MCP Authorization Server now supports unauthenticated flows
Aembit’s MCP Authorization Server now supports OAuth flows that don’t require end-user authentication. This enables use cases like ChatGPT apps and other MCP integrations where user sign-in isn’t needed or desired.
What’s new:
- An Enforce SSO option on Client Workloads with the Redirect URI identifier type. Enforce SSO is on by default, preserving the current behavior of requiring user authentication.
- When Enforce SSO is on, a multi-select dropdown lets you choose which SSO identity providers appear on the MCP authentication page. By default, all configured identity providers are selected.
- When Enforce SSO is off, the MCP Authorization Server issues access tokens without redirecting users to an identity provider. No Trust Provider is needed, but a Credential Provider is still required.
- Access Policies still apply as an authorization control. You can turn off policies or entities to block token issuance.
To use this feature, edit your Client Workload, select the Redirect URI client identifier, and configure Enforce SSO under MCP Authorization Configuration.
For details, see Authentication support and MCP Authorization Server architecture.