modelcontextprotocol
diff --git a/‎src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs‎
Lines changed: 47 additions & 16 deletions b/‎src/ModelContextProtocol.Core/Authentication/ClientOAuthProvider.cs‎
Lines changed: 47 additions & 16 deletions
diff --git a/‎src/ModelContextProtocol.Core/Client/McpClientImpl.cs‎
Lines changed: 8 additions & 1 deletion b/‎src/ModelContextProtocol.Core/Client/McpClientImpl.cs‎
Lines changed: 8 additions & 1 deletion
diff --git a/‎src/ModelContextProtocol.Core/Client/StreamableHttpClientSessionTransport.cs‎
Lines changed: 27 additions & 1 deletion b/‎src/ModelContextProtocol.Core/Client/StreamableHttpClientSessionTransport.cs‎
Lines changed: 27 additions & 1 deletion
diff --git a/‎src/ModelContextProtocol.Core/Protocol/ElicitRequestParams.cs‎
Lines changed: 16 additions & 0 deletions b/‎src/ModelContextProtocol.Core/Protocol/ElicitRequestParams.cs‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎src/ModelContextProtocol.Core/Protocol/ElicitResult.cs‎
Lines changed: 30 additions & 0 deletions b/‎src/ModelContextProtocol.Core/Protocol/ElicitResult.cs‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎src/ModelContextProtocol.Core/Server/McpServer.Methods.cs‎
Lines changed: 3 additions & 1 deletion b/‎src/ModelContextProtocol.Core/Server/McpServer.Methods.cs‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎tests/Common/Utils/NodeHelpers.cs‎
Lines changed: 18 additions & 2 deletions b/‎tests/Common/Utils/NodeHelpers.cs‎
Lines changed: 18 additions & 2 deletions
diff --git a/‎tests/ModelContextProtocol.AspNetCore.Tests/ClientConformanceTests.cs‎
Lines changed: 31 additions & 3 deletions b/‎tests/ModelContextProtocol.AspNetCore.Tests/ClientConformanceTests.cs‎
Lines changed: 31 additions & 3 deletions
@@ -44,6 +44,7 @@ internal sealed partial class ClientOAuthProvider : McpHttpClient
 
     private string? _clientId;
     private string? _clientSecret;
+    private string? _tokenEndpointAuthMethod;
     private ITokenCache _tokenCache;
     private AuthorizationServerMetadata? _authServerMetadata;
 
@@ -293,6 +294,9 @@ await _tokenCache.GetTokensAsync(cancellationToken).ConfigureAwait(false) is { R
             }
         }
 
+        // Determine the token endpoint auth method from server metadata if not already set by DCR.
+        _tokenEndpointAuthMethod ??= authServerMetadata.TokenEndpointAuthMethodsSupported?.FirstOrDefault();
+
         // Store auth server metadata for future refresh operations
         _authServerMetadata = authServerMetadata;
 
@@ -385,20 +389,15 @@ private static IEnumerable<Uri> GetWellKnownAuthorizationServerMetadataUris(Uri
 
     private async Task<string?> RefreshTokensAsync(string refreshToken, Uri resourceUri, AuthorizationServerMetadata authServerMetadata, CancellationToken cancellationToken)
     {
-        var requestContent = new FormUrlEncodedContent(new Dictionary<string, string>
+        Dictionary<string, string> formFields = new()
         {
             ["grant_type"] = "refresh_token",
             ["refresh_token"] = refreshToken,
-            ["client_id"] = GetClientIdOrThrow(),
-            ["client_secret"] = _clientSecret ?? string.Empty,
             ["resource"] = resourceUri.ToString(),
-        });
-
-        using var request = new HttpRequestMessage(HttpMethod.Post, authServerMetadata.TokenEndpoint)
-        {
-            Content = requestContent
         };
 
+        using var request = CreateTokenRequest(authServerMetadata.TokenEndpoint, formFields);
+
         using var httpResponse = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
 
         if (!httpResponse.IsSuccessStatusCode)
@@ -482,22 +481,17 @@ private async Task<string> ExchangeCodeForTokenAsync(
     {
         var resourceUri = GetRequiredResourceUri(protectedResourceMetadata);
 
