Fix OAuth metadata validation for compliant servers #778
+2 −2
## Problem

The `OAuthMetadata` validation in `src/mcp/shared/auth.py` was overly restrictive, rejecting valid OAuth 2.0 server configurations that advertise additional authentication methods beyond the minimum required set. This caused connection failures with compliant MCP servers like Asana (`mcp.asana.com`) that support multiple OAuth authentication methods as allowed by the specifications.

## Root Cause

The server returns:

- `token_endpoint_auth_methods_supported`: `["client_secret_basic", "client_secret_post", "none"]`
- `code_challenge_methods_supported`: `["plain", "S256"]`

But the client validation only accepted:

- `token_endpoint_auth_methods_supported`: `["none", "client_secret_post"]`
- `code_challenge_methods_supported`: `["S256"]`

## Solution

Expanded the validation to accept additional methods:

- `client_secret_basic` to `token_endpoint_auth_methods_supported`
- `plain` to `code_challenge_methods_supported`

## Compliance Verification

✅ MCP Specification Compliant: The MCP authorization specification does not restrict which authentication methods servers can support - it only requires PKCE support.

✅ OAuth 2.0 Compliant: These are standard OAuth 2.0 authentication methods defined in relevant RFCs.

## Testing

https://mcp.asana.com/sse

## Impact

This fix enables the MCP Python SDK to work with any compliant MCP server regardless of which optional OAuth authentication methods they advertise support for.
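The following is an added illustration of the validation change described in this PR; it is not the SDK's `auth.py` code and does not reproduce the actual `OAuthMetadata` model. It contrasts an allow-list validator in the style the PR describes as the bug (rejecting any advertised method outside a narrow set) with one that accepts whatever the server advertises and enforces only what the client actually needs: the MCP requirement that PKCE with `S256` is offered, and at least one token endpoint authentication method the client can use. It also shows that accepting `plain` in the advertised list does not mean selecting it; the client always chooses `S256`. The sample metadata is constructed to mirror the shape quoted in the PR and is not a live response from `mcp.asana.com`. Function names are hypothetical.

```python
import json

# Constructed sample mirroring the metadata shape the PR quotes (three
# token-endpoint auth methods, both PKCE methods). Not a live response.
SAMPLE_METADATA = json.dumps({
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "none",
    ],
    "code_challenge_methods_supported": ["plain", "S256"],
})

# Method names this client knows how to use (RFC 6749 / RFC 7591 names for
# client authentication, RFC 7636 names for PKCE).
CLIENT_AUTH_METHODS = ("client_secret_basic", "client_secret_post", "none")
PKCE_METHODS = ("S256", "plain")


def strict_errors(raw: str) -> list:
    """Allow-list validation in the style the PR describes as the bug:
    any advertised method outside the narrow set is treated as an error."""
    data = json.loads(raw)
    allowed_auth = {"none", "client_secret_post"}
    allowed_pkce = {"S256"}
    errors = []
    for m in data.get("token_endpoint_auth_methods_supported", []):
        if m not in allowed_auth:
            errors.append(f"token_endpoint_auth_methods_supported: {m}")
    for m in data.get("code_challenge_methods_supported", []):
        if m not in allowed_pkce:
            errors.append(f"code_challenge_methods_supported: {m}")
    return errors


def lenient_errors(raw: str) -> list:
    """Accept whatever the server advertises and report only what the client
    cannot live with: S256 PKCE must be offered (MCP requires PKCE), and at
    least one auth method must be mutually supported. Extra or unknown
    method names are not an error; they are simply never selected."""
    data = json.loads(raw)
    # RFC 8414: if the field is absent, the default is client_secret_basic.
    auth = data.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    pkce = data.get("code_challenge_methods_supported", [])
    errors = []
    if not isinstance(auth, list) or not all(isinstance(m, str) for m in auth):
        errors.append("token_endpoint_auth_methods_supported must be a list of strings")
    if not isinstance(pkce, list) or not all(isinstance(m, str) for m in pkce):
        errors.append("code_challenge_methods_supported must be a list of strings")
    elif "S256" not in pkce:
        errors.append("code_challenge_methods_supported must include S256")
    if not errors and not any(m in CLIENT_AUTH_METHODS for m in auth):
        errors.append("no mutually supported token endpoint auth method")
    return errors


def select_methods(raw: str, has_client_secret: bool) -> tuple:
    """Pick (client_auth_method, code_challenge_method). Preference is the
    client's, not the server's list order: S256 is always chosen even when
    'plain' is advertised, and a secret-bearing method is preferred over
    'none' whenever the client holds a secret."""
    data = json.loads(raw)
    auth = data.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    pkce = data.get("code_challenge_methods_supported", [])
    if "S256" not in pkce:
        raise ValueError("S256 not advertised")
    if has_client_secret:
        candidates = ("client_secret_basic", "client_secret_post")
    else:
        candidates = ("none",)
    for m in candidates:
        if m in auth:
            return m, "S256"
    raise ValueError("no usable token endpoint auth method")


if __name__ == "__main__":
    print("strict:", strict_errors(SAMPLE_METADATA))
    print("lenient:", lenient_errors(SAMPLE_METADATA))
    print("chosen:", select_methods(SAMPLE_METADATA, has_client_secret=True))
```

The strict validator rejects the sample on two counts (`client_secret_basic` and `plain`), which is exactly the failure mode the PR reports; the lenient one accepts it. Keeping the selection logic separate from the validation is the point: what the server is allowed to advertise is a wide set, what the client will actually use is a narrow, ordered preference.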