
Class IdentityAssertionGrantProviderOptions

Namespace
ModelContextProtocol.Authentication
Assembly
ModelContextProtocol.Core.dll

Configuration options for the IdentityAssertionGrantProvider.

public sealed class IdentityAssertionGrantProviderOptions
Inheritance
IdentityAssertionGrantProviderOptions

Properties

ClientId

Gets or sets the MCP client ID used for the JWT Bearer grant (RFC 7523) at the MCP authorization server.

public required string ClientId { get; set; }

Property Value

string

ClientSecret

Gets or sets the MCP client secret used for the JWT Bearer grant at the MCP authorization server. Optional; only required if the MCP authorization server requires client authentication.

public string? ClientSecret { get; set; }

Property Value

string

IdTokenCallback

Gets or sets the callback that supplies the OIDC ID token for the Cross-Application Access flow.

public required IdentityAssertionGrantIdTokenCallback IdTokenCallback { get; set; }

Property Value

IdentityAssertionGrantIdTokenCallback

Remarks

This callback is invoked after the MCP resource and authorization server URLs have been discovered. It receives an IdentityAssertionGrantContext with these URLs and should return the OIDC ID token string obtained from the enterprise Identity Provider (e.g., from an SSO login session).

The provider will use the returned ID token to internally perform the RFC 8693 token exchange at the configured IdP, obtaining a JWT Authorization Grant, which is then exchanged for an access token at the MCP authorization server via RFC 7523.
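
The two grants described in the remarks above, shown as the form parameters each request carries. This is an added example, not SDK code: GrantSettings, CrossAppAccess and the HTTPS check are hypothetical, sending client_secret in the request body is an assumption about client authentication, and the requested_token_type value is taken from the Identity Assertion JWT Authorization Grant draft.

```csharp
#nullable enable
using System;
using System.Collections.Generic;

// Constructed sample values, not real endpoints or tokens.
var s = new GrantSettings("https://idp.example/token", "idp-client", null, "openid", "mcp-client", null, null);
var step1 = CrossAppAccess.IdpExchange(s, "<id-token>", "https://auth.mcp.example", "https://mcp.example");
var step2 = CrossAppAccess.McpGrant(s, "<jwt-authorization-grant>");
Console.WriteLine(step1["grant_type"] + " then " + step2["grant_type"]);

// Hypothetical stand-in that reuses this page's option names; not the SDK type.
record GrantSettings(string IdpTokenEndpoint, string IdpClientId, string? IdpClientSecret,
    string? IdpScope, string ClientId, string? ClientSecret, string? Scope);
static class CrossAppAccess
{
    // Added precaution: the ID token and any client secret are posted to this URL.
    static void RequireHttps(string url)
    {
        if (!Uri.TryCreate(url, UriKind.Absolute, out var u) || u.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException($"Token endpoint must be an absolute https URL: {url}");
    }
    // Step 1 (RFC 8693): ID token -> JWT Authorization Grant at the enterprise IdP.
    public static Dictionary<string, string> IdpExchange(
        GrantSettings s, string idToken, string mcpAuthServer, string mcpResource)
    {
        RequireHttps(s.IdpTokenEndpoint);
        var form = new Dictionary<string, string> {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:token-exchange",
            ["subject_token"] = idToken,
            ["subject_token_type"] = "urn:ietf:params:oauth:token-type:id_token",
            // Assumption: requested type URI as named in the ID-JAG draft.
            ["requested_token_type"] = "urn:ietf:params:oauth:token-type:id-jag",
            ["audience"] = mcpAuthServer, ["resource"] = mcpResource,
            ["client_id"] = s.IdpClientId };
        if (s.IdpClientSecret is not null) form["client_secret"] = s.IdpClientSecret;
        if (s.IdpScope is not null) form["scope"] = s.IdpScope;
        return form;
    }
    // Step 2 (RFC 7523): JWT Authorization Grant -> access token at the MCP authorization server.
    public static Dictionary<string, string> McpGrant(GrantSettings s, string grant)
    {
        var form = new Dictionary<string, string> {
            ["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer",
            ["assertion"] = grant, ["client_id"] = s.ClientId };
        if (s.ClientSecret is not null) form["client_secret"] = s.ClientSecret;
        if (s.Scope is not null) form["scope"] = s.Scope;
        return form;
    }
}
```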

IdpClientId

Gets or sets the client ID for authentication with the enterprise Identity Provider (RFC 8693 token exchange).

public required string IdpClientId { get; set; }

Property Value

string

IdpClientSecret

Gets or sets the client secret for authentication with the enterprise Identity Provider. Optional.

public string? IdpClientSecret { get; set; }

Property Value

string

IdpScope

Gets or sets the scopes to request from the enterprise Identity Provider (space-separated). Optional.

public string? IdpScope { get; set; }

Property Value

string

IdpTokenEndpoint

Gets or sets the enterprise Identity Provider token endpoint URL for RFC 8693 token exchange. When provided, skips IdP metadata discovery. Either this or IdpUrl must be provided.

public string? IdpTokenEndpoint { get; set; }

Property Value

string

IdpUrl

Gets or sets the enterprise Identity Provider base URL for OAuth/OIDC metadata discovery. Used to discover IdpTokenEndpoint automatically when IdpTokenEndpoint is not set. Either this or IdpTokenEndpoint must be provided.

public string? IdpUrl { get; set; }

Property Value

string

Scope

Gets or sets the scopes to request from the MCP authorization server (space-separated). Optional.

public string? Scope { get; set; }

Property Value

string