-        var requestContent = new FormUrlEncodedContent(new Dictionary<string, string>
+        Dictionary<string, string> formFields = new()
         {
             ["grant_type"] = "authorization_code",
             ["code"] = authorizationCode,
             ["redirect_uri"] = _redirectUri.ToString(),
-            ["client_id"] = GetClientIdOrThrow(),
             ["code_verifier"] = codeVerifier,
-            ["client_secret"] = _clientSecret ?? string.Empty,
             ["resource"] = resourceUri.ToString(),
-        });
-
-        using var request = new HttpRequestMessage(HttpMethod.Post, authServerMetadata.TokenEndpoint)
-        {
-            Content = requestContent
         };
 
+        using var request = CreateTokenRequest(authServerMetadata.TokenEndpoint, formFields);
+
         using var httpResponse = await _httpClient.SendAsync(request, cancellationToken).ConfigureAwait(false);
         await httpResponse.EnsureSuccessStatusCodeWithResponseBodyAsync(cancellationToken).ConfigureAwait(false);
 
@@ -506,6 +500,38 @@ private async Task<string> ExchangeCodeForTokenAsync(
         return tokens.AccessToken;
     }
 
+    /// <summary>
+    /// Creates an HTTP request to the token endpoint, applying the appropriate authentication
+    /// method based on <see cref="_tokenEndpointAuthMethod"/>.
+    /// </summary>
+    private HttpRequestMessage CreateTokenRequest(Uri tokenEndpoint, Dictionary<string, string> formFields)
+    {
+        HttpRequestMessage request = new(HttpMethod.Post, tokenEndpoint);
+
+        var clientId = GetClientIdOrThrow();
+        if (string.Equals(_tokenEndpointAuthMethod, "client_secret_basic", StringComparison.Ordinal))
+        {
+            // Per RFC 6749 §2.3.1: send client_id:client_secret as HTTP Basic auth.
+            request.Headers.Authorization = new(
+                "Basic",
+                Convert.ToBase64String(Encoding.UTF8.GetBytes($"{Uri.EscapeDataString(clientId)}:{Uri.EscapeDataString(_clientSecret ?? string.Empty)}")));
+        }
+        else if (string.Equals(_tokenEndpointAuthMethod, "none", StringComparison.Ordinal))
+        {
+            // Public client: include client_id in the body but no secret.
+            formFields["client_id"] = clientId;
+        }
+        else
+        {
+            // Default to client_secret_post: include credentials in the body.
+            formFields["client_id"] = clientId;
+            formFields["client_secret"] = _clientSecret ?? string.Empty;
+        }
+
+        request.Content = new FormUrlEncodedContent(formFields);
+        return request;
+    }
+
     private async Task<TokenContainer> HandleSuccessfulTokenResponseAsync(HttpResponseMessage response, CancellationToken cancellationToken)
     {
         using var stream = await response.Content.ReadAsStreamAsync(cancellationToken).ConfigureAwait(false);
@@ -620,6 +646,11 @@ private async Task PerformDynamicClientRegistrationAsync(
             _clientSecret = registrationResponse.ClientSecret;
         }
 
+        if (!string.IsNullOrEmpty(registrationResponse.TokenEndpointAuthMethod))
+        {
+            _tokenEndpointAuthMethod = registrationResponse.TokenEndpointAuthMethod;
+        }
+
         LogDynamicClientRegistrationSuccessful(_clientId!);
 
         if (_dcrResponseDelegate is not null)
 
@@ -197,6 +197,7 @@ private void RegisterHandlers(McpClientOptions options, NotificationHandlers not
                                 async ct =>
                                 {
                                     var result = await elicitationHandler(request, ct).ConfigureAwait(false);
+                                    result = ElicitResult.WithDefaults(request, result);
                                     return JsonSerializer.SerializeToElement(result, McpJsonUtilities.JsonContext.Default.ElicitResult);
                                 },
                                 options.SendTaskStatusNotifications,
@@ -205,6 +206,7 @@ private void RegisterHandlers(McpClientOptions options, NotificationHandlers not
 
