
DCR Handler Requires Both authorization_code and refresh_token Grant Types (RFC 7591 Non-Compliant) #1650

@gazzadownunder

Description

The Dynamic Client Registration (DCR) handler in the MCP Python SDK incorrectly requires both authorization_code and refresh_token grant types during client registration. This contradicts RFC 7591, which states that refresh tokens should be optional.

Current Behavior

The validation in mcp/server/auth/handlers/register.py (lines 71-78) rejects client registrations that don't include both grant types:

```python
if not {"authorization_code", "refresh_token"}.issubset(set(client_metadata.grant_types)):
    return PydanticJSONResponse(
        content=RegistrationErrorResponse(
            error="invalid_client_metadata",
            error_description="grant_types must be authorization_code and refresh_token",
        ),
        status_code=400,
    )
```

This means clients cannot register with only authorization_code as a grant type, even though this should be valid per the OAuth 2.0/2.1 specifications.

Expected Behavior

Per RFC 7591, refresh tokens are optional. The validation should only require authorization_code to be present:

```python
if "authorization_code" not in client_metadata.grant_types:
    return PydanticJSONResponse(
        content=RegistrationErrorResponse(
            error="invalid_client_metadata",
            error_description="grant_types must include 'authorization_code'",
        ),
        status_code=400,
    )
```

Why This Matters

  1. RFC Compliance: RFC 7591 explicitly states that refresh tokens are optional in OAuth flows
  2. Client Flexibility: Some clients may not need or want refresh token capabilities
  3. Security: Principle of least privilege - clients should only request the grant types they actually need
  4. Interoperability: This restriction may prevent valid OAuth clients from using MCP servers

Proposed Solution

Modify the validation in mcp/server/auth/handlers/register.py to:

  • Only require authorization_code in the grant_types list
  • Allow refresh_token to be optional
  • Update the error message to reflect the correct requirement

Impact

This change would:

  • ✅ Make the MCP SDK compliant with RFC 7591
  • ✅ Allow clients to register with only authorization_code if they don't need refresh tokens
  • ✅ Not break existing clients that register with both grant types
  • ✅ Improve security by allowing clients to request minimal permissions

Additional Context

This issue was originally reported against the fastmcp project: jlowin/fastmcp#2460

The fastmcp project depends on the MCP Python SDK and will need to update its test suite once this fix is implemented.

Affected Files

  • mcp/server/auth/handlers/register.py (lines 71-78)

Python & MCP Python SDK

Python Version: 3.13.1
MCP Python SDK Version: 1.6.0
