Adding Client Credentials & Token Exchange Grant Types to Auth

[SoldierSacha]

Motivation and Context

#881

In addition to adding the Client Credentials grant (from the issue linked above), I've also gone on to add the Token Exchange grant.

Reasoning for Token Exchange: Since the client credentials grant is for machine-to-machine authorization, I realized that there are times where the client machine (acting as an MCP Client) might have to make requests on behalf of an end-user to the MCP Server. With that being said, in the current implementation, this did not exist because there was no way to securely identify the end-user.

Now it does through Token Exchange.

How Has This Been Tested?

Added test cases (all pass), and also currently using in my own mcp server and client. Everything is working as intended.

Breaking Changes

None

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

No

[SoldierSacha]

@simonw @sheffler @comfuture @shimizukawa @ihrpr

[SoldierSacha]

@Kludex @pcarleton

[SoldierSacha]

Went ahead and updated the PR to also support the Token Exchange grant type (in addition to Client Credentials).

This is ready to be merged!! This PR is a huge win for this community.

@dsp-ant @jspahrsummers @calclavia @nick-merrill @jerome3o-anthropic

[SoldierSacha]

Please review this for merge... tired of keeping it in sync with current repo!!!

@Kludex @pcarleton @simonw @sheffler @comfuture @shimizukawa @ihrpr @dsp-ant @jspahrsummers @calclavia @nick-merrill @jerome3o-anthropic

[patrykks]

I have some questions:

1. First of all, thanks a lot for the contribution and for preparing the MR. From my perspective, this is one of the most important features of MCP Python SDK. It's actually a key reason why a significant number (if not the majority) of companies are still not using MCP. Exposing business data without proper authentication/authorization is simply not an option in most cases.
2. Is there an ETA for when the review will be done and the code can be merged? This would be critical for our project - we’re eagerly waiting for these changes to be available
3. Is there a simple example in submitted changes showing how to configure the client credentials flow on the server side (e.g., using popular SSO providers like Azure or Okta)?

[SoldierSacha]

I have some questions:

1. First of all, thanks a lot for the contribution and for preparing the MR. From my perspective, this is one of the most important features of MCP Python SDK. It's actually a key reason why a significant number (if not the majority) of companies are still not using MCP. Exposing business data without proper authentication/authorization is simply not an option in most cases.
2. Is there an ETA for when the review will be done and the code can be merged? This would be critical for our project - we’re eagerly waiting for these changes to be available
3. Is there a simple example in submitted changes showing how to configure the client credentials flow on the server side (e.g., using popular SSO providers like Azure or Okta)?

1. No problem! I needed these features myself too, so I decided to add them.

2. If you want to use these features in the meantime while the admins merge this PR, I've made a fork: https://github.com/sacha-development-stuff/mcp-python-sdk/releases/tag/v1.9.4%2Bfork

3. Regarding examples, everything can be found in /examples.