Spot the OAuth misconfiguration in this MCP server implementation
Click any words you think contain an error. Click again to unmark.
The token exchange skips PKCE verification, so an attacker who steals the authorization code can redeem it as the server, a classic confused-deputy escalation.
Imagine a coat-check desk that gives you a ticket when you drop off your coat. PKCE is like writing a secret word on your half of the ticket and keeping the matching half in your pocket. When you return, the attendant checks both halves agree before handing back the coat. This server skips that check. It gives the coat to whoever shows up with any ticket stub, even one snatched from the trash. Worse, the server fetches the coat using its own master key, which opens far more closets than yours ever should. So a thief with a stolen stub walks away wearing the server's privileges, not just your own.
Detailed answer & concept explanation~7 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
5 min: locate the missing PKCE check, explain verifier and challenge binding, trace code interception to the confused-deputy escalation, then give the four-part secure pattern.
| Aspect | Vulnerable code | Secure pattern |
|---|---|---|
| PKCE check | Verifier never validated | Verifier re-hashed and matched before token issue |
| Token model | One static token reused across users | Per-user token minted at consent |
| Audience binding | Token accepted by any backend | Token scoped to one intended audience |
| Blast radius | Server's full credential scope | Single consenting user's scope |
| Consent | Implicit and server-wide | Explicit, per scope per user |
Real products, models, and research that use this idea.
- The MCP authorization spec adopted OAuth 2.1 with mandatory PKCE in 2025, and reference servers like the GitHub and Sentry remote MCP servers verify the code_verifier server-side.
- The OWASP MCP Top 10 (2025) lists confused-deputy and token-passthrough abuse as distinct high-severity risks for remote MCP servers.
- Cloudflare and Stytch MCP OAuth guides explicitly warn against token passthrough and require per-user tokens with audience-restricted scopes.
What an interviewer would ask next. Try answering before peeking at the approach.
QBeyond PKCE, what makes token passthrough such a dangerous anti-pattern for remote MCP servers?
QHow does audience binding via the aud claim actually stop a confused-deputy replay?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Thinking PKCE is only for public clients. OAuth 2.1 makes it mandatory for every client, including server-side MCP integrations that hold broad scopes.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.