Is your feature request related to a problem? Please describe.
MCP clients created via ADK do not implement Resource Indicators for OAuth 2.0 as defined in RFC 8707 to explicitly specify the target resource for which the token is being requested.
Implementing this will ensure that access tokens are bound to their intended resources and cannot be misused across different services.
Describe the solution you'd like
The resource parameter:
MUST be included in both authorization requests and token requests.
MUST identify the MCP server that the client intends to use the token with.
MUST use the canonical URI of the MCP server as defined in RFC 8707 Section 2.
MCP clients MUST send this parameter regardless of whether authorization servers support it.
E.g.
&resource=https%3A%2F%2Fmcp.example.com
Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.
Additional context
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#token-audience-binding-and-validation
https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization#access-token-privilege-restriction
https://auth0.com/blog/mcp-specs-update-all-about-auth/
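The requested behaviour, sketched as an added example (not ADK code and not part of the original issue): a client-side helper that normalizes the MCP server URI and attaches it as `resource` to both the authorization request and the token request. The function names, the endpoints and client values in the demo, and the normalization choices (lowercase scheme and host, drop a bare trailing slash, reject fragments) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs


def canonical_resource(uri: str) -> str:
    """Normalize an MCP server URI for use as an RFC 8707 resource indicator (hypothetical helper)."""
    if "#" in uri:
        raise ValueError("resource indicator must not contain a fragment")
    parts = urlsplit(uri)
    if not parts.scheme or not parts.hostname:
        raise ValueError("resource indicator must be an absolute URI")
    host = parts.hostname.lower()            # userinfo, if any, is dropped here
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    path = "" if parts.path == "/" else parts.path   # assumption: bare "/" is not significant
    return urlunsplit((parts.scheme.lower(), host, path, parts.query, ""))


def authorization_url(endpoint, client_id, redirect_uri, state, code_challenge, mcp_server):
    """Authorization request (code flow with PKCE) carrying the resource parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "resource": canonical_resource(mcp_server),
    }
    return f"{endpoint}?{urlencode(params)}"


def token_request_body(code, client_id, redirect_uri, code_verifier, mcp_server):
    """Form body for the token request; resource must match the authorization request."""
    return urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_verifier": code_verifier,
        "resource": canonical_resource(mcp_server),
    })


def resource_of(query: str) -> list:
    """Return the resource values present in a query string or form body."""
    return parse_qs(query).get("resource", [])


if __name__ == "__main__":
    # Constructed sample values; none of these come from ADK or a real deployment.
    url = authorization_url("https://auth.example.com/authorize", "client-123",
                            "http://localhost:8080/callback", "st4te", "ch4llenge",
                            "HTTPS://MCP.Example.com/")
    body = token_request_body("c0de", "client-123", "http://localhost:8080/callback",
                              "v3rifier", "https://mcp.example.com")
    print(url, body, sep="\n")
```

A client can use `resource_of` on both outgoing requests to confirm that the two legs of the flow name the same MCP server before sending them.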