Skip to content

[Server][Auth] SEP-2207: Audit PRM to ensure offline_access is not advertised as a required scope #364

Open
Open
[Server][Auth] SEP-2207: Audit PRM to ensure offline_access is not advertised as a required scope#364
Labels
2026-07-28All issues and PRs related to the spec release 2026-07-28ServerIssues & PRs related to the Server componentauthIssues and PRs related to Authentication / OAuthenhancementRequest for a new feature that's not currently supportedimproves spec complianceImproves consistency with other SDKs such as TyepScript
@chr-hertel

Description

@chr-hertel
chr-hertel
opened on May 26, 2026

Implements the server-side portion of SEP-2207 for the MCP Spec 2026-07-28 release.

Tracked by umbrella #338.

Spec summary

MCP servers (as resource servers) SHOULD NOT advertise/require offline_access in their PRM (Protected Resource Metadata) responses — it's an AS concern, not RS.

PHP SDK changes

  • Audit PRM emission in src/Server/Transport/Http/OAuth/ to ensure offline_access is NOT included in the server's scopes_supported or required-scope advertisements.
  • Likely a small check/lint plus a unit test guarding against regression.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    2026-07-28All issues and PRs related to the spec release 2026-07-28ServerIssues & PRs related to the Server componentauthIssues and PRs related to Authentication / OAuthenhancementRequest for a new feature that's not currently supportedimproves spec complianceImproves consistency with other SDKs such as TyepScript

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    2026-07-28 Spec Implementation
    Status
    Todo

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions