test(conformance): wire up cross-app-access-complete-flow scenario

Adds a handler for the auth/cross-app-access-complete-flow extension
scenario. Uses CrossAppAccessProvider with requestJwtAuthorizationGrant
in the assertion callback to perform the full SEP-990 flow:

  1. RFC 9728 PRM discovery (provider)
  2. RFC 8693 token exchange at IdP: ID token -> ID-JAG (callback)
  3. RFC 7523 JWT bearer at AS: ID-JAG -> access token (provider,
     client_secret_basic)

Context schema mirrors conformance/src/schemas/context.ts.

Author: pcarleton

test/conformance/src/everythingClient.ts

@@ -12,7 +12,14 @@
  * consolidating all the individual test clients into one.
  */
 
-import { Client, ClientCredentialsProvider, PrivateKeyJwtProvider, StreamableHTTPClientTransport } from '@modelcontextprotocol/client';
+import {
+    Client,
+    ClientCredentialsProvider,
+    CrossAppAccessProvider,
+    PrivateKeyJwtProvider,
+    requestJwtAuthorizationGrant,
+    StreamableHTTPClientTransport
+} from '@modelcontextprotocol/client';
 import * as z from 'zod/v4';
 
 import { logger } from './helpers/logger.js';
@@ -42,6 +49,15 @@ const ClientConformanceContextSchema = z.discriminatedUnion('name', [
         name: z.literal('auth/client-credentials-basic'),
         client_id: z.string(),
         client_secret: z.string()
+    }),
+    z.object({
+        name: z.literal('auth/cross-app-access-complete-flow'),
+        client_id: z.string(),
+        client_secret: z.string(),
+        idp_client_id: z.string(),
+        idp_id_token: z.string(),
+        idp_issuer: z.string(),
+        idp_token_endpoint: z.string()
     })
 ]);
 
@@ -240,6 +256,54 @@ async function runClientCredentialsBasic(serverUrl: string): Promise<void> {
 
 registerScenario('auth/client-credentials-basic', runClientCredentialsBasic);
 
+/**
+ * Cross-App Access (SEP-990 Enterprise Managed Authorization).
+ *
+ * Exchanges an IdP-issued ID token for an ID-JAG (RFC 8693 token exchange at the IdP),
+ * then exchanges the ID-JAG for an access token at the AS (RFC 7523 JWT bearer grant
+ * with client_secret_basic). The provider drives discovery + the JWT bearer step; the
+ * assertion callback handles the IdP exchange using the context-supplied ID token.
+ */
+async function runCrossAppAccessCompleteFlow(serverUrl: string): Promise<void> {
+    const ctx = parseContext();
+    if (ctx.name !== 'auth/cross-app-access-complete-flow') {
+        throw new Error(`Expected cross-app-access context, got ${ctx.name}`);
+    }
+
+    const provider = new CrossAppAccessProvider({
+        clientId: ctx.client_id,
+        clientSecret: ctx.client_secret,
+        assertion: async authCtx => {
+            const result = await requestJwtAuthorizationGrant({
+                tokenEndpoint: ctx.idp_token_endpoint,
+                audience: authCtx.authorizationServerUrl,
+                resource: authCtx.resourceUrl,
+                idToken: ctx.idp_id_token,
+                clientId: ctx.idp_client_id,
+                fetchFn: authCtx.fetchFn
+            });
+            return result.jwtAuthGrant;
+        }
+    });
+
+    const client = new Client({ name: 'conformance-cross-app-access', version: '1.0.0' }, { capabilities: {} });
+
+    const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+        authProvider: provider
+    });
+
+    await client.connect(transport);
+    logger.debug('Successfully connected with cross-app-access auth');
+
+    await client.listTools();
+    logger.debug('Successfully listed tools');
+
+    await transport.close();
+    logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/cross-app-access-complete-flow', runCrossAppAccessCompleteFlow);
+
 // ============================================================================
 // Elicitation defaults scenario
 // ============================================================================