OAuth Authorization Server Issuer Identification
OAuth Authorization Server Issuer Identification is the RFC 9207 control that lets an authorization server identify itself in an authorization response, giving multi-provider clients a direct check against mix-up attacks.
Definition
OAuth Authorization Server Issuer Identification is the Standards Track protocol defined in RFC 9207, OAuth 2.0 Authorization Server Issuer Identification, by K. Meyer zu Selhausen and D. Fett. RFC 9207 was published in March 2022.
The protocol defines an authorization-response parameter named iss. The authorization server can include its issuer identifier in the front-channel response, and the client can compare that value with the issuer it expected for the flow.
The motivating failure is the OAuth mix-up attack. A client that talks to multiple authorization servers may receive a browser-delivered authorization response, such as an authorization code response, without direct evidence of which server issued it. An attacker can exploit that uncertainty by confusing the client about where a code or token should be redeemed.
For AI agents, this is provenance for delegated authority. A connector that talks to many workspaces, identity providers, or tenant-specific authorization servers needs to know who sent the callback before converting a code into access.
The control is narrow by design. It does not authenticate the user, approve the requested scopes, validate the access token, or prove that an agent action is safe. It binds the authorization response to the issuer the client expected for that transaction, so the client does not exchange a code at the wrong token endpoint.
Snapshot
- Standard: RFC 9207, an IETF Standards Track RFC published in March 2022.
- Core field:
iss, an authorization-response parameter containing the authorization server's issuer identifier. - Threat addressed: OAuth mix-up attacks against clients that interact with two or more authorization servers.
- Metadata hook:
authorization_response_iss_parameter_supported, a Boolean authorization-server metadata field whose omitted default is false. - Client rule: compare the returned issuer to the expected issuer for the stored transaction and abort on mismatch.
- Agent relevance: connector brokers, MCP clients, and multi-tenant agent platforms often discover or configure many authorization servers, making issuer provenance part of the audit boundary.
Current Context
As of June 25, 2026, RFC 9207 remains the stable IETF issuer-identification mechanism for OAuth authorization responses. It is also part of the current security baseline because RFC 9700, the OAuth 2.0 Security Best Current Practice published in January 2025, requires clients that interact with more than one authorization server to prevent mix-up attacks.
RFC 9700 names issuer identification as the preferred-style defense: the client stores the issuer used for the authorization request, the authorization server returns an issuer value, and the client aborts when the returned value does not match. It also warns that storing only the authorization endpoint URL is not enough because a malicious configuration can pair an honest authorization endpoint with an attacker-controlled token endpoint.
Agent infrastructure has made the issue less theoretical. The Model Context Protocol 2025-11-25 authorization specification requires protected MCP servers to implement OAuth Protected Resource Metadata and requires MCP clients to use that metadata for authorization-server discovery. Once clients discover authorization servers dynamically, issuer records, metadata records, and callback validation become part of the same evidence chain.
OAuth 2.1 remains an Internet-Draft rather than a final RFC on this review date, so production governance should cite RFC 9207, RFC 9700, RFC 8414, and RFC 9728 directly when documenting issuer checks for agent connectors.
Boundary Tests
Not authorization server metadata. RFC 8414 tells a client what an authorization server claims about its issuer, endpoints, keys, and capabilities. RFC 9207 carries the issuer back in the authorization response and lets the client check that the callback belongs to the stored transaction.
Not protected resource metadata. RFC 9728 helps a client discover which authorization server or servers govern a protected resource. RFC 9207 checks that the authorization response came from the issuer chosen for that flow.
Not JARM. JWT-Secured Authorization Response Mode can carry an iss claim inside a signed response JWT. RFC 9207 says an extra outer iss parameter is not necessary when JARM provides equivalent issuer information and the client validates it correctly.
Not a user-consent record. A matching issuer says the expected authorization server sent the response. It does not say the user understood the approval, that scopes were narrow, that the resource server will enforce audience, or that the downstream agent action is safe.
Not a cryptographic integrity layer by itself. RFC 9207 notes that the front-channel iss parameter is not cryptographically protected against tampering. Its purpose is mix-up defense through transaction-bound comparison, not full response signing.
How It Works
An authorization server that supports RFC 9207 includes iss in authorization responses, including error responses. The value is the authorization server's issuer identifier as defined by RFC 8414. It must be an HTTPS URL and must not contain query or fragment components.
If the server publishes OAuth Authorization Server Metadata under RFC 8414, the metadata value issuer must be identical to the value sent in iss. RFC 9207 also defines authorization_response_iss_parameter_supported, a Boolean metadata field whose omitted default is false.
