feat(oauth): select token_endpoint_auth_method from AS metadata (RFC 8414)#62
Merged: shigechika merged 2 commits into main from [source branch not shown], May 7, 2026
Commit 1: …8414)

Read `token_endpoint_auth_methods_supported` from RFC 8414 Authorization Server Metadata and pick the best supported auth method for the token endpoint (preference: none → client_secret_post → client_secret_basic). Apply the selected method consistently across DCR, code exchange, token refresh, and Device Authorization Grant polling.

RFC 6749 §2.3.1 `client_secret_basic` sends credentials as `Authorization: Basic base64(percent_encode(id):percent_encode(secret))` instead of in the request body. The selected method is stored in `TokenData.token_endpoint_auth_method` so refresh reuses it without re-reading the discovery document.

Fixes compatibility with Microsoft Entra ID v2 and other enterprise OIDC providers that publish only `client_secret_basic` in `token_endpoint_auth_methods_supported` and reject `none`/body-credential requests.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
Commit 2:

Verify that client_secret_basic sends credentials in the Authorization header (not the request body) for the device authorization request itself (Step 1, RFC 8628 §3.1), not just the token polling loop.

Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
## Summary

- Read `token_endpoint_auth_methods_supported` from RFC 8414 AS metadata and dynamically pick the best supported auth method for the token endpoint (preference: `none` → `client_secret_post` → `client_secret_basic`)
- `client_secret_basic`: credentials sent as `Authorization: Basic base64(percent_encode(id):percent_encode(secret))` instead of in the request body
- Store the selected method in `TokenData.token_endpoint_auth_method` so refresh reuses it without re-reading the discovery document
- Fall back to `"none"` with a warning when the AS advertises no methods recognized by mcp-stdio (e.g. `private_key_jwt` only)

## Motivation

Fixes compatibility with Microsoft Entra ID v2 and other enterprise OIDC providers that publish only `client_secret_basic` in `token_endpoint_auth_methods_supported`. Those servers reject requests that send credentials in the POST body (`client_secret_post`) or omit them entirely (`none`).

mcp-remote hardcodes `token_endpoint_auth_method: none` and always sends credentials in the POST body (mcp-remote#184, mcp-remote#217).

## Changes

- `token_store.py`: add `token_endpoint_auth_method: str = "none"` field to `TokenData` (backward-compatible default)
- `oauth.py`:
  - `OAuthMetadata`: capture `token_endpoint_auth_methods_supported`
  - `_pick_token_endpoint_auth_method()`: preference-order selection helper
  - `ClientRegistration.auth_method`: carry selected method from DCR
  - `exchange_code`, `refresh_access_token`: accept and apply `auth_method`; Basic auth branch adds `Authorization` header and excludes credentials from body
  - `_token_response_to_data`: store `auth_method` in `TokenData`
  - `refresh_cached_token`, `_run_authorization_flow`, `_run_device_authorization_flow`: thread `auth_method` end-to-end
- `WORKAROUNDS.md`: document the mcp-remote regression this fixes
- `README.md` / `README.ja.md`: update RFC 7591 bullet; add RFC 6749 §2.3.1 bullet

## Test plan

- `pytest tests/ -v` — 390 tests pass
- `TestPickTokenEndpointAuthMethod` — 8 tests covering preference order, `None` input, fallback + warning for unsupported methods
- `TestDiscoverMetadataAuthMethods` — 2 tests for field parsing from discovery
- `TestExchangeCodeBasicAuth` — 3 tests: Basic header present, percent-encoding, `client_secret_post` body
- `TestRefreshTokenBasicAuth` — 2 tests: Basic header and post method on refresh
- `TestRegisterClientAuthMethod` — 3 tests: DCR picks correct method
- `TestTokenEndpointAuthMethodPersistence` — 4 tests including legacy-token backward compat and round-trip refresh

🤖 Generated with Claude Code
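The two mechanisms the Summary describes, the preference-order selection over `token_endpoint_auth_methods_supported` and the RFC 6749 §2.3.1 `client_secret_basic` header, as an added stand-alone example; this is not the project's `_pick_token_endpoint_auth_method()` or `exchange_code`, and the function names, the `logging` warning, and the rule that an absent metadata field keeps the legacy `"none"` default are assumptions of this example.

```python
import base64
import logging
from typing import Optional
from urllib.parse import quote

log = logging.getLogger("auth_method_example")

# Client-side preference order from the PR summary (hypothetical reimplementation).
PREFERENCE = ("none", "client_secret_post", "client_secret_basic")


def pick_token_endpoint_auth_method(supported: Optional[list[str]]) -> str:
    """Choose the token-endpoint auth method from RFC 8414 metadata.

    `supported` is the AS's token_endpoint_auth_methods_supported list, or None
    when the discovery document omits it. Assumption: an absent field keeps the
    legacy "none" default. An AS that lists only methods not implemented here
    (e.g. private_key_jwt) falls back to "none" with a warning.
    """
    if not supported:
        return "none"
    for method in PREFERENCE:
        if method in supported:
            return method
    log.warning("AS advertises %s; none implemented, falling back to 'none'", supported)
    return "none"


def build_token_request(method: str, client_id: str, client_secret: Optional[str],
                        params: dict[str, str]) -> tuple[dict[str, str], dict[str, str]]:
    """Return (headers, form_body) for a token-endpoint POST under `method`."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = dict(params)
    if method == "client_secret_basic":
        # RFC 6749 §2.3.1: percent-encode id and secret before joining, so a ':'
        # inside either value cannot be mistaken for the separator; then HTTP Basic.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret or '', safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
        # Credentials stay out of the body: servers such as Entra ID v2 reject body credentials.
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret or ""
    elif method == "none":
        body["client_id"] = client_id  # public client: identifier only, no secret
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {method}")
    return headers, body
```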