                         // Normal synchronous execution - serialize result to JsonElement
                         var elicitResult = await elicitationHandler(request, cancellationToken).ConfigureAwait(false);
+                        elicitResult = ElicitResult.WithDefaults(request, elicitResult);
                         return JsonSerializer.SerializeToElement(elicitResult, McpJsonUtilities.JsonContext.Default.ElicitResult);
                     },
                     McpJsonUtilities.JsonContext.Default.ElicitRequestParams,
@@ -214,7 +216,11 @@ private void RegisterHandlers(McpClientOptions options, NotificationHandlers not
             {
                 requestHandlers.Set(
                     RequestMethods.ElicitationCreate,
-                    (request, _, cancellationToken) => elicitationHandler(request, cancellationToken),
+                    async (request, _, cancellationToken) =>
+                    {
+                        var result = await elicitationHandler(request, cancellationToken).ConfigureAwait(false);
+                        return ElicitResult.WithDefaults(request, result);
+                    },
                     McpJsonUtilities.JsonContext.Default.ElicitRequestParams,
                     McpJsonUtilities.JsonContext.Default.ElicitResult);
             }
@@ -671,4 +677,5 @@ public override async ValueTask DisposeAsync()
 
     [LoggerMessage(Level = LogLevel.Information, Message = "{EndpointName} client resumed existing session.")]
     private partial void LogClientSessionResumed(string endpointName);
+
 }
@@ -1,5 +1,6 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
+using System.Diagnostics;
 using System.Net.Http.Headers;
 using System.Net.ServerSentEvents;
 using System.Text.Json;
@@ -239,7 +240,19 @@ await SendGetSseRequestWithRetriesAsync(
             if (shouldDelay)
             {
                 var delay = state.RetryInterval ?? _options.DefaultReconnectionInterval;
-                await Task.Delay(delay, cancellationToken).ConfigureAwait(false);
+
+                // Subtract time already elapsed since the SSE stream ended to more accurately
+                // honor the retry interval. Without this, processing overhead (HTTP response
+                // disposal, condition checks, etc.) inflates the observed reconnection delay.
+                if (state.StreamEndedTimestamp != 0)
+                {
+                    delay -= ElapsedSince(state.StreamEndedTimestamp);
+                }
+
+                if (delay > TimeSpan.Zero)
+                {
+                    await Task.Delay(delay, cancellationToken).ConfigureAwait(false);
+                }
             }
             shouldDelay = true;
 
@@ -336,9 +349,11 @@ private async Task<SseResponse> ProcessSseResponseAsync(
         }
         catch (Exception ex) when (ex is IOException or HttpRequestException)
         {
+            state.StreamEndedTimestamp = Stopwatch.GetTimestamp();
             return new() { IsNetworkError = true };
         }
 
+        state.StreamEndedTimestamp = Stopwatch.GetTimestamp();
         return default;
     }
 
@@ -435,6 +450,8 @@ private sealed class SseStreamState
     {
         public string? LastEventId { get; set; }
         public TimeSpan? RetryInterval { get; set; }
+        /// <summary>Timestamp (via Stopwatch.GetTimestamp()) when the last SSE stream ended, used to discount processing overhead from the retry delay.</summary>
+        public long StreamEndedTimestamp { get; set; }
     }
 
     /// <summary>
@@ -445,4 +462,13 @@ private readonly struct SseResponse
         public JsonRpcMessageWithId? Response { get; init; }
         public bool IsNetworkError { get; init; }
     }
+
+    private static TimeSpan ElapsedSince(long stopwatchTimestamp)
+    {
+#if NET
+        return Stopwatch.GetElapsedTime(stopwatchTimestamp);
+#else
+        return TimeSpan.FromSeconds((double)(Stopwatch.GetTimestamp() - stopwatchTimestamp) / Stopwatch.Frequency);
+#endif
+    }
 }
@@ -143,6 +143,22 @@ protected private PrimitiveSchemaDefinition()
         {
         }
 
