[auth]: support oauth client_secret_basic / none / custom methods #720
+569
−42
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… during authorization code exchange.
… during refresh token exchange.
… refreshAuthorization to maintain compatibility.
… into ochafik/auth-merge-531-552
…ods' into ochafik/auth-merge-531-552
The applyBasicAuth function was incorrectly trying to set headers using array notation on a Headers object. Fixed by using the proper Headers.set() method instead of treating it as a plain object. This ensures that HTTP Basic authentication works correctly when client_secret_basic is the selected authentication method. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This was referenced Jul 1, 2025
|
Thanks @ochafik ! This is looking pretty good. I'm experimenting with the branch right now, and have a suggested modification that I'll propose later tonight or tomorrow. |
9 tasks
SightStudio
reviewed
Jul 7, 2025
felixweinberger
approved these changes
Jul 9, 2025
src/client/auth.test.ts
Outdated
Comment on lines
11
to
13
| type OAuthClientProvider, | ||
| } from "./auth.js"; | ||
| import { OAuthMetadata } from 'src/shared/auth.js'; |
There was a problem hiding this comment.
nit: the project seems to use ../shared/auth.js as a pattern, i.e. relative imports (but I actually think this is better)
see discussion: https://anthropic.slack.com/archives/C0840HQ2Y2V/p1752075120212319
There was a problem hiding this comment.
Gone relative, thanks for the link
src/client/auth.ts
Outdated
Comment on lines
89
to
92
| * @param url - The token endpoint URL being called | ||
| * @param headers - The request headers (can be modified to add authentication) | ||
| * @param params - The request body parameters (can be modified to add credentials) | ||
| */ |
There was a problem hiding this comment.
ultra-nit: @params are in a different order than the args
src/client/auth.ts
Outdated
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { | ||
| const hasClientSecret = !!clientInformation.client_secret; |
There was a problem hiding this comment.
nit: we don't seem to use !! notation anywhere, maybe prefer explicitness?
const hasClientSecret = clientInformation.client_secret !== undefined && clientInformation.client_secret !== '';
There was a problem hiding this comment.
Tightened this / only testing against undefined
src/client/auth.ts
Outdated
| function selectClientAuthMethod( | ||
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { |
There was a problem hiding this comment.
should this maybe return an enum?
enum ClientAuthMethod {
BASIC = "client_secret_basic",
POST = "client_secret_post",
NONE = "none"
}
src/client/auth.ts
Outdated
Comment on lines
175
to
188
| if (method === "client_secret_basic") { | ||
| applyBasicAuth(client_id, client_secret, headers); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "client_secret_post") { | ||
| applyPostAuth(client_id, client_secret, params); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "none") { | ||
| applyPublicAuth(client_id, params); | ||
| return; | ||
| } |
There was a problem hiding this comment.
could make this a switch with the enum potentially
Comment on lines
+649
to
+656
| if (addClientAuthentication) { | ||
| addClientAuthentication(headers, params, authorizationServerUrl, metadata); | ||
| } else { | ||
| // Determine and apply client authentication method | ||
| const supportedMethods = metadata?.token_endpoint_auth_methods_supported ?? []; | ||
| const authMethod = selectClientAuthMethod(clientInformation, supportedMethods); | ||
|
|
||
| applyClientAuthentication(authMethod, clientInformation, headers, params); |
| const body = request.body as URLSearchParams; | ||
| expect(body.get("client_id")).toBe("client123"); | ||
| expect(body.get("client_secret")).toBe("secret123"); | ||
| }); |
There was a problem hiding this comment.
should we have a test if it supports everything, that it chooses client_secret_basic
src/client/auth.test.ts
Outdated
Comment on lines
1642
to
1643
| expect(body.get("client_id")).toBeNull(); // should not be in body | ||
| expect(body.get("client_secret")).toBeNull(); // should not be in body |
There was a problem hiding this comment.
nit: comments seem redundant
ochafik
commented
Jul 9, 2025
src/client/auth.test.ts
Outdated
Comment on lines
1642
to
1643
| expect(body.get("client_id")).toBeNull(); // should not be in body | ||
| expect(body.get("client_secret")).toBeNull(); // should not be in body |
| const body = request.body as URLSearchParams; | ||
| expect(body.get("client_id")).toBe("client123"); | ||
| expect(body.get("client_secret")).toBe("secret123"); | ||
| }); |
src/client/auth.ts
Outdated
Comment on lines
89
to
92
| * @param url - The token endpoint URL being called | ||
| * @param headers - The request headers (can be modified to add authentication) | ||
| * @param params - The request body parameters (can be modified to add credentials) | ||
| */ |
src/client/auth.ts
Outdated
| function selectClientAuthMethod( | ||
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { |
src/client/auth.ts
Outdated
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { | ||
| const hasClientSecret = !!clientInformation.client_secret; |
There was a problem hiding this comment.
Tightened this / only testing against undefined
src/client/auth.ts
Outdated
Comment on lines
175
to
188
| if (method === "client_secret_basic") { | ||
| applyBasicAuth(client_id, client_secret, headers); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "client_secret_post") { | ||
| applyPostAuth(client_id, client_secret, params); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "none") { | ||
| applyPublicAuth(client_id, params); | ||
| return; | ||
| } |
src/client/auth.test.ts
Outdated
Comment on lines
11
to
13
| type OAuthClientProvider, | ||
| } from "./auth.js"; | ||
| import { OAuthMetadata } from 'src/shared/auth.js'; |
There was a problem hiding this comment.
Gone relative, thanks for the link
|
Oh absolutely, fixed, thanks for bringing it up!
…On Thu, Jul 10, 2025 at 4:34 PM Dong Min Seol ***@***.***> wrote:
*SightStudio* left a comment (modelcontextprotocol/typescript-sdk#720)
<#720 (comment)>
https://github.com/modelcontextprotocol/typescript-sdk/releases/tag/1.15.1
@jerome3o-anthropic <https://github.com/jerome3o-anthropic>
It would be nice if co-authors could also be added to that list of
contributors.
--
--
Olivier
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an attempt to merge #531 and #552
Motivation and Context
This merges two sets of OAuth changes:
OAuthClientProvider.addClientAuthenticationcallback (renamed from PR's proposedauthToTokenEndpoint) for custom auth methodsclient_secret_basic,none)How Has This Been Tested?
WIP: testing in inspector
Breaking Changes
n/a
Types of changes
Checklist
Additional context