuth Client、背後再接一個或多個 Authorization Server(以下簡稱 AS)。這套設計最漂亮、也最容易被忽略的一個特性是——同一個 MCP Client 可以同時對接多個授權伺服器。MCP 規範裡白紙黑字寫著:Protected Resource Metadata 的 authorization_servers 欄位「可以定義多個授權伺服器,由 MCP Client 自己決定要用哪一個」。

一旦「一個 client、多個 AS」成為常態,一種在單一 AS 世界裡幾乎不存在的攻擊就浮上檯面了:授權伺服器 Mix-Up 攻擊(AS mix-up attack)。這篇文章要談的,就是這個攻擊怎麼運作、為什麼 IETF 要為它單獨立一份 RFC 9207,以及在一台 OAuth 2.0 授權伺服器上要怎麼把它實作起來(附上我實作時踩到的一個 issuer 不一致 bug)。

[Read More]

When AI Can Already Write Code — Building Your AI Workflow: Agent Skill + MCP Hands-on Workshop Recap

cover

On July 1, 2026, I ran a 90-minute hands-on LAB workshop at iThome Cloud Summit Taiwan: “When AI Can Already Write Code — Building Your AI Workflow”. This article walks through the core content and hands-on exercises from that day, so friends who couldn’t make it can follow along and run through it themselves, and attendees have a set of notes to come back to.

On the same day I also gave a conference talk about our complete two-year journey of adopting AI Agentic Coding — the recap is here: From Watching on the Sidelines to Company-Wide Adoption: Two Years of AI Agentic Coding in Practice. That talk covered the “why and how to drive adoption”; this LAB was about rolling up our sleeves and actually doing it.

[Read More]

當 AI 已經能寫 Code——打造你的 AI 工作流:Agent Skill + MCP 實戰工作坊回顧

cover

2026 年 7 月 1 日,我在 iThome 臺灣雲端大會(Cloud Summit Taiwan)帶了一場 90 分鐘的 LAB 實戰工作坊:「當 AI 已經能寫 code——打造你的 AI 工作流」。這篇文章整理當天的核心內容與動手練習,讓沒能到場的朋友也能照著跑一次,也給參加過的朋友一份可以回頭查的筆記。

同一天我還有一場議程演講,聊的是兩年 AI Agentic Coding 導入的完整歷程,回顧文在這裡:從觀望到全公司落地:兩年 AI Agentic Coding 導入實戰。那場講「為什麼與怎麼推」,這場 LAB 則是捲起袖子「實際動手做」。

[Read More]

From Watching on the Sidelines to Company-Wide Adoption: Two Years of AI Agentic Coding in Practice

cover

Date: 2026.07.01 Event: 2026 Cloud Summit Taiwan Speaker: appleboy

This time last year, the question we were asking was “how can AI help us improve our productivity?” This year, the question has flipped: “how can we help AI so that it accelerates our work?” Swapping the subject and the object sounds like wordplay, but it is exactly the most fundamental mindset shift we went through over these two years of rolling out AI Agentic Coding across the company.

This article documents a road we actually traveled: from a handful of people quietly trying out Claude Code, to everyone in the company using it daily; from AI producing 66% of our output, all the way up to 97%; from engineers’ three wait-and-see attitudes — “I don’t trust it, I’m afraid of being replaced, I’m worried about security” — to letting results speak for themselves and packaging individual tricks into standardized Agent Skills; from every team writing its own MCP Server and triggering a project explosion, to pulling the security governance of the whole ecosystem back together with a unified authentication gateway and a Marketplace review process.

Three parts, in the order we actually lived through them: the full picture and the results of this year → from the sidelines to everyone on board → workflow integration and security governance.

[Read More]

從觀望到全公司落地:兩年 AI Agentic Coding 導入實戰

cover

日期:2026.07.01 活動:2026 Cloud Summit 台灣雲端大會 講者:appleboy

去年這個時候,我們在想的是「AI 怎麼協助我們改善工作效率」;今年,問題反過來了——「我們該怎麼協助 AI,讓它加速我們的工作」。主詞和受詞對調,聽起來像文字遊戲,但這正是這兩年公司內部 AI Agentic Coding 導入路上,最核心的一次心態轉變。

這篇文章記錄的是一段真實走過的路:從少數人偷偷試用 Claude Code,到全公司日常使用;從 AI 產出佔比 66%,一路衝到 97%;從工程師「不信任、怕被取代、擔心資安」的三種觀望心態,到用成果說話、把個人技巧封裝成標準化的 Agent Skill;從每個團隊各自寫 MCP Server 導致的專案爆炸,到用統一認證閘道與 Marketplace 審查機制把整個生態圈的資安治理收攏起來。

三個部分,跟著我們真實走過的順序:這一年的全貌與成果 → 從觀望到全員 → 流程整合與安全治理

[Read More]

Stop Letting Every MCP Server Collect Its Own PAT: A Unified OAuth2 Front Door with Kong + AuthGate

cover

Once MCP (Model Context Protocol) exploded inside the company, almost every team ended up running an MCP server or two of their own: one fronting Gitea, one for Sentry, one for the internal Wiki, one for a database. They’re genuinely useful — but there’s a question everyone collectively ignored: how do these MCP servers actually authenticate?

