Skip to content

Implement RFC 7523 JWT flows #1247

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 45 commits into from
Oct 29, 2025
Merged

Implement RFC 7523 JWT flows #1247

merged 45 commits into from
Oct 29, 2025
+463 −52

Conversation

@LucaButBoring
Copy link
Contributor

@LucaButBoring LucaButBoring commented Aug 7, 2025
edited
Loading

Implements support for the RFC 7523 authentication flows. This PR is a trimmed-down version of #1020, but will likely be superceded by a future authlib-based implementation (see #1240).

Compared to #1020, this implements the flow via a separate httpx.Auth subclass, which is in-line with prior maintainer feedback on how to grow these auth implementations.

Motivation and Context

Implementation example for modelcontextprotocol/modelcontextprotocol#1046.

How Has This Been Tested?

Unit tests (TBD: unit tests for section 2.2 flow). Planning to spot test with Keycloak setup once that gets published.

Breaking Changes

None.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

LucaButBoring and others added 30 commits June 23, 2025 10:52
@LucaButBoring
Implement client credentials auth flow
873bbe0
@LucaButBoring
Add example client and server for client_credentials flow
7c65d76
@LucaButBoring
Set issuer to AS URI for RFC8414 compliance in auth example
d927bc0
@LucaButBoring
Merge RS/AS in client_credentials example
20b5dfc
@LucaButBoring
Revert "Merge RS/AS in client_credentials example"
1a5f104 
This reverts commit 20b5dfc.
@LucaButBoring
Implement simplified RS+AS token mapping without DCR
fe548e5
@LucaButBoring
Update naming and docs for client credentials example
7e0dfaf
@LucaButBoring
Implement client_secret_post support in client credentials example
4ab922c
@LucaButBoring
Don't use client_credentials by default; fix test
e3a2b6d
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ed2a486 
…-sdk into feat/client-credentials
@LucaButBoring
Add tests for client_credentials flow
a8067e1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
0be70c4
@LucaButBoring
Update function name in PRM unit tests
13b3478
@LucaButBoring
Merge branch 'main' into feat/client-credentials
aaf2cc7
@LucaButBoring
Use client_metadata to determine if 2LO should be used
efecc7d
@LucaButBoring
Merge branch 'main' into feat/client-credentials
f1d1591
@LucaButBoring
Merge branch 'main' into feat/client-credentials
06177d1
@LucaButBoring
Merge branch 'main' into feat/client-credentials
2a2f562
@LucaButBoring
Fix Markdown formatting
31eeb63
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
ac75345 
…-sdk into feat/client-credentials
@LucaButBoring
Merge branch 'main' into feat/client-credentials
c3c6725
@LucaButBoring
Update auth tests to fix mock behavior
4a4c007
@LucaButBoring
Merge branch 'main' of https://github.com/modelcontextprotocol/python…
6677894 
…-sdk into feat/client-credentials
@LucaButBoring
Implement RFC 7523 authorization grant flow
fc8331c
@yannj-fr @LucaButBoring
Implement RFC 7523 Section 2.2 for client_credentials
39758e2
@LucaButBoring
Add case for preconfigured assertion in RFC7523 S2.2 flow
36532fd
@LucaButBoring
Remove 2LO example for now
ed23997 
No longer doing external integration examples as of modelcontextprotocol#1011. Will likely bring this back later as a standalone example.
@LucaButBoring
Remove 2LO in this branch, limit to RFC7523
e10f7c9
@LucaButBoring
Fix rfc8707 test error
bcc5b39 
Python default parameters reuse their references, so we can't use a collection like a dict as a default parameter value or we'll dirty our state.
@LucaButBoring
Merge branch 'main' into feat/rfc7523
b90a6c2
@ochafik ochafik linked an issue Sep 30, 2025 that may be closed by this pull request
Implement SEP-1046: Support OAuth client credentials flow in authorization #1342
Open
@felixweinberger felixweinberger added the auth Issues and PRs related to Authentication / OAuth label Oct 3, 2025
@felixweinberger felixweinberger marked this pull request as draft October 13, 2025 15:36
@felixweinberger
Copy link
Contributor

felixweinberger commented Oct 13, 2025

Marking this as a draft for now to remove from our review queue while we wait for the SEP approval - modelcontextprotocol/modelcontextprotocol#1047

Please reopen once the SEP has been accepted or if you specifically need input beforehand!

