Skip to content

Refine authentication/authorization langugage#8

Open
PieterKas wants to merge 1 commit intomodelcontextprotocol:dmcadams-wif-extenstionfrom
PieterKas:patch-1
Open

Refine authentication/authorization langugage#8
PieterKas wants to merge 1 commit intomodelcontextprotocol:dmcadams-wif-extenstionfrom
PieterKas:patch-1

Conversation

@PieterKas
Copy link

@PieterKas PieterKas commented Nov 13, 2025

Refine language for clarity and consistency in the Workload Identity Federation document, including updates to terminology and structure.

Motivation and Context

How Has This Been Tested?

Breaking Changes

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

@PieterKas
Refine authentication/authorization langugage
6354084 
Refine language for clarity and consistency in the Workload Identity Federation document, including updates to terminology and structure.
@PieterKas PieterKas requested a review from a team November 13, 2025 02:07
D-McAdams
D-McAdams reviewed Dec 3, 2025
View reviewed changes
specification/draft/workload-identity-federation.mdx
functions as a workload within a workload platform (such as Kubernetes or cloud
provider environments). Like the Client Credentials extension, this pattern
addresses machine-to-machine authentication use cases.
operates as an autonomous workload without any user interaction. In these
Copy link
Contributor

@D-McAdams D-McAdams Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The original text aimed to avoid pedantic arguments about whether a workload is truly "autonomous without any user interaction" when the use case is a microservice deep in a call stack that is originally triggered by user interaction. In my prior experience, this was the most common situation we heard from customers and the intention was that readers not mistakenly think this spec was inapplicable for them. Hence, language anchored on how the workload authenticates and authorizes itself, rather than getting into nuances of autonomy. The original text could definitely be tightened up, though. Any thoughts on balancing these considerations?

Copy link
Author

@PieterKas PieterKas Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That is a very good point - the original text may suffice. But perhaps that needs to be made more explicit so that readers have clear guidance that this applies to any workload that may be in a call chain, including when the call chain was initiated by a user? How about something like this:

Suggested change
operates as an autonomous workload without any user interaction. In these
Workload Identity Federation enables MCP clients to authenticate and authorize using their own workload identity, without relying on interactive end-user OAuth flows. This model applies whether the workload is fully autonomous or acting within a user-initiated request path, as long as the client performs non-interactive authentication. MCP clients are typically deployed within workload platforms such as Kubernetes, virtual machines, or cloud provider environments.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@D-McAdams D-McAdams D-McAdams left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@PieterKas @D-McAdams