Fix OAuth metadata validation for compliant servers #778

Open: wants to merge 1 commit into main

Conversation

@jalehman jalehman commented May 21, 2025

Problem

The OAuthMetadata validation in src/mcp/shared/auth.py was overly restrictive, rejecting valid OAuth 2.0 server configurations that advertise additional authentication methods beyond the minimum required set.

This caused connection failures with compliant MCP servers like Asana (mcp.asana.com) that support multiple OAuth authentication methods as allowed by the specifications.

Root Cause

The server returns:

  • token_endpoint_auth_methods_supported: ["client_secret_basic","client_secret_post","none"]
  • code_challenge_methods_supported: ["plain","S256"]

But the client validation only accepted:

  • token_endpoint_auth_methods_supported: ["none", "client_secret_post"]
  • code_challenge_methods_supported: ["S256"]

Solution

Expanded the validation to accept additional methods:

  • Added client_secret_basic to token_endpoint_auth_methods_supported
  • Added plain to code_challenge_methods_supported

Compliance Verification

MCP Specification Compliant: The MCP authorization specification does not restrict which authentication methods servers can support - it only requires PKCE support.

OAuth 2.0 Compliant: These are standard OAuth 2.0 authentication methods defined in relevant RFCs.

Testing

  • ✅ Successfully connects to https://mcp.asana.com/sse
  • ✅ OAuth flow completes without validation errors
  • ✅ Maintains backward compatibility with existing servers

Impact

This fix enables the MCP Python SDK to work with any compliant MCP server regardless of which optional OAuth authentication methods they advertise support for.

The OAuthMetadata validation was too restrictive, rejecting valid OAuth 2.0
server configurations that advertise additional authentication methods beyond
the minimum required set.

Changes:
- Allow 'client_secret_basic' in token_endpoint_auth_methods_supported
- Allow 'plain' in code_challenge_methods_supported

This fixes compatibility with MCP servers like Asana (mcp.asana.com) that
advertise support for multiple OAuth authentication methods as allowed by
the OAuth 2.0 specification and MCP specification.

The MCP specification does not restrict which authentication methods servers
can support, only requiring that PKCE is used. These changes ensure the
client can connect to any compliant MCP server regardless of which optional
authentication methods they also support.
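The check the PR description and commit message discuss is an allow-list over the values a server advertises in its metadata. The following is an added example, not code from the MCP Python SDK or this PR: a dependency-free model of that check with the pre-fix and post-fix allow-lists quoted above, run over a constructed metadata document that carries the two lists the PR cites. The endpoint URLs in it are placeholders, and the `select_code_challenge_method` helper is the example's own addition, illustrating that accepting `plain` in the advertised list does not oblige the client to use it.

```python
"""Added example (not the SDK's own code): a minimal, dependency-free model of
the allow-list check that src/mcp/shared/auth.py applies to OAuth server
metadata, showing the pre-fix and post-fix allow-lists from this PR against a
constructed metadata document shaped like the one the PR describes."""

from dataclasses import dataclass


@dataclass(frozen=True)
class MetadataPolicy:
    """Which advertised values the client is willing to accept."""
    token_endpoint_auth_methods: frozenset
    code_challenge_methods: frozenset


# Allow-lists before this PR (the values the PR says the client accepted).
OLD_POLICY = MetadataPolicy(
    token_endpoint_auth_methods=frozenset({"none", "client_secret_post"}),
    code_challenge_methods=frozenset({"S256"}),
)

# Allow-lists after this PR: client_secret_basic and plain are added.
NEW_POLICY = MetadataPolicy(
    token_endpoint_auth_methods=frozenset(
        {"none", "client_secret_post", "client_secret_basic"}
    ),
    code_challenge_methods=frozenset({"S256", "plain"}),
)

# Constructed metadata carrying the two lists the PR quotes from the server;
# the remaining fields are placeholders, not captured from mcp.asana.com.
SERVER_METADATA = {
    "issuer": "https://auth.example",
    "authorization_endpoint": "https://auth.example/authorize",
    "token_endpoint": "https://auth.example/token",
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic", "client_secret_post", "none",
    ],
    "code_challenge_methods_supported": ["plain", "S256"],
}


def validate_metadata(metadata: dict, policy: MetadataPolicy) -> list[str]:
    """Return a list of problems; an empty list means the metadata is accepted.

    Mirrors a Literal-typed list field: every advertised value must be in the
    allow-list, so a single unexpected value rejects the whole document, which
    is exactly the failure mode the PR describes.
    """
    problems = []
    checks = (
        ("token_endpoint_auth_methods_supported", policy.token_endpoint_auth_methods),
        ("code_challenge_methods_supported", policy.code_challenge_methods),
    )
    for key, allowed in checks:
        advertised = metadata.get(key, [])
        unexpected = [v for v in advertised if v not in allowed]
        if unexpected:
            problems.append(f"{key}: unexpected value(s) {unexpected}")
    return problems


def select_code_challenge_method(metadata: dict) -> str:
    """Pick the PKCE method the client will actually use.

    Accepting 'plain' in the advertised list is not the same as using it: the
    client still sends S256 and refuses a server that offers only plain.
    (This selection policy is the example's own, not something the PR adds.)
    """
    advertised = metadata.get("code_challenge_methods_supported", [])
    if "S256" in advertised:
        return "S256"
    raise ValueError("server does not advertise S256 PKCE; refusing to downgrade to plain")


if __name__ == "__main__":
    print("old policy:", validate_metadata(SERVER_METADATA, OLD_POLICY))
    print("new policy:", validate_metadata(SERVER_METADATA, NEW_POLICY))
    print("PKCE method:", select_code_challenge_method(SERVER_METADATA))
```

Run it and the old policy reports two problems (the `client_secret_basic` and `plain` entries), the new policy reports none, and the PKCE selection still lands on `S256` regardless of `plain` being advertised.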
@ihrpr ihrpr added this to the auth-spec milestone May 23, 2025