@yjouanin yjouanin mentioned this pull request Oct 20, 2025
Merged
@LucaButBoring
Copy link
Contributor Author

LucaButBoring commented Oct 20, 2025

SEP-1046 is accepted; reopening this (will fix merge conflicts).

@LucaButBoring LucaButBoring marked this pull request as ready for review October 20, 2025 18:00
@felixweinberger felixweinberger added needs maintainer action Potentially serious issue - needs proactive fix and maintainer attention and removed pending SEP approval When a PR is attached as an implementation detail to a SEP, we mark it as such for triage. needs sync Needs sync with latest main branch to ensure CI passes labels Oct 21, 2025
@LucaButBoring
Copy link
Contributor Author

LucaButBoring commented Oct 24, 2025

Per discussion on Discord, RFC7523OAuthClientProvider has been moved into a new mcp.client.auth.extensions.client_credentials module. Doing this required also renaming src/mcp/client/auth.py to src/mcp/client/auth/oauth2.py and re-exporting it from a new src/mcp/client/auth/__init__.py.

pcarleton
pcarleton requested changes Oct 28, 2025
View reviewed changes
src/mcp/client/auth/extensions/client_credentials.py
token_data["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# We need to set the audience to the token endpoint, the audience is difference from the one in claims
# it represents the resource server that will validate the token
token_data["audience"] = self.context.get_resource_url()
Copy link
Member

@pcarleton pcarleton Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe you'll want to use the issuer URL here:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rfc7523bis-01#name-updates-to-rfc-7523

Copy link
Contributor Author

@LucaButBoring LucaButBoring Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the comment here didn't match the required change; I've updated it in the latest commit - I believe the aud claim is supposed to be updated to the issuer, not this.

issuer = str(self.context.oauth_metadata.issuer)
assertion = self.jwt_parameters.to_assertion(with_audience_fallback=issuer)

This line is actually setting the audience parameter in the token exchange request:

token_data["audience"] = self.context.get_resource_url()

as described in RFC 8693.

Copy link
Member

@pcarleton pcarleton Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah yep i had the wrong line. thanks!

pcarleton
pcarleton approved these changes Oct 29, 2025
View reviewed changes
Copy link
Member

@pcarleton pcarleton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pcarleton pcarleton merged commit f161149 into modelcontextprotocol:main Oct 29, 2025
18 checks passed
Kludex
Kludex reviewed Oct 29, 2025
View reviewed changes
src/mcp/client/auth/__init__.py
Implements authorization code flow with PKCE and automatic token refresh.
"""

from mcp.client.auth.oauth2 import * # noqa: F403
Copy link
Member

@Kludex Kludex Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add the right imports here.

Copy link
Contributor

@yannj-fr yannj-fr Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you mean all classes one by one?

Copy link
Member

@Kludex Kludex Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

Copy link
Contributor

@maxisbey maxisbey Oct 29, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fixed in #1532

@yannj-fr yannj-fr mentioned this pull request Oct 29, 2025
Merged
maxisbey added a commit that referenced this pull request Oct 29, 2025
@maxisbey
Fix pyright error and replace wildcard import with explicit imports
77286d8 
This addresses issues introduced in PR #1247:

1. Fixed pyright reportMissingTypeStubs error by adding __init__.py to the
   extensions directory, making it a proper Python package
2. Replaced wildcard import in auth/__init__.py with explicit imports as
   requested in code review

The changes ensure type checking passes and maintain backward compatibility
with existing code that imports from mcp.client.auth.
@maxisbey maxisbey mentioned this pull request Oct 29, 2025
Merged
9 tasks
@LucaButBoring LucaButBoring mentioned this pull request Oct 29, 2025
Closed
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex left review comments

@maxisbey maxisbey maxisbey left review comments

@pcarleton pcarleton pcarleton approved these changes

@ochafik ochafik Awaiting requested review from ochafik

+1 more reviewer

@yannj-fr yannj-fr yannj-fr left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

auth Issues and PRs related to Authentication / OAuth needs maintainer action Potentially serious issue - needs proactive fix and maintainer attention

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Implement SEP-1046: Support OAuth client credentials flow in authorization

6 participants

@LucaButBoring @yannj-fr @felixweinberger @pcarleton @Kludex @maxisbey