fix: include "none" in token_endpoint_auth_methods_supported metadata #2261
Open
namabile wants to merge 1 commit into modelcontextprotocol:v1.x from
The `build_metadata()` function hardcoded `token_endpoint_auth_methods_supported` to `["client_secret_post", "client_secret_basic"]`, but the registration handler already supports `token_endpoint_auth_method: "none"` for public clients. MCP clients like Claude Code follow the metadata to determine supported auth methods. Without "none" advertised, public client flows break: the client registers successfully (no client_secret), but then cannot complete the token exchange because the metadata implies a secret is required. Also includes "none" in `revocation_endpoint_auth_methods_supported` for consistency. Fixes modelcontextprotocol#2260
Summary

`build_metadata()` in `mcp/server/auth/routes.py` hardcodes `token_endpoint_auth_methods_supported` to `["client_secret_post", "client_secret_basic"]`, omitting `"none"`. This breaks public client OAuth flows used by MCP clients like Claude Code and Cursor.

Spec References

- `token_endpoint_auth_method: "none"` — "The client is a public client as defined in OAuth 2.0, Section 2.1, and does not have a client secret."
- `token_endpoint_auth_methods_supported` uses values from RFC 7591, which includes `"none"`.
- `token_endpoint_auth_methods_supported: ['none']` — the Python SDK is the outlier.

The Problem

The registration handler (`register.py:54-60`) already supports public clients — it skips `client_secret` generation when `token_endpoint_auth_method: "none"`. But the metadata doesn't advertise this capability, so clients assume a secret is always required and fail during token exchange.

Changes:

- `"none"` to `token_endpoint_auth_methods_supported` in `build_metadata()`
- `"none"` to `revocation_endpoint_auth_methods_supported` for consistency

Fixes #2260

Test plan

- `uv run pytest tests/client/test_auth.py::test_build_metadata` — 2 passed, 1 xfailed
- `uv run pytest tests/server/fastmcp/auth/test_auth_integration.py` — 40 passed
- `uv run ruff check` — all checks passed
- `uv run ruff format --check` — already formatted
- `"none"`, allowing Claude Code to complete public client OAuth flow
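The failure mode the PR describes (a public client registers without a secret, then cannot finish the token exchange because the server metadata never advertises `"none"`) is easy to reproduce in a few lines. The following is an added example, not code from the MCP Python SDK or from this PR: `build_metadata()` here is a hypothetical stand-in that reproduces the "before" and "after" metadata, and `RegisteredClient`, `select_token_auth_method()` and `build_token_request()` are assumed client-side helpers written for this illustration. The only standards behaviour it relies on is RFC 8414's default of `client_secret_basic` when the field is absent and RFC 6749's encoding of HTTP Basic client credentials.

```python
"""Added example (not the MCP SDK's or the PR's code): how a client picks its
token-endpoint auth method from server metadata, and why a public client
breaks when "none" is not advertised."""
from __future__ import annotations

import base64
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote


def build_metadata(issuer: str, advertise_public_clients: bool) -> dict:
    """Hypothetical stand-in for the server's metadata builder.
    advertise_public_clients=False reproduces the pre-fix behaviour."""
    methods = ["client_secret_post", "client_secret_basic"]
    if advertise_public_clients:
        methods.append("none")  # the change the PR makes
    return {
        "issuer": issuer,
        "token_endpoint": f"{issuer}/token",
        "revocation_endpoint": f"{issuer}/revoke",
        "token_endpoint_auth_methods_supported": methods,
        "revocation_endpoint_auth_methods_supported": list(methods),
    }


@dataclass
class RegisteredClient:
    """Outcome of dynamic registration (RFC 7591); a public client has no secret."""
    client_id: str
    client_secret: Optional[str]
    token_endpoint_auth_method: str


class UnsupportedAuthMethod(Exception):
    """The client cannot satisfy any auth method the server advertises."""


def select_token_auth_method(client: RegisteredClient, metadata: dict) -> str:
    # RFC 8414: if the field is omitted, the server supports client_secret_basic only.
    supported = metadata.get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"]
    )
    if client.client_secret is None:
        # A public client has nothing but its client_id; only "none" can work.
        if "none" not in supported:
            raise UnsupportedAuthMethod(
                f"public client, but server advertises only {supported}"
            )
        return "none"
    for method in ("client_secret_basic", "client_secret_post"):
        if method in supported:
            return method
    raise UnsupportedAuthMethod(f"no usable method in {supported}")


def build_token_request(
    client: RegisteredClient, metadata: dict, code: str, code_verifier: str
) -> tuple[dict, dict]:
    """Return (headers, form_body) for the authorization_code exchange."""
    method = select_token_auth_method(client, metadata)
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "code_verifier": code_verifier,  # PKCE is what binds a public client's code
        "client_id": client.client_id,
    }
    headers: dict = {}
    if method == "client_secret_post":
        body["client_secret"] = client.client_secret
    elif method == "client_secret_basic":
        # RFC 6749 s2.3.1: form-urlencode id and secret before base64-encoding.
        raw = f"{quote(client.client_id, safe='')}:{quote(client.client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(raw.encode()).decode()
    # method == "none": the client_id in the body is the only identification sent.
    return headers, body


if __name__ == "__main__":
    public = RegisteredClient("pub-client", None, "none")  # constructed sample
    before = build_metadata("https://as.example", advertise_public_clients=False)
    after = build_metadata("https://as.example", advertise_public_clients=True)
    try:
        select_token_auth_method(public, before)
    except UnsupportedAuthMethod as exc:
        print("before fix:", exc)
    print("after fix:", build_token_request(public, after, "code", "verifier"))
```

The point of the example is the asymmetry: the server happily registers the public client (it never needed a secret), but a conforming client consults `token_endpoint_auth_methods_supported` before the token request and, seeing only secret-based methods, has no valid way to proceed. Advertising `"none"` is what closes that gap; it does not weaken the server, because a public client's authorization code is already protected by PKCE rather than by a secret.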