Merge branch 'main' into feat/store-server-info-on-client-session

Author: shivama205

src/mcp/client/auth/oauth2.py

@@ -205,8 +205,9 @@ def prepare_token_auth(
             headers["Authorization"] = f"Basic {encoded_credentials}"
             # Don't include client_secret in body for basic auth
             data = {k: v for k, v in data.items() if k != "client_secret"}
-        elif auth_method == "client_secret_post" and self.client_info.client_secret:
-            # Include client_secret in request body
+        elif auth_method == "client_secret_post" and self.client_info.client_id and self.client_info.client_secret:
+            # Include client_id and client_secret in request body (RFC 6749 §2.3.1)
+            data["client_id"] = self.client_info.client_id
             data["client_secret"] = self.client_info.client_secret
         # For auth_method == "none", don't add any client_secret
 

src/mcp/shared/experimental/tasks/message_queue.py

@@ -12,6 +12,7 @@
 """
 
 from abc import ABC, abstractmethod
+from collections import deque
 from dataclasses import dataclass, field
 from datetime import datetime, timezone
 from typing import Any, Literal
@@ -151,13 +152,13 @@ class InMemoryTaskMessageQueue(TaskMessageQueue):
     """
 
     def __init__(self) -> None:
-        self._queues: dict[str, list[QueuedMessage]] = {}
+        self._queues: dict[str, deque[QueuedMessage]] = {}
         self._events: dict[str, anyio.Event] = {}
 
-    def _get_queue(self, task_id: str) -> list[QueuedMessage]:
+    def _get_queue(self, task_id: str) -> deque[QueuedMessage]:
         """Get or create the queue for a task."""
         if task_id not in self._queues:
-            self._queues[task_id] = []
+            self._queues[task_id] = deque()
         return self._queues[task_id]
 
     async def enqueue(self, task_id: str, message: QueuedMessage) -> None:
@@ -172,7 +173,7 @@ async def dequeue(self, task_id: str) -> QueuedMessage | None:
         queue = self._get_queue(task_id)
         if not queue:
             return None
-        return queue.pop(0)
+        return queue.popleft()
 
     async def peek(self, task_id: str) -> QueuedMessage | None:
         """Return the next message without removing it."""

tests/client/auth/extensions/test_client_credentials.py

@@ -252,6 +252,72 @@ async def test_exchange_token_client_credentials(self, mock_storage: MockTokenSt
         assert "scope=read write" in content
         assert "resource=https://api.example.com/v1/mcp" in content
 
+    @pytest.mark.anyio
+    async def test_exchange_token_client_secret_post_includes_client_id(self, mock_storage: MockTokenStorage):
+        """Test that client_secret_post includes both client_id and client_secret in body (RFC 6749 §2.3.1)."""
+        provider = ClientCredentialsOAuthProvider(
+            server_url="https://api.example.com/v1/mcp",
+            storage=mock_storage,
+            client_id="test-client-id",
+            client_secret="test-client-secret",
+            token_endpoint_auth_method="client_secret_post",
+            scopes="read write",
+        )
+        await provider._initialize()
+        provider.context.oauth_metadata = OAuthMetadata(
+            issuer=AnyHttpUrl("https://api.example.com"),
+            authorization_endpoint=AnyHttpUrl("https://api.example.com/authorize"),
+            token_endpoint=AnyHttpUrl("https://api.example.com/token"),
+        )
+        provider.context.protocol_version = "2025-06-18"
+
+        request = await provider._perform_authorization()
+
+        content = urllib.parse.unquote_plus(request.content.decode())
+        assert "grant_type=client_credentials" in content
+        assert "client_id=test-client-id" in content
+        assert "client_secret=test-client-secret" in content
+        # Should NOT have Basic auth header
+        assert "Authorization" not in request.headers
+
+    @pytest.mark.anyio
+    async def test_exchange_token_client_secret_post_without_client_id(self, mock_storage: MockTokenStorage):
+        """Test client_secret_post skips body credentials when client_id is None."""
+        provider = ClientCredentialsOAuthProvider(
+            server_url="https://api.example.com/v1/mcp",
+            storage=mock_storage,
+            client_id="placeholder",
+            client_secret="test-client-secret",
+            token_endpoint_auth_method="client_secret_post",
+            scopes="read write",
+        )
+        await provider._initialize()
+        provider.context.oauth_metadata = OAuthMetadata(
+            issuer=AnyHttpUrl("https://api.example.com"),
+            authorization_endpoint=AnyHttpUrl("https://api.example.com/authorize"),
+            token_endpoint=AnyHttpUrl("https://api.example.com/token"),
+        )
+        provider.context.protocol_version = "2025-06-18"
+        # Override client_info to have client_id=None (edge case)
+        provider.context.client_info = OAuthClientInformationFull(
+            redirect_uris=None,
+            client_id=None,
+            client_secret="test-client-secret",
+            grant_types=["client_credentials"],
+            token_endpoint_auth_method="client_secret_post",
+            scope="read write",
+        )
+
+        request = await provider._perform_authorization()
+
+        content = urllib.parse.unquote_plus(request.content.decode())
+        assert "grant_type=client_credentials" in content
+        # Neither client_id nor client_secret should be in body since client_id is None
+        # (RFC 6749 §2.3.1 requires both for client_secret_post)
+        assert "client_id=" not in content
+        assert "client_secret=" not in content
+        assert "Authorization" not in request.headers
+
     @pytest.mark.anyio
     async def test_exchange_token_without_scopes(self, mock_storage: MockTokenStorage):
         """Test token exchange without scopes."""

tests/experimental/tasks/test_message_queue.py

@@ -1,5 +1,6 @@
 """Tests for TaskMessageQueue and InMemoryTaskMessageQueue."""
 
+from collections import deque
 from datetime import datetime, timezone
 
 import anyio
@@ -270,7 +271,7 @@ async def is_empty_with_injection(tid: str) -> bool:
             if call_count == 2 and tid == task_id:
                 # Before second check, inject a message - this simulates a message
                 # arriving between event creation and the double-check
-                queue._queues[task_id] = [QueuedMessage(type="request", message=make_request())]
+                queue._queues[task_id] = deque([QueuedMessage(type="request", message=make_request())])
             return await original_is_empty(tid)
 
         queue.is_empty = is_empty_with_injection  # type: ignore[method-assign]