
Class IdentityAssertionGrantProvider

Namespace
ModelContextProtocol.Authentication
Assembly
ModelContextProtocol.Core.dll

Provides Cross-Application Access authorization as a standalone, non-interactive provider that can be used alongside the MCP client's OAuth infrastructure.

public sealed class IdentityAssertionGrantProvider
Inheritance
IdentityAssertionGrantProvider

Examples

// mySsoClient, myHttpClient and the outer ct are the caller's own objects.
var provider = new IdentityAssertionGrantProvider(
    new IdentityAssertionGrantProviderOptions
    {
        ClientId = "mcp-client-id",
        IdpTokenEndpoint = "https://company.okta.com/oauth2/token",
        IdpClientId = "idp-client-id",
        // Step 1 of the flow: supply the OIDC ID token from the existing SSO session.
        IdTokenCallback = (context, ct) =>
            mySsoClient.GetIdTokenAsync(ct)
    },
    httpClient: myHttpClient);

// Steps 2 and 3: ID token -> JAG at the IdP, then JAG -> access token at the MCP authorization server.
var tokens = await provider.GetAccessTokenAsync(
    resourceUrl: new Uri("https://mcp-server.example.com"),
    authorizationServerUrl: new Uri("https://auth.example.com"),
    cancellationToken: ct);

Remarks

This provider implements the full Identity Assertion Authorization Grant flow as specified at https://github.com/modelcontextprotocol/ext-auth/blob/main/specification/draft/enterprise-managed-authorization.mdx:

  1. The IdTokenCallback is called to obtain an OIDC ID token. It receives an IdentityAssertionGrantContext carrying the discovered resource and authorization server URLs.
  2. The provider performs the RFC 8693 token exchange at the enterprise Identity Provider (at the configured IdpTokenEndpoint, or at the endpoint discovered from IdpUrl), exchanging the ID token for a JWT Authorization Grant (JAG).
  3. The JAG is then exchanged for an access token at the MCP Server's authorization server via the RFC 7523 JWT Bearer grant.
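The three steps above as an added, self-contained Python example (not SDK code): a constructed in-memory IdP and MCP authorization server exchange the messages of steps 2 and 3, run_flow plays the client after IdTokenCallback has returned, and the authorization server applies the audience, client and expiry checks that bind a JAG to one server. Request parameter names and token-type URNs follow the IETF Identity Assertion Authorization Grant draft that the MCP specification builds on; the HS256 shared key, issuer URLs and scope are constructed placeholders.

```python
import base64, hashlib, hmac, json, time, uuid

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"          # RFC 7523
ID_TOKEN_TYPE, JAG_TYPE = "urn:ietf:params:oauth:token-type:id_token", "urn:ietf:params:oauth:token-type:id-jag"
IDP, AUTH_SERVER, RESOURCE = "https://idp.example", "https://auth.example.com", "https://mcp-server.example.com"
IDP_KEY = b"constructed-demo-key"  # HS256 stand-in; a real IdP signs with an asymmetric key published via JWKS

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_jwt(claims: dict, key: bytes) -> str:
    head, body = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    good = b64url(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(good, sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def idp_token_endpoint(req: dict) -> dict:
    # Constructed IdP (step 2): a verified ID token becomes a JAG bound to one AS (aud) and one client.
    if (req.get("grant_type"), req.get("subject_token_type"), req.get("requested_token_type")) != (
            TOKEN_EXCHANGE, ID_TOKEN_TYPE, JAG_TYPE):
        return {"error": "unsupported_grant_type"}
    subject = verify_jwt(req["subject_token"], IDP_KEY)  # the IdP issued this ID token itself
    jag = sign_jwt({"iss": IDP, "sub": subject["sub"], "aud": req["audience"], "client_id": req["client_id"],
                    "scope": req["scope"], "jti": uuid.uuid4().hex, "exp": int(time.time()) + 300}, IDP_KEY)
    return {"issued_token_type": JAG_TYPE, "access_token": jag, "token_type": "N_A", "expires_in": 300}

def auth_server_token_endpoint(req: dict) -> dict:
    # Constructed MCP authorization server (step 3): reject a JAG minted for another server, client, or time.
    try:
        jag = verify_jwt(req["assertion"], IDP_KEY)  # production: verify against the IdP's JWKS
    except (ValueError, KeyError):
        return {"error": "invalid_grant"}
    if (req.get("grant_type") != JWT_BEARER or jag.get("iss") != IDP or jag.get("aud") != AUTH_SERVER
            or jag.get("client_id") != req.get("client_id") or jag.get("exp", 0) <= time.time()):
        return {"error": "invalid_grant"}
    return {"access_token": "at-" + jag["jti"], "token_type": "Bearer", "scope": jag["scope"], "expires_in": 3600}

def run_flow(id_token: str, client_id: str = "mcp-client-id", scope: str = "mcp:read") -> dict:
    jag_resp = idp_token_endpoint({"grant_type": TOKEN_EXCHANGE, "requested_token_type": JAG_TYPE,
                                   "subject_token": id_token, "subject_token_type": ID_TOKEN_TYPE,
                                   "audience": AUTH_SERVER, "resource": RESOURCE, "scope": scope, "client_id": client_id})
    return jag_resp if "error" in jag_resp else auth_server_token_endpoint(
        {"grant_type": JWT_BEARER, "assertion": jag_resp["access_token"], "client_id": client_id})
```

The same binding checks apply to the real provider's output: a JAG is only as safe as the audience and client_id validation the MCP authorization server performs before honouring the jwt-bearer grant.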

Constructors

IdentityAssertionGrantProvider(IdentityAssertionGrantProviderOptions, HttpClient, ILoggerFactory?)

Initializes a new instance of the IdentityAssertionGrantProvider class.

public IdentityAssertionGrantProvider(IdentityAssertionGrantProviderOptions options, HttpClient httpClient, ILoggerFactory? loggerFactory = null)

Parameters

options IdentityAssertionGrantProviderOptions

Configuration for the Cross-Application Access provider.

httpClient HttpClient

The HTTP client to use for token exchange requests. The caller is responsible for the lifetime of this instance.

loggerFactory ILoggerFactory

Optional logger factory.

Exceptions

ArgumentNullException

options or httpClient is null.

ArgumentException

Required option values are missing.

Methods

GetAccessTokenAsync(Uri, Uri, CancellationToken)

Performs the full Cross-Application Access flow to obtain an access token for the given MCP resource.

public Task<TokenContainer> GetAccessTokenAsync(Uri resourceUrl, Uri authorizationServerUrl, CancellationToken cancellationToken = default)

Parameters

resourceUrl Uri

The MCP resource server URL.

authorizationServerUrl Uri

The MCP authorization server URL.

cancellationToken CancellationToken

The CancellationToken to monitor for cancellation requests.

Returns

Task<TokenContainer>

A TokenContainer containing the access token.

Exceptions

IdentityAssertionGrantException

Thrown when any step of the flow fails.

InvalidateCache()

Clears any cached tokens, forcing a fresh token exchange on the next call to GetAccessTokenAsync(Uri, Uri, CancellationToken).

public void InvalidateCache()