MCP OAuth Authorization Server Implemented with Authlete #CIMD, with an Implementation Included

watahani
December 23, 2025

Presentation slides for OpenID BizDay #18 ~ AIdentity × Security CollabDay ( https://openid.connpass.com/event/376275/ ). They summarize the issues that became visible after implementing an authorization server that includes CIMD (Client ID Metadata Document) using Authlete.

Transcript

  1. Copyright © 2025 Authlete, Inc. All Rights Reserved.

    MCP OAuth Authorization Server Implemented with Authlete: I Tried Implementing CIMD
    Authlete, 埴山 遂 (Wataru Haniyama)
  2. Authlete: provides the implementation needed to add OAuth/OIDC to a service

    • An API that processes OAuth/OIDC requests on your behalf
    • Persistent storage for token management
    • Centralized key management and client configuration
    • Management APIs that support user self-service and operations
    [Sequence diagram: Resource Owner, User Agent, Client, Authorization Server, Resource Server and Authlete. The user accesses the app and is authenticated; the client sends the authorization request and the token request to the authorization server, then calls the resource server with an API request; the resource server checks access rights through an introspection request and returns the content. Authlete performs authorization request processing, authorization response generation, token request processing and introspection request processing for the authorization server.]
  3. Why Authlete is chosen: the industry's fastest and broadest compliance with OAuth/OIDC specifications

    • Authlete rapidly implements FAPI1, FAPI2, FAPI-CIBA, each country's open finance profiles and advanced OAuth/OIDC extension specifications.
    • The OpenID Foundation also uses Authlete as the test bed for developing the conformance tests of the OpenID Certification Program.
    • As a result, by the time such a test is released, Authlete has already passed it ahead of other vendors.
    • OpenID Providers (OP) & Profiles: Basic OP, Implicit OP, Hybrid OP, Config OP, Dynamic OP, Form Post OP
    • FAPI1-Advanced OPs & Profiles
      – FAPI OPs & Profiles: FAPI Adv. OP w/ MTLS; FAPI Adv. OP w/ MTLS, PAR; FAPI Adv. OP w/ Private Key; FAPI Adv. OP w/ Private Key, PAR; FAPI Adv. OP w/ MTLS, JARM; FAPI Adv. OP w/ Private Key, JARM; FAPI Adv. OP w/ MTLS, PAR, JARM; FAPI Adv. OP w/ Private Key, PAR, JARM
      – FAPI OP - UK Open Banking: UK-OB Adv. OP w/ MTLS; UK-OB Adv. OP w/ Private Key
      – FAPI OP - Australia CDR: AU-CDR Adv. OP w/ Private Key; AU-CDR Adv. OP w/ Private Key, PAR
      – FAPI OP - Brazil Open Banking: BR-OB Adv. OP w/ MTLS; BR-OB Adv. OP w/ Private Key; BR-OB Adv. OP w/ MTLS, PAR; BR-OB Adv. OP w/ Private Key, PAR; BR-OB Adv. OP w/ MTLS, JARM; BR-OB Adv. OP w/ Private Key, JARM; BR-OB Adv. OP w/ MTLS, PAR, JARM; BR-OB Adv. OP w/ Private Key, PAR, JARM; BR-OB Adv. OP DCR
      – FAPI OP - Brazil Open Insurance: BR-OB Adv. OP w/ MTLS; BR-OB Adv. OP w/ Private Key; BR-OB Adv. OP w/ MTLS, PAR; BR-OB Adv. OP w/ Private Key, PAR; BR-OB Adv. OP w/ MTLS, JARM; BR-OB Adv. OP w/ Private Key, JARM; BR-OB Adv. OP w/ MTLS, PAR, JARM; BR-OB Adv. OP w/ Private Key, PAR, JARM; BR-OB Adv. OP DCR
      – FAPI OP - KSA Open Banking: KSA-OB Adv. OP w/ MTLS, PAR; KSA-OB Adv. OP w/ Private Key, PAR [NEW]
    • FAPI-CIBA OPs (Certified OPs & Profiles): FAPI-CIBA OP Poll w/ MTLS; FAPI-CIBA OP Poll w/ Private Key; FAPI-CIBA OP Ping w/ MTLS; FAPI-CIBA OP Ping w/ Private Key
    • FAPI2 Providers & Profiles
      – FAPI 2.0 OP Security Profile Final & Message Signing Final: FAPI2SP OP MTLS + MTLS; FAPI2SP OP MTLS + DPoP; FAPI2SP OP private key + MTLS; FAPI2SP OP private key + DPoP; FAPI2SP OP OpenID Connect; FAPI2MS OP JAR; FAPI2MS OP JARM
      – Australia FAPI 2.0 OP ConnectID Final: FAPI2MS with ConnectId support
    * Compiled from https://openid.net/certification/
  4. Related specifications used by MCP: Authlete's support status

    • OAuth 2.1 IETF DRAFT (draft-ietf-oauth-v2-1-13) – essentially supported already, since it is a collection of practices built on OAuth 2.0 plus its extension specifications
    • Authorization Server Metadata (RFC 8414) – supported, together with OpenID Connect Discovery
    • Dynamic Client Registration Protocol (RFC 7591) – supported, with a track record in Open Banking
    • Resource Indicators for OAuth 2.0 (RFC 8707) – supported
    • OAuth Client ID Metadata Document (draft-ietf-oauth-client-id-metadata-document-00) – beta release now available (New!)
  5. Goodbye DCR, Hello CIMD

    • MCP Version 2025-06-18
      – Authorization servers and MCP clients SHOULD support the OAuth 2.0 Dynamic Client Registration Protocol (RFC 7591)
    • MCP Version 2025-11-25
      – Authorization servers and MCP clients SHOULD support OAuth Client ID Metadata Document
      – Dynamic Client Registration: used for backward compatibility or special requirements
  6. Identifying the authorization server from metadata

    [Sequence diagram; participants: MCP Client; MCP Server (MCP Endpoint, Metadata); Authorization Server (Metadata, Registration, Authorization). Step shown: the MCP client sends POST /mcp, receives 401 Unauthorized pointing at the protected resource metadata, then sends GET /.well-known/oauth-protected-resource/mcp.]
  7. Protected Resource Metadata

    [Same diagram as slide 6. Step shown: the MCP server answers the metadata request.]
    HTTP 200 OK
    {
      "resource": "https://localhost:3443/mcp",
      "authorization_servers": [ "https://localhost:3443" ],
      "scopes_supported": [ "mcp:tickets:read", "mcp:tickets:write" ],
      "bearer_methods_supported": [ "header" ],
      "resource_documentation": "https://localhost:3443/docs/mcp",
      "resource_policy_uri": "https://localhost:3443/policy/mcp",
      "authorization_details_types_supported": [ "ticket-reservation" ]
    }
  8. Client registration via CIMD

    [Same diagram as slide 6. Step shown: the MCP client sends GET /.well-known/oauth-authorization-server to the authorization server.]
  9. Authorization Server Metadata

    [Same diagram as slide 6. Step shown: the authorization server answers the metadata request; client registration follows.]
    HTTP 200 OK
    {
      "issuer": "https://localhost:3443",
      "authorization_endpoint": "https://localhost:3443/oauth/authorize",
      "prompt_values_supported": [ "none", "login", "consent", "select_account", "create" ],
      "token_endpoint": "https://localhost:3443/oauth/token",
      "userinfo_endpoint": "https://localhost:3443/oauth/userinfo",
      "jwks_uri": "https://localhost:3443/.well-known/jwks.json",
      "registration_endpoint": "https://localhost:3443/oauth/register",
      "client_id_metadata_document_supported": true,
      "scopes_supported": [ "dcr", "mcp:tickets:read", "mcp:tickets:write", "profile:read" ],
      "response_types_supported": [ "code" ]...
    }
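As an added example (not code from the slides or from Authlete), here is how an MCP client can carry out the discovery on slides 6 to 9 in code: derive the well-known URLs for the protected resource metadata (RFC 9728) and the authorization server metadata (RFC 8414), cross-check the `resource` and `issuer` values against the URLs they were fetched from, and choose CIMD when `client_id_metadata_document_supported` is true, falling back to DCR through `registration_endpoint` (the flow in the appendix). The sample documents are constructed from the localhost:3443 values on the slides, and `fetch_json` is a stand-in for the real HTTPS GET.

```python
"""Pre-registration discovery an MCP client performs: RFC 9728 protected resource
metadata, then RFC 8414 authorization server metadata, then CIMD-or-DCR selection.
Added example; not code from the slides or from Authlete."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample documents, using the localhost:3443 values shown on the slides.
SAMPLE_DOCS = {
    "https://localhost:3443/.well-known/oauth-protected-resource/mcp": {
        "resource": "https://localhost:3443/mcp",
        "authorization_servers": ["https://localhost:3443"],
        "scopes_supported": ["mcp:tickets:read", "mcp:tickets:write"],
        "bearer_methods_supported": ["header"],
    },
    "https://localhost:3443/.well-known/oauth-authorization-server": {
        "issuer": "https://localhost:3443",
        "authorization_endpoint": "https://localhost:3443/oauth/authorize",
        "token_endpoint": "https://localhost:3443/oauth/token",
        "registration_endpoint": "https://localhost:3443/oauth/register",
        "client_id_metadata_document_supported": True,
        "scopes_supported": ["dcr", "mcp:tickets:read", "mcp:tickets:write", "profile:read"],
        "response_types_supported": ["code"],
    },
}


def fetch_json(url, docs=SAMPLE_DOCS):
    """Stand-in for an HTTPS GET (a real client would use an HTTP library here).
    Refusing non-https URLs keeps the metadata from being swapped in transit."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"metadata must be fetched over https: {url}")
    if url not in docs:
        raise LookupError(f"no document at {url}")
    return docs[url]


def well_known_url(base_url, suffix):
    """Build the metadata URL by inserting /.well-known/<suffix> between host and path,
    as RFC 8414 section 3.1 and RFC 9728 section 3.1 specify for issuers/resources with a path."""
    parts = urlsplit(base_url)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, f"/.well-known/{suffix}{path}", "", ""))


def discover(resource_url, docs=SAMPLE_DOCS):
    """Return the issuer, the registration method to use and the scopes both sides support."""
    prm = fetch_json(well_known_url(resource_url, "oauth-protected-resource"), docs)
    # The document must describe the resource we were bounced from, not some other one.
    if prm.get("resource") != resource_url:
        raise ValueError("protected resource metadata does not describe the requested resource")
    issuer = prm["authorization_servers"][0]
    asm = fetch_json(well_known_url(issuer, "oauth-authorization-server"), docs)
    # RFC 8414 section 3.3: the issuer value in the metadata must equal the URL it was derived from.
    if asm.get("issuer") != issuer:
        raise ValueError("issuer mismatch in authorization server metadata")
    if asm.get("client_id_metadata_document_supported") is True:
        registration = "cimd"          # preferred path since MCP 2025-11-25
    elif "registration_endpoint" in asm:
        registration = "dcr"           # RFC 7591 fallback (appendix flow)
    else:
        raise ValueError("authorization server offers neither CIMD nor DCR")
    scopes = [s for s in prm.get("scopes_supported", []) if s in asm.get("scopes_supported", [])]
    return {
        "issuer": issuer,
        "registration": registration,
        "scopes": scopes,
        "authorization_endpoint": asm["authorization_endpoint"],
        "token_endpoint": asm["token_endpoint"],
    }


if __name__ == "__main__":
    print(discover("https://localhost:3443/mcp"))
```

The two equality checks are the part worth keeping in a real client: a metadata document that names a different `resource` or `issuer` than the URL it was fetched from is the classic mix-up signal, and the client should stop rather than proceed to registration.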
  10. Specifying an https URI in the authorization request

    [Same diagram as slide 6. Step shown: the MCP client sends GET /oauth/authorization?client_id=https://mcp-client.example.com/client.json&... to the authorization server, which then fetches GET https://mcp-client.example.com/client.json.]
  11. Fetching the metadata identified by client_id

    [Same diagram as slide 10. Step shown: the document returned for GET https://mcp-client.example.com/client.json.]
    {
      "client_name": "MCP Client",
      "grant_types": ["authorization_code","refresh_token"],
      "response_types": ["code"],
      "token_endpoint_auth_method": "none",
      "application_type": "native",
      "client_id": "https://mcp-client.example.com/client.json",
      "client_uri": "https://mcp-client.example.com",
      "redirect_uris": [ "https://mcp-client.example.com/callback" ]
    }
  12. Registering the client based on the metadata

    [Same diagram as slide 10. Step shown: the authorization server registers the client from the fetched document and proceeds with authorization.]
  13. CIMD with a public client

    [Overview diagram: MCP Client; MCP Server (MCP Endpoint, Metadata); Authorization Server (Metadata, Registration, Authorization). POST /mcp → 401 Unauthorized (protected resource metadata) → GET /.well-known/oauth-protected-resource/mcp → GET /.well-known/oauth-authorization-server → GET /oauth/authorization?client_id=https://mcp-client.example.com/client.json → client registration → authorization.]
  14. Publishing the document from the MCP client's backend

    [Same diagram as slide 13 with an MCP Client Backend added. Step shown: the authorization server fetches GET /client.json (Metadata) from the MCP Client Backend.]
  15. Native app + client authentication

    [Sequence diagram; participants: MCP Client; MCP Client Backend (Metadata); MCP Server (MCP Endpoint, Metadata); Authorization Server (Metadata, Registration, Authorization).]
  16. Generating a key pair in the secure element

    [Same diagram as slide 15. Step shown: the MCP client generates a key pair in its Secure Element.]
  17. Sending the public key to the client's backend

    [Same diagram as slide 15. Step shown: the MCP client sends the public key plus attestation to the MCP Client Backend.]
  18. Generating metadata that contains the public key

    [Same diagram as slide 15. Step shown: the MCP Client Backend builds a client metadata document containing the public key.]
  19. Returning the metadata URI to the client

    [Same diagram as slide 15. Step shown: the MCP Client Backend responds with the document location <app-guid>/client.json.]
  20. Authorization request

    [Same diagram as slide 15, now including POST /mcp → 401 Unauthorized (protected resource metadata) → GET /.well-known/oauth-protected-resource/mcp → GET /.well-known/oauth-authorization-server. Step shown: the MCP client sends GET /oauth/authorization?client_id=https://mcp-client.example.com/<app-guid>/client.json to the authorization server.]
  21. Registering the client based on the metadata

    [Same diagram as slide 20. Step shown: the authorization server fetches GET /<app-guid>/client.json from the MCP Client Backend and registers the client.]
  22. Client authentication with private_key_jwt and similar methods becomes possible

    [Same diagram as slide 21. Because the registered metadata carries the public key generated in the Secure Element, the client can authenticate to the token endpoint.]
  23. Authlete handles CIMD on your behalf

    [Same diagram as slide 21. The fetch of the metadata document and the client registration are performed by Authlete for the authorization server.]
  24. Demo

  25. You can try it in Authlete 3.0

    Reference: https://console.authlete.com/
  26. Tip: deleting the DCR client ID and token cache for MCP stored in VS Code

    Use the removeDynamicAuthenticationProviders command. Tick the checkbox and press OK; the client ID and the token cache are deleted.
  27. Challenges

    • 1. There is no mechanism for the authorization server to trust a client
      – Restrict to trusted domains using 6.8 Client ID Domain Trust
    • 2. There is no defined way for the authorization server to customize the metadata a client publishes
      – OpenID Connect Relying Party Metadata Choices might be usable
      – OpenID Federation's Metadata Policy might be usable
    • 3. There is no way to tell the client what the authorization server actually registered
      – Does not seem to cause trouble for now, but it may become necessary once you customize things under 2
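As an added example (not code from the slides or from Authlete's implementation), here is the validation an authorization server can apply to a fetched Client ID Metadata Document before registering the client. It serves the public-client flow of slides 10 to 12, the confidential-client document the native app's backend publishes on slides 18 to 22, and challenge 1 above, restricting trust to allowlisted domains. `TRUSTED_DOMAINS`, `CONFIDENTIAL_CLIENT_DOC` (a constructed document with placeholder JWK coordinates) and the choice to reject a document that omits `token_endpoint_auth_method` are assumptions of this example, not requirements stated on the slides.

```python
"""Authorization-server-side validation of a fetched Client ID Metadata Document (CIMD).
Added example; not code from the slides or from Authlete."""
from urllib.parse import urlsplit

# Constructed sample documents. The public-client one mirrors the slide 11 document; the
# confidential one is an assumption of what the native app's backend would publish as
# <app-guid>/client.json: a public EC key in `jwks` (placeholder coordinates) and private_key_jwt.
PUBLIC_CLIENT_DOC = {
    "client_name": "MCP Client",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "none",
    "application_type": "native",
    "client_id": "https://mcp-client.example.com/client.json",
    "client_uri": "https://mcp-client.example.com",
    "redirect_uris": ["https://mcp-client.example.com/callback"],
}
CONFIDENTIAL_CLIENT_DOC = {
    "client_name": "MCP Native Client (app-guid-0001)",
    "grant_types": ["authorization_code", "refresh_token"],
    "response_types": ["code"],
    "token_endpoint_auth_method": "private_key_jwt",
    "client_id": "https://mcp-client.example.com/app-guid-0001/client.json",
    "redirect_uris": ["https://mcp-client.example.com/callback"],
    "jwks": {"keys": [{"kty": "EC", "crv": "P-256", "kid": "se-key-1",
                       "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}]},
}

# Assumed authorization server configuration for the draft's "Client ID Domain Trust" idea:
# only documents hosted under these domains (or their subdomains) are accepted.
TRUSTED_DOMAINS = ("mcp-client.example.com",)


class CimdError(ValueError):
    """Raised when the client_id or its document must not be registered."""


def validate_client_id_url(client_id):
    """Syntactic checks on the client_id URL; returns the lower-cased host."""
    p = urlsplit(client_id)
    if p.scheme != "https" or not p.hostname:
        raise CimdError("client_id must be an https URL with a host")
    if p.username or p.password or p.fragment:
        raise CimdError("client_id must not carry userinfo or a fragment")
    if p.path in ("", "/") or any(seg in (".", "..") for seg in p.path.split("/")):
        raise CimdError("client_id must have a path component without dot segments")
    return p.hostname.lower()


def host_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """Exact or subdomain match against the allowlist. A plain suffix match would also
    accept unrelated names such as mcp-client.example.com.other.test, so the dot is required."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def register_from_document(client_id, doc, requested_redirect_uri, trusted=TRUSTED_DOMAINS):
    """Return the registration record the server would store, or raise CimdError."""
    host = validate_client_id_url(client_id)
    if not host_is_trusted(host, trusted):
        raise CimdError(f"client_id host is not in the trusted domain list: {host}")
    # The document must claim exactly the URL it was fetched from (byte-for-byte).
    if doc.get("client_id") != client_id:
        raise CimdError("client_id inside the document does not match the requested client_id")
    redirect_uris = doc.get("redirect_uris") or []
    if not redirect_uris or any(not urlsplit(u).scheme for u in redirect_uris):
        raise CimdError("redirect_uris must be a non-empty list of absolute URIs")
    if requested_redirect_uri not in redirect_uris:
        raise CimdError("redirect_uri in the authorization request is not registered")
    # Anything served from a public URL cannot be a secret; a secret in the document is a red flag.
    if "client_secret" in doc:
        raise CimdError("a publicly hosted document must not contain client_secret")
    method = doc.get("token_endpoint_auth_method")
    if method is None:
        # RFC 7591 would default this to client_secret_basic, which is unusable without a
        # distributed secret; this example (by choice) requires an explicit value instead.
        raise CimdError("token_endpoint_auth_method must be stated explicitly")
    if method == "none":
        client_type = "public"
    elif method == "private_key_jwt":
        if not (doc.get("jwks", {}).get("keys") or doc.get("jwks_uri")):
            raise CimdError("private_key_jwt requires jwks or jwks_uri in the document")
        client_type = "confidential"
    else:
        raise CimdError(f"token_endpoint_auth_method not usable with CIMD: {method}")
    return {
        "client_id": client_id,
        "client_type": client_type,
        "token_endpoint_auth_method": method,
        "redirect_uris": list(redirect_uris),
        "grant_types": list(doc.get("grant_types", ["authorization_code"])),
        "client_name": doc.get("client_name", host),
    }


def document_is_acceptable(client_id, doc, requested_redirect_uri, trusted=TRUSTED_DOMAINS):
    """Boolean convenience wrapper around register_from_document."""
    try:
        register_from_document(client_id, doc, requested_redirect_uri, trusted)
        return True
    except CimdError:
        return False
```

The domain allowlist is the server-side answer to challenge 1: CIMD itself only proves that whoever controls the URL published the document, so which hosts may act as clients remains a local policy decision. The `client_id` equality check and the `redirect_uri` membership check are what keep a document from being reused under a different identifier or redirecting the code elsewhere.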
  28. Summary

    • CIMD is expected to improve MCP interoperability
    • The specification is loosely defined, so there are many points an authorization server has to consider
    • Authlete supports CIMD, including confidential client registration
    • Authlete's own features cover the implementation burden on the authorization server
    • That said, the specification is still under development, so please try it and send feedback
  29. Thank You

    www.authlete.com [email protected]
  30. We Are Hiring!!

    https://www.authlete.com/ja/careers/
  31. Appendix
  32. Authorization Server Metadata

    [Sequence diagram; participants: MCP Client; MCP Server (MCP Endpoint, Metadata); Authorization Server (Metadata, Registration, Authorization). POST /mcp → 401 Unauthorized (protected resource metadata) → GET /.well-known/oauth-protected-resource/mcp → GET /.well-known/oauth-authorization-server.]
  33. Identifying registration_endpoint

    [Same diagram as slide 32. Step shown: the authorization server's metadata response.]
    HTTP 200 OK
    {
      "issuer": "https://localhost:3443",
      "authorization_endpoint": "https://localhost:3443/oauth/authorize",
      "prompt_values_supported": [ "none", "login", "consent", "select_account", "create" ],
      "token_endpoint": "https://localhost:3443/oauth/token",
      "userinfo_endpoint": "https://localhost:3443/oauth/userinfo",
      "jwks_uri": "https://localhost:3443/.well-known/jwks.json",
      "registration_endpoint": "https://localhost:3443/oauth/register",
      "scopes_supported": [ "dcr", "mcp:tickets:read", "mcp:tickets:write", "profile:read" ],
      "response_types_supported": [ "code" ]...
    }
  34. POST request to registration_endpoint

    [Same diagram as slide 32. Step shown: the MCP client sends POST /oauth/register to the authorization server.]
  35. Example registration request

    [Same diagram as slide 34.]
    POST /oauth/register
    {
      "redirect_uris": [ "http://localhost:6274/oauth/callback" ],
      "token_endpoint_auth_method": "none",
      "grant_types": [ "authorization_code", "refresh_token" ],
      "response_types": [ "code" ],
      "client_name": "MCP Inspector",
      "scope": "mcp:tickets:read mcp:tickets:write" ...
    }
  36. Registering the client based on the metadata

    [Same diagram as slide 34. Step shown: the authorization server registers the client from the request body.]
  37. Example registration response

    [Same diagram as slide 36.]
    HTTP 200 OK
    {
      "default_max_age": 0,
      "client_id": "3022400119",
      "client_id_issued_at": 1756178051,
      "id_token_signed_response_alg": "RS256",
      "redirect_uris": [ "http://localhost:6274/oauth/callback" ], ...
    }
  38. Authorization request using the registered client information

    [Same diagram as slide 36. Step shown: the MCP client sends GET /oauth/authorization?client_id=3022400119&redirect_uri=http://localhost:6274... to the authorization server.]
  39. Client registration via DCR

    [Overview diagram of the whole DCR flow: discovery, POST /oauth/register, client registration, then GET /oauth/authorization?client_id=3022400119&redirect_uri=http://localhost:6274... and authorization.]
    HTTP 200 OK
    {
      "default_max_age": 0,
      "client_id": "3022400119",
      "client_id_issued_at": 1756178051,
      "id_token_signed_response_alg": "RS256",
      "redirect_uris": [ "http://localhost:6274/oauth/callback" ], ...
    }