MCP Auth/RBAC Acceptance Matrix
Generate copyable acceptance checks for an MCP HTTP server moving from static bearer access to real OAuth resource-server behavior, per-request authorization, audit identity, and black-box tests.
Review order
- 1. Resource-server boundary: Validate protected resource metadata, audience/resource binding, and challenge headers.
- 2. Principal propagation: Ensure tools, audit logs, and metrics use the resolved user or key owner, not a shared client label.
- 3. Per-request authorization: Keep server-level tool policy separate from runtime RBAC and context/subject checks.
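The first two review items as executable acceptance logic, added here as an illustration and not code from this page's tool or from the MCP project: `RESOURCE`, `METADATA_URL` and the claim dictionaries are constructed placeholders, and the token payload is assumed to be signature-verified before it reaches `authorize`.

```python
"""Acceptance checks for an MCP resource server's token boundary.

Constructed example: RESOURCE and the claim dictionaries are placeholders,
not values from any real deployment.
"""
from dataclasses import dataclass
from typing import Optional

RESOURCE = "https://mcp.example.test"  # canonical resource identifier (placeholder)
METADATA_URL = RESOURCE + "/.well-known/oauth-protected-resource"  # RFC 9728 location


@dataclass(frozen=True)
class Decision:
    status: int                 # HTTP status the server should return
    challenge: Optional[str]    # value of WWW-Authenticate, if any
    principal: Optional[str]    # resolved subject for audit/RBAC, never a shared client label


def _challenge(error: Optional[str] = None, scope: Optional[str] = None) -> str:
    # Every challenge carries resource_metadata so a client can discover the
    # authorization server (RFC 9728); error/scope follow RFC 6750.
    parts = [f'resource_metadata="{METADATA_URL}"']
    if error:
        parts.append(f'error="{error}"')
    if scope:
        parts.append(f'scope="{scope}"')
    return "Bearer " + ", ".join(parts)


def authorize(claims: Optional[dict], required_scope: str) -> Decision:
    """Audience/resource binding and scope check for one request.

    `claims` is the already signature-verified token payload, or None when
    no token was presented at all.
    """
    if claims is None:
        return Decision(401, _challenge(), None)  # no token: bare challenge, no error code
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RESOURCE not in audiences:  # token minted for some other resource: reject it
        return Decision(401, _challenge("invalid_token"), None)
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return Decision(403, _challenge("insufficient_scope", required_scope), None)
    # Audit identity is the token subject, not the client_id every user of one client shares.
    return Decision(200, None, claims["sub"])
```

Each `Decision` maps onto one row of a black-box matrix: expected status, expected `WWW-Authenticate` value, and the identity that must appear in the audit record.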
Build matrix
Use placeholders only. Do not paste tokens, credential values, cookies, private endpoints, customer records, private screenshots, payment data, full names, private handles, or full transaction identifiers. This page runs locally in the browser and does not use network requests, browser storage, or a backend.
When a paid report fits
Use the fixed-scope MCP report when you have one redacted auth design, one protected-resource metadata shape, one `WWW-Authenticate` challenge set, or one tool authorization matrix that needs a second pass. It is not a source-code audit, compliance certification, incident response, or private repo review.
Source-backed problem set
MCP OAuth/RBAC issue
Public issue for replacing static bearer access with real auth, RBAC, protected metadata, and audit identity.
Black-box auth testing issue
Public issue for Docker-based BDD coverage across auth schemes and MCP auth behavior.
Official MCP authorization spec
HTTP transport authorization, protected resource metadata, challenges, resource indicators, and scope handling.