v1.4.0

@jeffhandley jeffhandley released this 04 Jun 17:52
06e3604

v1.4.0 introduces support for the Identity Assertion Authorization Grant (ID-JAG) flow via the new IdentityAssertionGrantProvider, enabling enterprise SSO scenarios where users authenticate once via their enterprise Identity Provider and access MCP servers without per-server authorization prompts. The release also adds a new InheritEnvironmentVariables option on StdioClientTransportOptions for controlling the child server's environment, alongside two security hardening fixes: the stdio client transport no longer enumerates child-process environment variables in Trace logs, and DELETE on a Streamable HTTP session now requires the same authenticated user that initiated the session.

What's Changed

  • Stop logging stdio transport environment variables #1538 by @halter73 (co-authored by @Copilot)
  • Add InheritEnvironmentVariables to StdioClientTransportOptions #1563 by @halter73 (co-authored by @Copilot)
  • Validate user on Streamable HTTP session DELETE #1604 by @halter73 (co-authored by @Copilot)
    • HandleDeleteRequestAsync now mirrors the HasSameUserId check already enforced on GET and POST. A DELETE with a valid Mcp-Session-Id but a different authenticated user now returns 403 Forbidden instead of terminating the session — defense-in-depth against a leaked session ID being used to DoS the original owner.
  • Add Enterprise Managed Authorization (SEP-990) support #1305 by @aniket-okta (backported in #1625)
    • Adds IdentityAssertionGrantProvider and supporting option/response types in ModelContextProtocol.Authentication implementing the Identity Assertion Authorization Grant flow: RFC 8693 token exchange at the enterprise IdP (ID Token → JWT Authorization Grant) followed by RFC 7523 JWT bearer grant at the MCP authorization server (JAG → access token). See the new Cross-Application Access section in the transport docs for full usage details.
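
The session-ownership rule described for #1604 above, as an added illustration that is not code from the SDK. `SessionRegistry`, `Authorize`, `HandleDelete` and the 404 for an unknown session are hypothetical, and the user names are constructed samples.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical, simplified registry (not the SDK's types): binds each session to its creator.
sealed class SessionRegistry
{
    // Mcp-Session-Id -> user id captured at session creation (null = unauthenticated).
    private readonly ConcurrentDictionary<string, string?> _owners = new();

    public string Create(string? userId)
    {
        var id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
        _owners[id] = userId;
        return id;
    }

    public bool IsAlive(string sessionId) => _owners.ContainsKey(sessionId);

    // One ownership rule shared by every verb, so DELETE cannot drift from GET and POST.
    private int Authorize(string sessionId, string? callerUserId)
    {
        if (!_owners.TryGetValue(sessionId, out var owner)) return 404; // assumed status
        return string.Equals(owner, callerUserId, StringComparison.Ordinal) ? 200 : 403;
    }

    public int HandleDelete(string sessionId, string? callerUserId)
    {
        var status = Authorize(sessionId, callerUserId);
        if (status == 200) _owners.TryRemove(sessionId, out _); // only the owner terminates
        return status;
    }
}

static class Program
{
    static void Main()
    {
        var registry = new SessionRegistry();
        var session = registry.Create("alice"); // constructed sample users

        Console.WriteLine($"DELETE as mallory: {registry.HandleDelete(session, "mallory")}");
        Console.WriteLine($"session alive:     {registry.IsAlive(session)}");
        Console.WriteLine($"DELETE as alice:   {registry.HandleDelete(session, "alice")}");
        Console.WriteLine($"session alive:     {registry.IsAlive(session)}");
    }
}
```

Knowing the session ID alone is not enough to end the session here: the mismatched caller is refused and the owner's session stays registered until the owner deletes it.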

Documentation Updates

Repository Infrastructure Updates

  • Update release processes to support release servicing branches #1620 by @jeffhandley (co-authored by @Copilot)

Acknowledgements

Full Changelog: v1.3.0...v1.4.0