Address review: iss in introspection, tighten field comments

maxisbey · maxisbey · commit a857cfc25ff0 · 2026-05-26T13:09:44.000Z
- Example introspection response now includes iss so resource servers can
  key identity on (iss, sub).
- subject comment notes uniqueness is per-issuer; drop "verified" from
  the claims comment since the SDK only stores what the verifier returns.
- Keep subject=username in the example: the nearby user_id is regenerated
  per login and would not be a stable subject.
diff --git a/examples/servers/simple-auth/mcp_simple_auth/auth_server.py b/examples/servers/simple-auth/mcp_simple_auth/auth_server.py
@@ -121,6 +121,7 @@ async def introspect_handler(request: Request) -> Response:
                 "token_type": "Bearer",
                 "aud": access_token.resource,  # RFC 8707 audience claim
                 "sub": access_token.subject,  # RFC 7662 subject
+                "iss": str(server_settings.server_url),
             }
         )
 
diff --git a/src/mcp/server/auth/provider.py b/src/mcp/server/auth/provider.py
@@ -42,8 +42,8 @@ class AccessToken(BaseModel):
     scopes: list[str]
     expires_at: int | None = None
     resource: str | None = None  # RFC 8707 resource indicator
-    subject: str | None = None  # RFC 7662/9068 `sub`: resource owner the token was issued for
-    claims: dict[str, Any] | None = None  # additional verified claims (e.g. `iss`, `act`)
+    subject: str | None = None  # RFC 7662/9068 `sub`: resource owner; unique only per issuer
+    claims: dict[str, Any] | None = None  # additional claims (e.g. `iss`, `act`)
 
 
 RegistrationErrorCode = Literal[

Original file line number	Diff line number	Diff line change
`@@ -121,6 +121,7 @@ async def introspect_handler(request: Request) -> Response:`
`121`	`121`	`"token_type": "Bearer",`
`122`	`122`	`"aud": access_token.resource, # RFC 8707 audience claim`
`123`	`123`	`"sub": access_token.subject, # RFC 7662 subject`
	`124`	`+ "iss": str(server_settings.server_url),`
`124`	`125`	`}`
`125`	`126`	`)`
`126`	`127`