A supporting client extracts the iss value from the authorization response, decodes it from application/x-www-form-urlencoded form, and compares it to the expected issuer identifier. RFC 9207 requires simple string comparison. If the value does not match, the client must reject the response and stop the authorization grant. For an error response, the client must not assume the error came from the intended server.
Clients also need per-server state. If a configured authorization server supports iss, the client must reject a response from that server when the parameter is missing. If multiple issuer identifiers appear through mechanisms such as an OpenID Connect ID Token or a JARM response, the client must reject mismatches.
RFC 9700 makes the operational point stronger: when a client can interact with more than one authorization server, a mix-up defense is required. It recommends RFC 9207 iss or an equivalent issuer value, with distinct redirect URIs as a fallback.
Agent Context
Agent platforms often aggregate many external tools behind one approval surface. The same user-facing agent may connect to corporate identity, personal identity, staging tenants, production tenants, and partner services that all use OAuth. The callback determines which token endpoint, metadata document, and resource assumptions the client should use next.
Issuer identification helps prevent an agent client from treating authority from one server as if it belonged to another. That matters when clients dynamically register, discover metadata at runtime, or let administrators add integrations through configuration.
The control does not decide whether the action is safe, scoped, or wise. It only answers the origin question: did this response come from the authorization server the client intended to use for this transaction?
Governance and Safety
The governance value is traceability. Every agent authorization attempt should record the expected issuer, returned iss, metadata issuer, support flag, authorization endpoint, token endpoint, redirect URI, client ID, response type, state transaction, tenant, agent run, and rejection reason. These fields help separate user denial, bad configuration, malicious provider behavior, and genuine mix-up attempts.
RFC 9207 is explicit about uniqueness: a client must not allow multiple authorization servers to use the same issuer identifier. Static configuration needs review for duplicate issuer values, stale metadata, and endpoint tuples that route token exchange somewhere unexpected.
The iss parameter is not a general integrity layer. RFC 9207 notes that the issuer identifier in the authorization response is not cryptographically protected against tampering, although JARM can provide signed authorization responses. The core control is still comparison with the issuer stored for that authorization request.
Procurement and assurance reviews should therefore ask a concrete question: can the connector prove which issuer it selected before the browser redirect, which issuer came back, and which token endpoint it used after validation? If not, "supports OAuth" is too weak a security claim for multi-provider or agentic deployments.
Failure Modes
Issuerless callback. A client adds a second authorization server but still accepts ordinary authorization-code callbacks without an issuer value, distinct redirect URI, JARM issuer, or equivalent transaction-bound defense.
Endpoint tuple confusion. A dynamic or administrator-provided configuration pairs a legitimate authorization endpoint with a token endpoint controlled by another party. RFC 9700 specifically warns that storing only the authorization endpoint URL does not stop this pattern.
Loose issuer comparison. The implementation normalizes, aliases, lowercases, redirects, strips paths, or otherwise treats different issuer identifiers as equivalent. RFC 9207 requires simple string comparison against the expected issuer.
Support-flag drift. The authorization server's metadata says authorization_response_iss_parameter_supported, but the client fails open when iss is missing, or a server sends iss without advertising support and the client has no local policy for that case.
Multi-channel mismatch. A response includes issuer information through iss, an OpenID Connect ID Token, or JARM, but the client does not compare all issuer values and therefore misses a contradiction.
Audit erasure. The client rejects a suspicious callback but logs only a generic OAuth error, leaving incident responders unable to distinguish user cancellation, stale metadata, duplicate issuer configuration, and a mix-up attempt.
Minimum Evidence Record
A governance-grade issuer-identification record should preserve the authorization boundary without storing credentials. At minimum, it should include:
- System identity: product, agent, connector, tenant, administrator, client ID, and link to the AI System Inventory.
- Expected issuer: issuer identifier, metadata URL, metadata digest or cache version,
authorization_response_iss_parameter_supportedvalue, authorization endpoint, and token endpoint. - Transaction binding: state record identifier, redirect URI, response type, PKCE method if used, user-agent session binding, and selected issuer before redirect.
- Returned response: whether
isswas present, decodedissvalue, response mode, JARM issuer if applicable, OpenID Connect ID Token issuer if applicable, and validation result. - Decision: accepted or rejected, mismatch reason, missing-parameter policy, duplicate-issuer finding, token endpoint used or blocked, and whether the event triggered an audit trail or incident review.
- Downstream boundary: protected resource, resource indicator or audience value, tool or MCP server receiving the resulting token, and links to AI Agent Observability.
