Deterministic MCP authorization fail-closed conformance checker.

reizan-mcpcheck

reizan-mcpcheck is a fail-closed authorization conformance checker that covers the checks the official MCP conformance suite does not. It probes MCP HTTP authorization implementations against the MCP-2026 OAuth hardening requirements and returns deterministic PASS/FAIL/INCONCLUSIVE verdicts, exact HTTP evidence, and SHA-256-attested transcripts. No LLM is used in the verdict path.

This v0 tracks the draft MCP authorization specification as of 2026-06-26, targeting the MCP-2026 final release expected on 2026-07-28.

Scope and authorization

Use this only against MCP servers, authorization servers, and test fixtures that you own or are explicitly authorized to assess. Reports contain exact request and response evidence, including bearer tokens from the run.

reizan-mcpcheck is not a vulnerability scanner for third-party systems. The target config requires "owner_authorized": true so CI jobs make that boundary explicit.

Probes

  • resource_param_mandatory: verifies that the resource parameter is sent in both the authorization request and the token request, then checks that omitting it is rejected fail-closed.
  • rfc9207_iss_validation: validates the iss parameter of the authorization response against the configured issuer using exact string comparison, with no URI normalization.
  • token_not_replayable_across_services: mints a token for resource A and verifies that resource B rejects it.
  • fail_closed_missing_invalid_resource_or_audience: verifies rejection for invalid resource indicators, missing Authorization, invalid bearer tokens, and wrong-audience tokens.

Each probe returns a deterministic verdict and a transcript_sha256 over the canonical JSON representation of the exact HTTP request/response transcript. The top-level report also includes a report_sha256.
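The following is an added example, not the project's own code: it shows how the rfc9207_iss_validation verdict and the transcript_sha256 attestation described above can be computed. The canonical JSON form (sorted keys, no insignificant whitespace) and the INCONCLUSIVE verdict for a missing iss when the authorization server does not advertise support are assumptions, not taken from the project.

```python
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

PASS, FAIL, INCONCLUSIVE = "PASS", "FAIL", "INCONCLUSIVE"


def canonical_json(obj) -> bytes:
    """Assumed canonical form: sorted keys, no insignificant whitespace, UTF-8."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def transcript_sha256(transcript: dict) -> str:
    """Attest the exact request/response pair; dict key order does not change the digest."""
    return hashlib.sha256(canonical_json(transcript)).hexdigest()


def check_rfc9207_iss(authorize_url: str, redirect_location: str, configured_issuer: str,
                      iss_supported: bool) -> dict:
    """rfc9207_iss_validation verdict for one authorization response (constructed transcript).

    The iss value is compared with the configured issuer as an exact string: no case folding,
    no trailing-slash or default-port normalization. Only the query-string percent-decoding
    needed to read the parameter at all is applied.
    """
    transcript = {
        "request": {"method": "GET", "url": authorize_url},
        "response": {"status": 302, "headers": {"location": redirect_location}},
    }
    iss_values = parse_qs(urlsplit(redirect_location).query, keep_blank_values=True).get("iss", [])
    if not iss_values:
        # Without iss the issuer binding cannot be checked. If the AS metadata claims support,
        # that is a FAIL; otherwise the probe cannot decide (assumed INCONCLUSIVE mapping).
        verdict, reason = (FAIL if iss_supported else INCONCLUSIVE), "iss absent from authorization response"
    elif len(iss_values) != 1:
        verdict, reason = FAIL, "iss must appear exactly once"
    elif iss_values[0] != configured_issuer:
        verdict, reason = FAIL, f"iss {iss_values[0]!r} != configured issuer {configured_issuer!r}"
    else:
        verdict, reason = PASS, "iss matches configured issuer exactly"
    return {"probe": "rfc9207_iss_validation", "verdict": verdict, "reason": reason,
            "transcript_sha256": transcript_sha256(transcript)}
```

Because the digest is taken over the canonical form, re-running the same exchange yields the same transcript_sha256, which is what makes the evidence attestable.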

Install

python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

CLI

reizan-mcpcheck examples/compliant.json --json
reizan-mcpcheck examples/compliant.json --out reports/mcpcheck.json

Exit codes:

  • 0: no probe returned FAIL.
  • 1: one or more probes returned FAIL.
  • 2: config or invocation error.

Use --fail-on-inconclusive if CI should also reject INCONCLUSIVE probes.

Target config

{
  "name": "my-owned-mcp-lab",
  "owner_authorized": true,
  "allow_insecure_http": false,
  "authorization_server": {
    "issuer": "https://auth.example.test",
    "authorization_endpoint": "https://auth.example.test/oauth/authorize",
    "token_endpoint": "https://auth.example.test/oauth/token",
    "authorization_response_iss_parameter_supported": true
  },
  "client": {
    "client_id": "mcpcheck",
    "redirect_uri": "http://127.0.0.1:65535/callback",
    "scope": "mcp:tools"
  },
  "resources": [
    {
      "name": "service-a",
      "resource": "https://mcp-a.example.test/mcp",
      "endpoint": "https://mcp-a.example.test/mcp"
    },
    {
      "name": "service-b",
      "resource": "https://mcp-b.example.test/mcp",
      "endpoint": "https://mcp-b.example.test/mcp"
    }
  ],
  "invalid_resource": "https://mcp-a.example.test/not-a-valid-resource"
}

The v0 runner assumes a noninteractive authorization endpoint that redirects with an authorization code. Browser/login-driven flows may return INCONCLUSIVE unless wrapped by a self-run lab harness.
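As an added example (not the project's code), this ties the target config above to the exit codes listed under CLI: the config is validated fail-closed before any probe runs, and verdicts are then mapped to exit 0/1, with --fail-on-inconclusive widening the rejected set. Which config fields are checked, and that a config error yields exit code 2, are assumptions based on the README's description.

```python
from urllib.parse import urlsplit

FAIL_EXIT, CONFIG_EXIT = 1, 2  # README exit codes: 1 = a probe FAILed, 2 = config/invocation error


class ConfigError(ValueError):
    """Config problem; mapped to exit code 2 (assumed mapping)."""


def _require_https(url: str, what: str, allow_insecure_http: bool) -> None:
    scheme = urlsplit(url).scheme
    if scheme == "https" or (scheme == "http" and allow_insecure_http):
        return
    raise ConfigError(f"{what} must be https (got {url!r}); allow_insecure_http is for local fixtures only")


def validate_target_config(cfg: dict) -> dict:
    """Fail closed on anything that would let a run proceed against an unintended target."""
    if cfg.get("owner_authorized") is not True:  # the JSON literal true, not "true" or 1
        raise ConfigError('"owner_authorized" must be exactly true')
    insecure = cfg.get("allow_insecure_http", False) is True
    auth = cfg.get("authorization_server") or {}
    for key in ("issuer", "authorization_endpoint", "token_endpoint"):
        if not isinstance(auth.get(key), str):
            raise ConfigError(f"authorization_server.{key} is required")
        _require_https(auth[key], f"authorization_server.{key}", insecure)
    resources = cfg.get("resources") or []
    if len(resources) < 2:
        raise ConfigError("token_not_replayable_across_services needs at least two resources")
    seen = set()
    for res in resources:
        for key in ("resource", "endpoint"):
            if not isinstance(res.get(key), str):
                raise ConfigError(f"resources[{res.get('name')!r}].{key} is required")
            _require_https(res[key], f"resources[{res.get('name')!r}].{key}", insecure)
        if res["resource"] in seen:
            raise ConfigError(f"duplicate resource indicator {res['resource']!r}")
        seen.add(res["resource"])
    if not isinstance(cfg.get("invalid_resource"), str) or cfg["invalid_resource"] in seen:
        raise ConfigError("invalid_resource must be set and differ from every configured resource")
    return cfg


def exit_code_for(verdicts, fail_on_inconclusive: bool = False) -> int:
    """Map probe verdicts to exit 0/1; --fail-on-inconclusive also rejects INCONCLUSIVE."""
    rejected = {"FAIL", "INCONCLUSIVE"} if fail_on_inconclusive else {"FAIL"}
    return FAIL_EXIT if any(v in rejected for v in verdicts) else 0


def run_from_config(cfg: dict, verdicts, fail_on_inconclusive: bool = False) -> int:
    """CLI-style entry: a config error exits 2 before any verdict is considered."""
    try:
        validate_target_config(cfg)
    except ConfigError:
        return CONFIG_EXIT
    return exit_code_for(verdicts, fail_on_inconclusive)
```

The demo fixtures on 127.0.0.1 only pass this validation with "allow_insecure_http": true, which keeps plaintext HTTP an explicit opt-in rather than a silent default.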

Deterministic demo

make demo

The demo starts two local, key-free fixtures:

  • http://127.0.0.1:8765: compliant fixture, expected PASS.
  • http://127.0.0.1:8766: deliberately misconfigured fixture, expected FAIL.

It writes:

  • examples/compliant.json
  • examples/misconfigured.json
  • reports/demo-compliant.json
  • reports/demo-misconfigured.json

Tests

make test

Download files

Source Distribution: reizan_mcpcheck-0.1.0.tar.gz (19.1 kB)

Built Distribution

Built Distribution: reizan_mcpcheck-0.1.0-py3-none-any.whl (21.0 kB, Python 3)

File details

Details for the file reizan_mcpcheck-0.1.0.tar.gz.

File metadata

  • Download URL: reizan_mcpcheck-0.1.0.tar.gz
  • Size: 19.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.12

File hashes for reizan_mcpcheck-0.1.0.tar.gz

  • SHA256: b85da04d16e3f1fb3a80cc8ff22d54bb6eb3990f46d0f48e41843b00434f75df
  • MD5: 090a3914d90b1775e55aac09e14d6919
  • BLAKE2b-256: 9a91e10381298ebef0edd7ac783f8b817b8482ca3d363f1d6a25997b5ac4ede9

File details

Details for the file reizan_mcpcheck-0.1.0-py3-none-any.whl.

File hashes for reizan_mcpcheck-0.1.0-py3-none-any.whl

  • SHA256: f2729a718497a7752ff8e901d771cf784467674f3e1674611ac5fef84dd90312
  • MD5: 950927560605a606f150c3c3b79e4a0a
  • BLAKE2b-256: c734f90ad2c46c96178c8a21618b666d7661ef5b78153e94aba5733234407031
