Validate the RFC 9207 iss authorization-response parameter against the
recorded issuer of the selected authorization server, per RFC 9207
Section 2.4 (the MCP 2025-11-25 / draft "Authorization Response Validation"
requirement, mitigating authorization-server mix-up attacks).
responseIss is the raw iss value extracted from the authorization
redirect (empty when absent); recordedIssuer is the issuer value from the
selected AS's validated metadata; issParameterSupported reflects the AS's
authorization_response_iss_parameter_supported metadata.
The comparison is a simple string comparison with no normalization. Returns
true when the response is acceptable; false when it MUST be rejected
(without acting on the authorization code or any error parameters):
- iss present and != recordedIssuer -> reject (mismatch)
- iss absent but issParameterSupported -> reject (required but missing)
- iss present and == recordedIssuer -> accept
- iss absent and not supported -> accept (nothing to validate)
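The decision table above as runnable Go, added here as an example rather than code from the original package; the names ValidateAuthorizationResponseIssuer and IssFromRedirect, the main package layout, and the example.com issuer values are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
)

// ValidateAuthorizationResponseIssuer applies the RFC 9207 Section 2.4
// decision table described in the text. Function and parameter names are
// assumptions for this example, not the original code's signature.
//
//	responseIss           raw iss from the redirect ("" when absent)
//	recordedIssuer        issuer from the selected AS's validated metadata
//	issParameterSupported the AS's authorization_response_iss_parameter_supported
//
// A false result means the client must not touch the code or any error
// parameters carried by that redirect.
func ValidateAuthorizationResponseIssuer(responseIss, recordedIssuer string, issParameterSupported bool) bool {
	if responseIss != "" {
		// iss present: plain string equality, no URL normalization, so
		// "https://as.example.com/" does not match "https://as.example.com".
		return responseIss == recordedIssuer
	}
	// iss absent: acceptable only when the AS metadata never promised it.
	return !issParameterSupported
}

// IssFromRedirect returns the raw iss query parameter of a redirect URI, or ""
// when it is absent. url.Values.Get also yields "" for a bare "iss=", which the
// validator then treats exactly like an absent parameter.
func IssFromRedirect(redirect string) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	return u.Query().Get("iss"), nil
}

func main() {
	// Constructed sample values; the hosts are placeholders.
	const recorded = "https://as.example.com"
	redirect := "https://client.example.com/cb?code=abc123&state=xyz&iss=https%3A%2F%2Fas.example.com"
	iss, err := IssFromRedirect(redirect)
	if err != nil {
		panic(err)
	}
	fmt.Println("accept:", ValidateAuthorizationResponseIssuer(iss, recorded, true)) // accept: true
	// Mix-up case: the code came from a different AS; reject before using it.
	fmt.Println("accept:", ValidateAuthorizationResponseIssuer("https://other-as.example.net", recorded, true)) // accept: false
}
```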