Add AuthSec: provider-list entry + provider guide#76
Open
ritamAN77 wants to merge 2 commits into
Open
Conversation
AuthSec passes the MCP compatibility test at https://prod.api.authsec.ai/authsec/oauth/.well-known/oauth-authorization-server (5 successes, 1 warning for DCR). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Mirrors the structure of the Logto and Keycloak guides. Covers: - Issuer URL (clarifies AuthSec's SPIRE-federation vs user-facing OAuth endpoints) - Configuring scopes - Retrieving user identity (incl. tenant_id and spiffe_id claims) - RFC 8707 resource indicator usage - Manually registering an MCP client (first-party vs third-party) - AuthSec's delegate-svid endpoint for agent-on-behalf-of-user flows Registers the new page in sidebars.ts under Provider Guides. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ritamAN77
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds AuthSec to MCP Auth — both the Provider List table and a full provider guide.
AuthSec is an agent-first identity layer for autonomous AI (OAuth 2.1, SPIFFE/mTLS, RBAC, MFA WebAuthn, MCP Server authentication, Voice Agent authentication).
Test results
Tested URL: `https://prod.api.authsec.ai/authsec/oauth/.well-known/oauth-authorization-server\`
Result: Compatible with MCP — 5 successes, 1 warning:
What's included
Provider list entry (`src/pages/provider-list.mdx`):
Provider guide (`docs/provider-guides/authsec.mdx`):
Sidebar (`sidebars.ts`):
Why the DCR footnote / why the guide notes it as roadmap
AuthSec already has a client-registration endpoint, but it sits behind authentication (which violates RFC 7591's "public, no-auth" requirement for DCR). Rather than advertise an auth-gated `registration_endpoint` that MCP clients cannot use, the discovery document intentionally omits it until the public DCR handler is live. The footnote and the guide's "Register MCP client" section both spell this out, so the listing stays honest and users have manual-registration instructions in the meantime.
Resource Indicator support
AuthSec's discovery doc sets `resource_indicators_supported: true` (RFC 8707), so the Resource Indicator column is ✅. The guide covers how to use the `resource` parameter when requesting a token for an MCP server.
Why two `/.well-known` documents
The guide includes a short table near the top distinguishing AuthSec's two well-known endpoints:
The two are kept separate because merging them would break SPIRE federation. Calling this out in the guide is intended to prevent integrators from pointing MCP at the wrong endpoint.