The answer is usually unsettling: each one collects its own PAT (Personal Access Token). Every MCP server defines its own token, stuffs it into an environment variable, and validates it itself. So the company quietly accumulates a pile of static tokens — “long-lived, sitting in a file, equivalent to someone’s account” — scattered across dev machines, CI, even pasted into Slack messages. This post is about using Kong together with AuthGate to put a single OAuth2 front door in front of every MCP server and clean up that PAT sprawl in one move.

The full example code lives in go-authgate/kong-mcp-oauth2. This post walks through the motivation, the architecture, the security considerations, and the actual verification steps.

[Read More]

別再讓 MCP Server 各自收 PAT:用 Kong + AuthGate 做企業統一 OAuth2 入口

cover

MCP(Model Context Protocol) 在公司內部爆量之後,幾乎每個團隊都自己跑了一兩個 MCP Server:接 Gitea 的、接 Sentry 的、接內部 Wiki 的、接資料庫的。它們很好用,但有一個被集體忽略的問題——這些 MCP Server 到底是怎麼認證的?

答案多半令人不安:各自收各自的 PAT(Personal Access Token)。每個 MCP Server 自己定義一套 token、自己塞進環境變數、自己驗。於是公司內部出現了一堆「長期有效、放在檔案裡、等同某個帳號權限」的靜態 token,散落在開發機、CI、甚至貼在 Slack 訊息裡。這篇文章要談的,就是怎麼用 Kong 搭配 AuthGate,在所有 MCP Server 前面架起單一的 OAuth2 入口,把這堆 PAT 一次收掉。

完整的範例程式碼在 go-authgate/kong-mcp-oauth2,本文會帶你走過設計動機、架構、安全考量到實際驗證。

[Read More]

Introduction to OAuth Client ID Metadata Document

cover

In 2025, I introduced MCP (Model Context Protocol) at the iThome Taiwan Cloud Summit. At that time, I mentioned that the official team has been continuously revising the authentication protocol to address complex authentication flows. The previous design involved DCR (Dynamic Client Registration), so as expected, on 2025/11/25, a new Authorization mechanism was released. This authentication mechanism is called “Client ID Metadata Documents, abbreviated as CIMD”.

When installing a Model Context Protocol (MCP) server, the most challenging part is often not the protocol itself, but how to establish trust between the client and server. If you’ve ever tried to connect an MCP client to an MCP server it has never encountered before, you’ve probably run into what’s known as the “registration wall”.

Pre-registering with every possible authorization server is simply not scalable, and while Dynamic Client Registration (DCR) helps, it lacks reliable mechanisms to verify client identity, making it vulnerable to phishing attacks. Beyond security concerns, DCR also creates operational overhead by generating an ever-growing number of duplicate client identities that need to be managed.

[Read More]

OAuth Client ID Metadata Document 簡介

cover

2025 年在 iThome 臺灣雲端大會介紹過 MCP (Model Context Protocol),那時候就有提到在認證協議部分,官方其實一直都在改版解決複雜的認證流程,之前設計的 DCR (Dynamic Client Registration),所以沒意外去年 2025/11/25 又推出一版 Authorization 機制,此認證機制取名叫『Client ID Metadata Documents 簡稱 CIMD』。

安裝 Model Context Protocol(MCP)伺服器時,最棘手的部分往往不是協議本身,而是如何讓客戶端與伺服器彼此建立信任。如果你曾嘗試讓一個 MCP 客戶端連線到一個從未接觸過的 MCP 伺服器,你大概遇過所謂的「註冊高牆(registration wall)」。

要預先在每一個可能的授權伺服器完成註冊根本無法擴展,而 Dynamic Client Registration(DCR)雖然有所幫助,但因為缺乏可靠的機制來驗證客戶端身份,所以容易遭受網路釣魚攻擊。除了安全性問題之外,DCR 還會造成營運負擔,因為它會產生越來越多需要管理的重複客戶端身份。

[Read More]