+        /// <summary>Gets the default value for this schema as a <see cref="JsonElement"/>, if one is defined.</summary>
+        internal JsonElement? GetDefaultAsJsonElement() => this switch
+        {
+            StringSchema { Default: { } s } => JsonSerializer.SerializeToElement(s, McpJsonUtilities.JsonContext.Default.String),
+            NumberSchema { Default: { } n } => JsonSerializer.SerializeToElement(n, McpJsonUtilities.JsonContext.Default.Double),
+            BooleanSchema { Default: { } b } => JsonSerializer.SerializeToElement(b, McpJsonUtilities.JsonContext.Default.Boolean),
+            UntitledSingleSelectEnumSchema { Default: { } s } => JsonSerializer.SerializeToElement(s, McpJsonUtilities.JsonContext.Default.String),
+            TitledSingleSelectEnumSchema { Default: { } s } => JsonSerializer.SerializeToElement(s, McpJsonUtilities.JsonContext.Default.String),
+            UntitledMultiSelectEnumSchema { Default: { } a } => JsonSerializer.SerializeToElement(a, McpJsonUtilities.JsonContext.Default.IListString),
+            TitledMultiSelectEnumSchema { Default: { } a } => JsonSerializer.SerializeToElement(a, McpJsonUtilities.JsonContext.Default.IListString),
+#pragma warning disable MCP9001 // LegacyTitledEnumSchema is deprecated but supported for backward compatibility
+            LegacyTitledEnumSchema { Default: { } s } => JsonSerializer.SerializeToElement(s, McpJsonUtilities.JsonContext.Default.String),
+#pragma warning restore MCP9001
+            _ => null,
+        };
+
         /// <summary>Gets or sets the type of the schema.</summary>
         [JsonPropertyName("type")]
         public abstract string Type { get; set; }
 
@@ -56,6 +56,36 @@ public sealed class ElicitResult : Result
     /// </remarks>
     [JsonPropertyName("content")]
     public IDictionary<string, JsonElement>? Content { get; set; }
+
+    /// <summary>
+    /// Applies default values from the elicitation request schema to any missing fields in the result content.
+    /// </summary>
+    internal static ElicitResult WithDefaults(ElicitRequestParams? requestParams, ElicitResult result)
+    {
+        if (result.IsAccepted && requestParams?.RequestedSchema?.Properties is { } properties)
+        {
+            Dictionary<string, JsonElement>? newContent = null;
+
+            foreach (KeyValuePair<string, ElicitRequestParams.PrimitiveSchemaDefinition> kvp in properties)
+            {
+                if ((result.Content is null || !result.Content.ContainsKey(kvp.Key)) &&
+                    kvp.Value.GetDefaultAsJsonElement() is { } element)
+                {
+                    newContent ??= result.Content is not null ?
+                        new Dictionary<string, JsonElement>(result.Content) :
+                        [];
+                    newContent[kvp.Key] = element;
+                }
+            }
+
+            if (newContent is not null)
+            {
+                return new ElicitResult { Action = result.Action, Content = newContent, Meta = result.Meta };
+            }
+        }
+
+        return result;
+    }
 }
 
 /// <summary>
 
@@ -309,13 +309,15 @@ public async ValueTask<ElicitResult> ElicitAsync(
         Throw.IfNull(requestParams);
         ThrowIfElicitationUnsupported(requestParams);
 
-        return await SendRequestWithTaskStatusTrackingAsync(
+        var result = await SendRequestWithTaskStatusTrackingAsync(
             RequestMethods.ElicitationCreate,
             requestParams,
             McpJsonUtilities.JsonContext.Default.ElicitRequestParams,
             McpJsonUtilities.JsonContext.Default.ElicitResult,
             "Waiting for user input",
             cancellationToken).ConfigureAwait(false);
+
+        return ElicitResult.WithDefaults(requestParams, result);
     }
 
     /// <summary>
 
@@ -83,10 +83,11 @@ public static ProcessStartInfo ConformanceTestStartInfo(string arguments)
         var repoRoot = FindRepoRoot();
         var binPath = Path.Combine(repoRoot, "node_modules", ".bin", "conformance");
 
