feat: expose token_endpoint_auth_method in gateway admin UI

Olivier Gintrand · Olivier Gintrand · commit 76e5fb2fa0ca · 2026-04-13T12:27:56.000+02:00
Add a dropdown selector for token_endpoint_auth_method (RFC 6749 Section 2.3)
to both the gateway create and edit forms. Supports client_secret_post (default)
and client_secret_basic methods.

Changes:
- admin.py: Parse token_endpoint_auth_method from form data in add/edit endpoints
- admin.html: Add select dropdown to create and edit gateway modals
- gateways.js: Populate field value when editing existing gateways
diff --git a/mcpgateway/admin.py b/mcpgateway/admin.py
@@ -12139,6 +12139,11 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields: grant_type={oauth_grant_type}, issuer={oauth_issuer}")
                 LOGGER.info(f"DEBUG: Complete oauth_config = {oauth_config}")
 
@@ -12411,6 +12416,11 @@ async def admin_edit_gateway(
                     if scopes:
                         oauth_config["scopes"] = scopes
 
+                # Token endpoint auth method (RFC 6749 Section 2.3)
+                oauth_token_endpoint_auth_method = str(form.get("oauth_token_endpoint_auth_method", ""))
+                if oauth_token_endpoint_auth_method:
+                    oauth_config["token_endpoint_auth_method"] = oauth_token_endpoint_auth_method
+
                 LOGGER.info(f"✅ Assembled OAuth config from UI form fields (edit): grant_type={oauth_grant_type}, issuer={oauth_issuer}")
 
         user_email = get_user_email(user)
diff --git a/mcpgateway/admin_ui/gateways.js b/mcpgateway/admin_ui/gateways.js
@@ -400,6 +400,9 @@ export const editGateway = async function (gatewayId) {
     const oauthRedirectUriField = safeGetElement("oauth-redirect-uri-gw-edit");
     const oauthIssuerField = safeGetElement("oauth-issuer-gw-edit");
     const oauthScopesField = safeGetElement("oauth-scopes-gw-edit");
+    const oauthTokenEndpointAuthMethodField = safeGetElement(
+      "oauth-token-endpoint-auth-method-gw-edit"
+    );
     const oauthAuthCodeFields = safeGetElement(
       "oauth-auth-code-fields-gw-edit"
     );
@@ -526,6 +529,13 @@ export const editGateway = async function (gatewayId) {
               ? config.scopes.join(" ")
               : "";
           }
+          if (
+            oauthTokenEndpointAuthMethodField &&
+            config.token_endpoint_auth_method
+          ) {
+            oauthTokenEndpointAuthMethodField.value =
+              config.token_endpoint_auth_method;
+          }
         }
         break;
       case "query_param":
diff --git a/mcpgateway/templates/admin.html b/mcpgateway/templates/admin.html
@@ -5965,6 +5965,25 @@ <h3 class="text-lg font-bold mb-4 dark:text-gray-200">
                       read:user")
                     </p>
                   </div>
+
+                  <div>
+                    <label
+                      class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                    >
+                      Token Endpoint Auth Method
+                    </label>
+                    <select
+                      name="oauth_token_endpoint_auth_method"
+                      id="oauth-token-endpoint-auth-method-gw"
+                      class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 dark:border-gray-700 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                    >
+                      <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                      <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                    </select>
+                    <p class="mt-1 text-sm text-gray-500">
+                      How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                    </p>
+                  </div>
                 </div>
               </div>
 
@@ -10274,6 +10293,25 @@ <h3 class="text-lg font-medium text-gray-900 dark:text-gray-100">
                               read:user")
                             </p>
                           </div>
+
+                          <div>
+                            <label
+                              class="block text-sm font-medium text-gray-700 dark:text-gray-300"
+                            >
+                              Token Endpoint Auth Method
+                            </label>
+                            <select
+                              name="oauth_token_endpoint_auth_method"
+                              id="oauth-token-endpoint-auth-method-gw-edit"
+                              class="mt-1 px-1.5 block w-full rounded-md border border-gray-300 shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:bg-gray-900 dark:text-gray-300"
+                            >
+                              <option value="client_secret_post">client_secret_post (credentials in POST body)</option>
+                              <option value="client_secret_basic">client_secret_basic (HTTP Basic Auth header)</option>
+                            </select>
+                            <p class="mt-1 text-sm text-gray-500">
+                              How client credentials are sent to the token endpoint (RFC 6749 Section 2.3)
+                            </p>
+                          </div>
                         </div>
                       </div>
                     </div>
