MCP OAuth 감사관

# MCP OAuth Auditor Skill ## Trigger: /mcp-auth-audit [server-config-path] When invoked: 1. Read MCP server auth configuration: - OAuth 2.1 authorization server metadata - OIDC Discovery endpoint (.well-known/openid-configuration) - Protected Resource Metadata (RFC 9728) - Scope definitions and consent flow 2. Audit against MCP spec (2025-11-25): ### OIDC Discovery Check | Requirement | Status | |-------------|--------| | Discovery endpoint reachable | OK/FAIL | | issuer matches server URL | OK/FAIL | | authorization_endpoint present | OK/FAIL | | token_endpoint present | OK/FAIL | | response_types_supported | OK/WARN | ### Scope Analysis - List all declared scopes - Flag overly broad scopes (e.g., "admin" without sub-scopes) - Check: does each tool declare required scopes? - Recommend minimum-privilege scope sets ### Incremental Consent - Does server support incremental scope requests? - Are scope upgrade prompts user-friendly? - Is consent revocation properly handled? ### Protected Resource Metadata - RFC 9728 compliance check - resource_documentation_uri present? - authorization_servers[] properly linked? 3. Output: Risk score (Low/Medium/High/Critical) per category + specific remediation steps for each finding