Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 13 additions & 10 deletions cmd/altinity-mcp/cimd.go
Original file line number Diff line number Diff line change
Expand Up @@ -483,17 +483,20 @@ func parseCIMDMetadata(clientIDURL string, body []byte) (*statelessRegisteredCli
switch gt {
case "authorization_code":
hasAuthCode = true
case "refresh_token":
// Tolerated in metadata, deliberately NOT honored in v1: a client
// publishing ["authorization_code","refresh_token"] (which
// claude.ai does today) silently gets no refresh capability —
// .well-known/oauth-authorization-server only advertises
// authorization_code and /token returns unsupported_grant_type
// for refresh. If/when refresh ships, do NOT treat the CIMD
// grant_types array as authoritative for what we issue — the AS
// metadata is the source of truth.
default:
return nil, fmt.Errorf("%w: unsupported grant_type %q", errCIMDInvalidMetadata, gt)
// Any other grant_type (refresh_token, and as of 2026-06 claude.ai
// also publishes urn:ietf:params:oauth:grant-type:jwt-bearer) is
// TOLERATED but deliberately NOT honored in v1. The CIMD grant_types
// array is advertising what the *client* can do, not what we issue:
// .well-known/oauth-authorization-server only lists authorization_code
// and /token returns unsupported_grant_type for everything else, so a
// client gets exactly the capabilities the AS metadata declares
// regardless of what it lists here. Hard-rejecting unknown entries
// just breaks resolution whenever a client adds a new grant_type to
// its published doc (this is what took claude.ai connectors down when
// jwt-bearer was added). Requiring authorization_code to be present is
// the only real constraint. If refresh ever ships, the AS metadata —
// not this array — remains the source of truth for what we issue.
}
}
if !hasAuthCode {
Expand Down
7 changes: 5 additions & 2 deletions cmd/altinity-mcp/cimd_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -160,7 +160,7 @@ func TestParseCIMDMetadata_OK(t *testing.T) {
"client_name": "Claude",
"client_uri": "https://claude.ai",
"redirect_uris": ["https://claude.ai/api/mcp/auth_callback"],
"grant_types": ["authorization_code","refresh_token"],
"grant_types": ["authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:jwt-bearer"],
"response_types": ["code"],
"token_endpoint_auth_method": "none"
}`)
Expand All @@ -183,7 +183,10 @@ func TestParseCIMDMetadata_Reject(t *testing.T) {
"empty_redirect_uris": `{"client_id":"` + u + `","client_name":"X","redirect_uris":[],"token_endpoint_auth_method":"none"}`,
"duplicate_redirect_uris": `{"client_id":"` + u + `","client_name":"X","redirect_uris":["https://x/cb","https://x/cb"],"token_endpoint_auth_method":"none"}`,
"http_redirect_uri": `{"client_id":"` + u + `","client_name":"X","redirect_uris":["http://x/cb"],"token_endpoint_auth_method":"none"}`,
"unsupported_grant": `{"client_id":"` + u + `","client_name":"X","redirect_uris":["https://x/cb"],"token_endpoint_auth_method":"none","grant_types":["password"]}`,
// Unknown grant_types are now TOLERATED (claude.ai publishes jwt-bearer);
// this case still rejects, but because authorization_code is absent — not
// because "password" itself is unsupported. See parseCIMDMetadata.
"grant_types_without_authcode": `{"client_id":"` + u + `","client_name":"X","redirect_uris":["https://x/cb"],"token_endpoint_auth_method":"none","grant_types":["password"]}`,
"unsupported_response": `{"client_id":"` + u + `","client_name":"X","redirect_uris":["https://x/cb"],"token_endpoint_auth_method":"none","response_types":["token"]}`,
"empty_name": `{"client_id":"` + u + `","client_name":"","redirect_uris":["https://x/cb"],"token_endpoint_auth_method":"none"}`,
"oversize_name": `{"client_id":"` + u + `","client_name":"` + strings.Repeat("a", cimdMaxClientNameLength+1) + `","redirect_uris":["https://x/cb"],"token_endpoint_auth_method":"none"}`,
Expand Down