Is Mcp a Security Nightmare?: a Look Into Mcp Authorization with Oauth2
Posted4 months agoActive4 months ago
cefboud.comTechstory
calmneutral
Debate
0/100
Oauth2McpSecurityAuthorization
Key topics
Oauth2
Mcp
Security
Authorization
The article examines the security implications of using OAuth2 for authorization in MCP (Multi-Cluster Platform), sparking a discussion on the potential security nightmares associated with it.
Snapshot generated from the HN discussion
Discussion Activity
Light discussionFirst comment
33m
Peak period
1
0-1h
Avg / period
1
Key moments
- 01Story posted
Sep 21, 2025 at 8:46 PM EDT
4 months ago
Step 01 - 02First comment
Sep 21, 2025 at 9:20 PM EDT
33m after posting
Step 02 - 03Peak activity
1 comments in 0-1h
Hottest window of the conversation
Step 03 - 04Latest activity
Sep 21, 2025 at 9:20 PM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45328039Type: storyLast synced: 11/17/2025, 1:06:03 PM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
A few nits:
- scopes are often set up at the administrative level, but approved by the user. In general, a client should only ask for the scopes they need at the time of authorization, and step up/step down over time
- other than with a bit of hand waving, the author doesn't talk about the security risks of MCP servers. I was hoping to hear more about that.
- a key part of security for MCP servers is what happens between the MCP server and the data/functionality/APIs it is protecting. I have found articles about this to be sorely lacking, probably because it is bespoke to each MCP server. I expect the provided to MCP is not passed through, but then what is? And how is that authorization managed.