+        ProcessStartInfo startInfo;
         if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
         {
             // On Windows, node_modules/.bin contains .cmd shims that can be executed directly
-            return new ProcessStartInfo
+            startInfo = new ProcessStartInfo
             {
                 FileName = $"{binPath}.cmd",
                 Arguments = arguments,
@@ -98,7 +99,7 @@ public static ProcessStartInfo ConformanceTestStartInfo(string arguments)
         }
         else
         {
-            return new ProcessStartInfo
+            startInfo = new ProcessStartInfo
             {
                 FileName = binPath,
                 Arguments = arguments,
@@ -108,6 +109,21 @@ public static ProcessStartInfo ConformanceTestStartInfo(string arguments)
                 CreateNoWindow = true
             };
         }
+
+        // On macOS, disable .NET mini-dump file generation for child processes. When
+        // dotnet test runs with --blame-crash, it sets DOTNET_DbgEnableMiniDump=1 in the
+        // environment. This is inherited by grandchild .NET processes (e.g. ConformanceClient
+        // launched via node). On macOS, the createdump tool can hang indefinitely due to
+        // ptrace/SIP restrictions, causing the entire test run to hang. Disabling mini-dumps
+        // only suppresses the dump file creation; the runtime still prints crash diagnostics
+        // (stack traces, signal info, etc.) to stderr, which the test captures.
+        if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX))
+        {
+            startInfo.Environment["DOTNET_DbgEnableMiniDump"] = "0";
+            startInfo.Environment["COMPlus_DbgEnableMiniDump"] = "0";
+        }
+
+        return startInfo;
     }
 
     /// <summary>
 
@@ -24,17 +24,32 @@ public ClientConformanceTests(ITestOutputHelper output)
     [Theory(Skip = "Node.js is not installed. Skipping client conformance tests.", SkipUnless = nameof(IsNodeInstalled))]
     [InlineData("initialize")]
     [InlineData("tools_call")]
+    [InlineData("elicitation-sep1034-client-defaults")]
+    [InlineData("sse-retry")]
     [InlineData("auth/metadata-default")]
     [InlineData("auth/metadata-var1")]
     [InlineData("auth/metadata-var2")]
     [InlineData("auth/metadata-var3")]
     [InlineData("auth/basic-cimd")]
-    // [InlineData("auth/2025-03-26-oauth-metadata-backcompat")]
-    // [InlineData("auth/2025-03-26-oauth-endpoint-fallback")]
     [InlineData("auth/scope-from-www-authenticate")]
     [InlineData("auth/scope-from-scopes-supported")]
     [InlineData("auth/scope-omitted-when-undefined")]
     [InlineData("auth/scope-step-up")]
+    [InlineData("auth/scope-retry-limit")]
+    [InlineData("auth/token-endpoint-auth-basic")]
+    [InlineData("auth/token-endpoint-auth-post")]
+    [InlineData("auth/token-endpoint-auth-none")]
+    [InlineData("auth/resource-mismatch")]
+    [InlineData("auth/pre-registration")]
+
+    // Backcompat: Legacy 2025-03-26 OAuth flows (no PRM, root-location metadata) we don't implement.
+    // [InlineData("auth/2025-03-26-oauth-metadata-backcompat")]
+    // [InlineData("auth/2025-03-26-oauth-endpoint-fallback")]
+
+    // Extensions: Require ES256 JWT signing (private_key_jwt) and client_credentials grant support.
+    // [InlineData("auth/client-credentials-jwt")]
+    // [InlineData("auth/client-credentials-basic")]
+
     public async Task RunConformanceTest(string scenario)
     {
         // Run the conformance test suite
@@ -88,7 +103,20 @@ public async Task RunConformanceTest(string scenario)
         process.BeginOutputReadLine();
         process.BeginErrorReadLine();
 
-        await process.WaitForExitAsync();
+        using var cts = new CancellationTokenSource(TimeSpan.FromMinutes(5));
+        try
+        {
+            await process.WaitForExitAsync(cts.Token);
+        }
+        catch (OperationCanceledException)
+        {
+            process.Kill(entireProcessTree: true);
+            return (
+                Success: false,
+                Output: outputBuilder.ToString(),
+                Error: errorBuilder.ToString() + "\nProcess timed out after 5 minutes and was killed."
+            );
+        }
 
         return (
             Success: process.ExitCode == 0,