Skip to content

Implement RFC 7523 JWT flows #1247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 43 commits into
base: main
Choose a base branch
from
Open

Implement RFC 7523 JWT flows #1247

wants to merge 43 commits into from
+442 −52

Conversation

@LucaButBoring
Copy link
Contributor

@LucaButBoring LucaButBoring commented Aug 7, 2025
edited
Loading

Implements support for the RFC 7523 authentication flows. This PR is a trimmed-down version of #1020, but will likely be superceded by a future authlib-based implementation (see #1240).

Compared to #1020, this implements the flow via a separate httpx.Auth subclass, which is in-line with prior maintainer feedback on how to grow these auth implementations.

Motivation and Context

Implementation example for modelcontextprotocol/modelcontextprotocol#1046.

How Has This Been Tested?

Unit tests (TBD: unit tests for section 2.2 flow). Planning to spot test with Keycloak setup once that gets published.

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

LucaButBoring and others added 30 commits June 23, 2025 10:52
@LucaButBoring
Implement client credentials auth flow
873bbe0
@LucaButBoring
Add example client and server for client_credentials flow
7c65d76
@LucaButBoring
Set issuer to AS URI for RFC8414 compliance in auth example
d927bc0
@LucaButBoring
Merge RS/AS in client_credentials example
20b5dfc
@LucaButBoring
Revert "Merge RS/AS in client_credentials example"
1a5f104 
This reverts commit 20b5dfc.
@LucaButBoring
Implement simplified RS+AS token mapping without DCR
fe548e5
@LucaButBoring
Update naming and docs for client credentials example
7e0dfaf
@LucaButBoring
Implement client_secret_post support in client credentials example
4ab922c
@LucaButBoring
Don't use client_credentials by default; fix test
e3a2b6d
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ed2a486 
…-sdk into feat/client-credentials
@LucaButBoring
Add tests for client_credentials flow
a8067e1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
0be70c4
@LucaButBoring
Update function name in PRM unit tests
13b3478
@LucaButBoring
Merge branch 'main' into feat/client-credentials
aaf2cc7
@LucaButBoring
Use client_metadata to determine if 2LO should be used
efecc7d
@LucaButBoring
Merge branch 'main' into feat/client-credentials
f1d1591
@LucaButBoring
Merge branch 'main' into feat/client-credentials
06177d1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
2a2f562
@LucaButBoring
Fix Markdown formatting
31eeb63
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ac75345 
…-sdk into feat/client-credentials
@LucaButBoring
Merge branch 'main' into feat/client-credentials
c3c6725
@LucaButBoring
Update auth tests to fix mock behavior
4a4c007
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
6677894 
…-sdk into feat/client-credentials
@LucaButBoring
Implement RFC 7523 authorization grant flow
fc8331c
@yannj-fr @LucaButBoring
Implement RFC 7523 Section 2.2 for client_credentials
39758e2
@LucaButBoring
Add case for preconfigured assertion in RFC7523 S2.2 flow
36532fd
@LucaButBoring
Remove 2LO example for now
ed23997 
No longer doing external integration examples as of modelcontextprotocol#1011. Will likely bring this back later as a standalone example.
@LucaButBoring
Remove 2LO in this branch, limit to RFC7523
e10f7c9
@LucaButBoring
Fix rfc8707 test error
bcc5b39 
Python default parameters reuse their references, so we can't use a collection like a dict as a default parameter value or we'll dirty our state.
@LucaButBoring
Merge branch 'main' into feat/rfc7523
b90a6c2
@LucaButBoring LucaButBoring requested review from a team and ochafik August 12, 2025 19:10
@LucaButBoring
Copy link
Contributor Author

Now sep 1046 was approved do you want to move forward?

Updated the PR and opened.

@ochafik ochafik mentioned this pull request Sep 4, 2025
Open
@felixweinberger felixweinberger added pending SEP approval When a PR is attached as an implementation detail to a SEP, we mark it as such for triage. needs sync Needs sync with latest main branch to ensure CI passes labels Sep 23, 2025
@felixweinberger
Copy link
Contributor

Pending modelcontextprotocol/modelcontextprotocol#1047

@ochafik ochafik linked an issue Sep 30, 2025 that may be closed by this pull request
Implement SEP-1046: Support OAuth client credentials flow in authorization #1342
Open
@felixweinberger felixweinberger added the auth Issues and PRs related to Authentication / OAuth label Oct 3, 2025
@felixweinberger felixweinberger marked this pull request as draft October 13, 2025 15:36
@felixweinberger
Copy link
Contributor

Marking this as a draft for now to remove from our review queue while we wait for the SEP approval - modelcontextprotocol/modelcontextprotocol#1047

Please reopen once the SEP has been accepted or if you specifically need input beforehand!

@yjouanin yjouanin mentioned this pull request Oct 20, 2025
Merged
@LucaButBoring
Copy link
Contributor Author

SEP-1046 is accepted; reopening this (will fix merge conflicts).

@LucaButBoring LucaButBoring marked this pull request as ready for review October 20, 2025 18:00
@felixweinberger felixweinberger added needs maintainer action Potentially serious issue - needs proactive fix and maintainer attention and removed pending SEP approval When a PR is attached as an implementation detail to a SEP, we mark it as such for triage. needs sync Needs sync with latest main branch to ensure CI passes labels Oct 21, 2025
@LucaButBoring
Copy link
Contributor Author

Per discussion on Discord, RFC7523OAuthClientProvider has been moved into a new mcp.client.auth.extensions.client_credentials module. Doing this required also renaming src/mcp/client/auth.py to src/mcp/client/auth/oauth2.py and re-exporting it from a new src/mcp/client/auth/__init__.py.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ochafik ochafik Awaiting requested review from ochafik

@pcarleton pcarleton Awaiting requested review from pcarleton

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth needs maintainer action Potentially serious issue - needs proactive fix and maintainer attention

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement SEP-1046: Support OAuth client credentials flow in authorization

3 participants

@LucaButBoring @yannj-fr @felixweinberger