Skip to content

fix: pass new conformance auth scenarios, bump to 0.1.13 #1999

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
pcarleton wants to merge 7 commits into
base: main
Choose a base branch
from
+137 −4
Draft

fix: pass new conformance auth scenarios, bump to 0.1.13 #1999

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
7bff13c
fix: validate PRM resource match and handle DCR failure with pre-regi…
pcarleton Feb 5, 2026
84b85c1
fix: remove unnecessary DCR fallback, rely on storage-loaded client info
pcarleton Feb 5, 2026
f966fab
ci: bump conformance to 0.1.13
pcarleton Feb 5, 2026
297eded
fix: normalize trailing slashes in PRM resource validation
pcarleton Feb 5, 2026
ff57462
feat: add validate_resource_url callback to OAuthClientProvider
pcarleton Feb 5, 2026
fbd97ee
fix: correct PRM resource in auth tests to match server URL
pcarleton Feb 5, 2026
0e3d18a
test: add coverage for PRM resource validation
pcarleton Feb 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 22 additions & 1 deletion .github/actions/conformance/client.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -275,6 +275,27 @@ async def run_client_credentials_basic(server_url: str) -> None:
async def run_auth_code_client(server_url: str) -> None:
"""Authorization code flow (default for auth/* scenarios)."""
callback_handler = ConformanceOAuthCallbackHandler()
storage = InMemoryTokenStorage()

# Check for pre-registered client credentials from context
context_json = os.environ.get("MCP_CONFORMANCE_CONTEXT")
if context_json:
try:
context = json.loads(context_json)
client_id = context.get("client_id")
client_secret = context.get("client_secret")
if client_id:
await storage.set_client_info(
OAuthClientInformationFull(
client_id=client_id,
client_secret=client_secret,
redirect_uris=[AnyUrl("http://localhost:3000/callback")],
token_endpoint_auth_method="client_secret_basic" if client_secret else "none",
)
)
logger.debug(f"Pre-loaded client credentials: client_id={client_id}")
except json.JSONDecodeError:
Copy link
Copy Markdown
Member

@Kludex Kludex Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dont you want to see the exception if the json is wrong?

pass

oauth_auth = OAuthClientProvider(
server_url=server_url,
Expand All @@ -284,7 +305,7 @@ async def run_auth_code_client(server_url: str) -> None:
grant_types=["authorization_code", "refresh_token"],
response_types=["code"],
),
storage=InMemoryTokenStorage(),
storage=storage,
redirect_handler=callback_handler.handle_redirect,
callback_handler=callback_handler.handle_callback,
client_metadata_url="https://conformance-test.local/client-metadata.json",
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/conformance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,4 +42,4 @@ jobs:
with:
node-version: 24
- run: uv sync --frozen --all-extras --package mcp
- run: npx @modelcontextprotocol/conformance@0.1.10 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all
- run: npx @modelcontextprotocol/conformance@0.1.13 client --command 'uv run --frozen python .github/actions/conformance/client.py' --suite all
17 changes: 17 additions & 0 deletions src/mcp/client/auth/oauth2.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -476,6 +476,21 @@ async def _handle_oauth_metadata_response(self, response: httpx.Response) -> Non
metadata = OAuthMetadata.model_validate_json(content)
self.context.oauth_metadata = metadata

def _validate_resource_match(self, prm: ProtectedResourceMetadata) -> None:
"""Validate that PRM resource matches the server URL per RFC 8707."""
if not prm.resource:
return
default_resource = resource_url_from_server_url(self.context.server_url)
prm_resource = str(prm.resource)
# Normalize: Pydantic AnyHttpUrl adds trailing slash to root URLs
# (e.g. "https://example.com/") while resource_url_from_server_url may not.
if not default_resource.endswith("/"):
default_resource += "/"
if not prm_resource.endswith("/"):
prm_resource += "/"
if not check_resource_allowed(requested_resource=default_resource, configured_resource=prm_resource):
raise OAuthFlowError(f"Protected resource {prm_resource} does not match expected {default_resource}")

async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.Request, httpx.Response]:
"""HTTPX auth flow integration."""
async with self.context.lock:
Expand Down Expand Up @@ -517,6 +532,8 @@ async def async_auth_flow(self, request: httpx.Request) -> AsyncGenerator[httpx.

prm = await handle_protected_resource_response(discovery_response)
if prm:
# Validate PRM resource matches server URL (RFC 8707)
self._validate_resource_match(prm)
self.context.protected_resource_metadata = prm

# todo: try all authorization_servers to find the OASM
Expand Down
Loading