Skip to content

[auth]: support oauth client_secret_basic / none / custom methods #720

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 19 commits into
base: main
Choose a base branch
from
Draft

[auth]: support oauth client_secret_basic / none / custom methods #720

wants to merge 19 commits into from
+501 −28

Conversation

ochafik
Copy link
Contributor

@ochafik ochafik commented Jul 1, 2025
edited
Loading

This is an attempt to merge #531 and #552

Motivation and Context

This merges two sets of OAuth changes:

How Has This Been Tested?

WIP: testing in inspector

Breaking Changes

n/a

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

  • Main changes from McpError: MCP error -32601: Method not found #415:
    • Renamed callback to addClientAuthentication
    • Passed callback explicitly to refreshAuthorization & exchangeAuthorization, to avoid the awkwardness of them accepting a provider + other redundant parameters (codeVerifier, redirectUri)

jaredhanson and others added 19 commits May 21, 2025 19:14
@jaredhanson
Allow OAuthClientProvider to control authentication to token endpoint…
9b2915e 
… during authorization code exchange.
@jaredhanson
Include mockProvider in exchangeAuthorization tests.
c7737a8
@jaredhanson
Add test case for authToTokenEndpoint during exchangeAuthorization.
439a8d3
@jaredhanson
Allow OAuthClientProvider to control authentication to token endpoint…
92f9030 
… during refresh token exchange.
@jaredhanson
Add test case for authToTokenEndpoint during refreshAuthorization.
58c2332
@jaredhanson
Make provider an optional final argument to exchangeAuthorization and…
9ef072f 
… refreshAuthorization to maintain compatibility.
@jaredhanson
Add url argument to authToTokenEndpoint.
c0e9ef6
@SightStudio
feature. Add client_secret_basic and none authentication methods
a055fb3
@SightStudio
Merge branch 'main' into feat/oauth-client-auth-methods
562d487
@SightStudio
Merge branch 'main' into feat/oauth-client-auth-methods
ab2f890
@ochafik
Merge remote-tracking branch 'jaredhanson/jaredhanson/token-auth-ext'…
b803121 
… into ochafik/auth-merge-531-552
@ochafik
Merge remote-tracking branch 'SightStudio/feat/oauth-client-auth-meth…
38244b8 
…ods' into ochafik/auth-merge-531-552
@ochafik
Merge remote-tracking branch 'origin/main' into ochafik/auth-merge-53…
8bae46e 
…1-552
@ochafik
rename authToTokenEndpoint -> addClientAuthentication
afe1279
@ochafik
Merge branch 'main' into ochafik/auth-merge-531-552
474db45
@ochafik @claude
Fix HTTP Basic authentication in OAuth client
9195587 
The applyBasicAuth function was incorrectly trying to set headers using
array notation on a Headers object. Fixed by using the proper Headers.set()
method instead of treating it as a plain object.

This ensures that HTTP Basic authentication works correctly when
client_secret_basic is the selected authentication method.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ochafik
update tests
c7f9e36
@ochafik
revert / minimize diffs
3444b67
@ochafik
cleanup
3ccff1c
This was referenced Jul 1, 2025
Closed
Closed
@ochafik ochafik added this to the auth milestone Jul 1, 2025
@ochafik ochafik requested a review from pcarleton July 1, 2025 17:24
@jaredhanson
Copy link

Thanks @ochafik ! This is looking pretty good. I'm experimenting with the branch right now, and have a suggested modification that I'll propose later tonight or tomorrow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pcarleton pcarleton Awaiting requested review from pcarleton

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
auth
Development

Successfully merging this pull request may close these issues.
3 participants
@ochafik @jaredhanson @SightStudio