MCP Authorization in practice with Spring AI and OAuth2
Description

Last month, we explored how to secure Spring AI MCP Servers[1] with the OAuth2 authorization framework. In the conclusion of that article, we mentioned we'd explore using standalone Authorization Servers for MCP Security and deviate from the then-current specification. Since we published the article, the community has been very active in revising the original version of the specification. The new draft is simpler, and the major change does match what we had imagined for security. MCP Servers are still OAuth2 Resource Servers, meaning they authorize incoming requests using access tokens passed in a header. However, they do not need to be Authorization Servers themselves: access tokens can now be issued by an external Authorization Server.

In this blog post, we'll describe how to implement the newest revision of the specification in MCP Servers, and how to secure your MCP clients. Feel free to take a peek at the previous blog post for a refresher on OAuth2 and MCP.

Securing the MCP Server

In this example, we will add OAuth 2 support to a sample MCP Server – the "Weather" MCP tool from our Spring AI examples repository. First, we import the required Boot starter in pom.xml:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>

Then, we configure our MCP Server to be an OAuth2 Resource Server by updating application.properties:

    # Update the port so it does not clash with our Client…
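The Resource Server side of this setup, as an added example that is not code from the Spring AI examples repository or from the original post: a Spring Security configuration that accepts only JWT access tokens minted by the external Authorization Server, and additionally checks the token's audience so that a token issued for some other API is rejected by the MCP server. The issuer URI https://auth.example.com, the property name mcp.security.audience and the audience value mcp-weather-server are assumed placeholders.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class McpResourceServerConfig {
    // Assumed placeholder values, set in application.properties:
    //   spring.security.oauth2.resourceserver.jwt.issuer-uri=https://auth.example.com
    //   mcp.security.audience=mcp-weather-server
    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;
    @Value("${mcp.security.audience}")
    private String audience;

    @Bean
    SecurityFilterChain mcpSecurity(HttpSecurity http) throws Exception {
        http
            // Every MCP endpoint needs a valid bearer token; nothing is served anonymously.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Bearer tokens are validated as JWTs with the decoder bean below.
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signing keys come from the issuer's discovery document (JWKS endpoint).
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuerUri);
        // Defaults: signature, exp/nbf, and "iss" equal to the configured issuer.
        OAuth2TokenValidator<Jwt> issuerChecks = JwtValidators.createDefaultWithIssuer(issuerUri);
        // Extra: "aud" must name this MCP server, so tokens minted for other APIs are rejected.
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerChecks, audienceCheck));
        return decoder;
    }
}
```

Defining the JwtDecoder bean replaces the one Spring Boot would auto-configure from the issuer-uri property, so the audience check is applied to every bearer token the MCP server receives.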