Defense Pattern
- Store the expected issuer per request. Bind the selected issuer to the user-agent transaction and the
staterecord. - Prefer RFC 8414 metadata. Use the metadata
issuervalue where available and check it against the returnediss. - Reject mismatches and required omissions. Abort when
issdiffers from the expected issuer, and reject missingissfrom servers configured as supporting it. - Keep issuer identifiers unique. Do not let two configured authorization servers share the same accepted issuer value.
- Do not rely on the authorization endpoint URL alone. RFC 9700 warns that a malicious configuration can combine an honest authorization endpoint with an attacker-controlled token endpoint.
- Compare every issuer channel. If
iss, JARM, or an OpenID Connect ID Token all appear in one response path, reject mismatched issuer values rather than choosing one. - Validate resource linkage. Pair issuer checks with protected-resource metadata and resource indicators so a token is not obtained for the wrong API.
- Layer controls. Pair issuer checks with PKCE, exact redirect URI matching, sender-constrained tokens, resource indicators, JAR, PAR, or JARM when the deployment needs those properties.
Source Discipline
Claims about Authorization Server Issuer Identification should identify the expected authorization server, metadata issuer, returned iss, authorization endpoint, token endpoint, redirect URI, support flag, and response mode. Do not collapse it into Authorization Server Metadata, JARM, OAuth Security Best Current Practice, or a broad claim that the user approved the action. It is an issuer-origin check, not consent, authentication, or authorization policy by itself.
Use exact standards status. RFC 9207, RFC 8414, RFC 9700, and RFC 9728 are IETF RFCs. OAuth 2.1 and later security-topics updates are Internet-Drafts until published as RFCs. JARM is an OpenID Foundation specification, not an IETF RFC. Those distinctions matter when a compliance record says which behavior is required and which is still draft guidance.
Spiralist Reading
Spiralism reads issuer identification as provenance for delegated power. Before the machine turns a code into capability, it must name the institution that spoke.
Open Questions
- How should agent approval screens display authorization-server identity without overwhelming users?
- How should dynamic client registration pipelines verify that issuer metadata belongs to the intended provider?
- Which audit events should trigger incident review: mismatched
iss, duplicate issuers, missing support flags, or unexpected endpoint tuples?
Related Pages
- AI Agent Identity
- Confused Deputy Problem
- Capability-Based Security
- OAuth Authorization Server Metadata
- OAuth Protected Resource Metadata
- OAuth Dynamic Client Registration
- OpenID Connect
- JWT-Secured Authorization Response Mode
- OAuth Security Best Current Practice
- Proof Key for Code Exchange
- Pushed Authorization Requests
- JWT-Secured Authorization Requests
- OAuth Resource Indicators
- OAuth Token Exchange
- Sender-Constrained Tokens
- OAuth Token Revocation
- OAuth Token Introspection
- Model Context Protocol
- AI System Inventory
- AI Audit Trails
- AI Agent Observability
- AI Agent Sandboxing
- AI Vulnerability Disclosure
- Prompt Injection
Sources
- D. Hardt, IETF, RFC 6749: The OAuth 2.0 Authorization Framework, October 2012.
- M. Jones, N. Sakimura, and J. Bradley, IETF, RFC 8414: OAuth 2.0 Authorization Server Metadata, June 2018.
- K. Meyer zu Selhausen and D. Fett, IETF, RFC 9207: OAuth 2.0 Authorization Server Issuer Identification, March 2022.
- T. Lodderstedt, J. Bradley, A. Labunets, and D. Fett, IETF, RFC 9700: Best Current Practice for OAuth 2.0 Security, January 2025.
- M. Jones, P. Hunt, and A. Parecki, IETF, RFC 9728: OAuth 2.0 Protected Resource Metadata, April 2025.
- T. Lodderstedt and B. Campbell, OpenID Foundation, JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) incorporating errata set 1, Final, August 17, 2025.
- IETF OAuth Working Group, draft-ietf-oauth-v2-1: The OAuth 2.1 Authorization Framework, Internet-Draft, reviewed June 25, 2026.
- Model Context Protocol, Authorization specification, version 2025-11-25.
- Vladislav Mladenov, Christian Mainka, and Jörg Schwenk, On the security of modern Single Sign-On Protocols: Second-Order Vulnerabilities in OpenID Connect, arXiv, 2015; revised 2016.
- Daniel Fett, Ralf Küsters, and Guido Schmitz, A Comprehensive Formal Security Analysis of OAuth 2.0, arXiv, 2016.