Build the upstream authorization redirect for a proxied /authorize,
gated on per-client user consent (confused-deputy mitigation).
The MCP authorization spec requires that a proxy using a static upstream
client_id obtain user consent for EACH dynamically-registered client
before forwarding it to the third-party authorization server. This
overload enforces that: it throws ConsentRequiredException unless the
client (identified by its clientRedirectUri, the per-client identity the
proxy holds since the client_id is shared) has been approved via
grantConsent. The integrator presents a consent screen, records approval,
then retries.
Build the upstream authorization redirect for a proxied /authorize, gated on per-client user consent (confused-deputy mitigation).
The MCP authorization spec requires that a proxy using a static upstream client_id obtain user consent for EACH dynamically-registered client before forwarding it to the third-party authorization server. This overload enforces that: it throws ConsentRequiredException unless the client (identified by its clientRedirectUri, the per-client identity the proxy holds since the client_id is shared) has been approved via grantConsent. The integrator presents a consent screen, records approval, then retries.