Zero-Touch OAuth for MCP (blog.modelcontextprotocol.io)
274 points by niyikiza 1 day ago | 102 comments
tl;dr: The Model Context Protocol's Enterprise-Managed Authorization (EMA) extension is now stable, letting organizations centrally manage MCP server access through their identity provider instead of requiring per-user, per-server OAuth consent. It uses an Identity Assertion JWT Authorization Grant (ID-JAG) obtained during SSO to exchange for access tokens, enabling single sign-on across all connected MCP servers. Early adopters include Okta (first IdP), Anthropic and VS Code (clients), and servers like Asana, Atlassian, Figma, Linear, and Supabase.
HN Discussion:
  • MCP's value lies in isolating auth flows, making EMA a significant security and UX improvement
  • Insiders and contributors celebrating the launch and broader applicability of ID-JAG beyond MCP
  • MCP auth has been painful and this release solves real production problems
  • The current MCP auth implementation has gaps and frustrations, such as missing client_id support or cookie-based flows
  • Concerns about the IdP delegating access on the user's behalf without the user's explicit awareness, and about whether EMA offers clear advantages over regular OAuth