Implement SEP-990 Enterprise Managed OAuth

[sagar-okta]

This PR implements SEP-990 which adds support for Enterprise Managed OAuth using RFC 8693 Token Exchange and RFC 7523 JWT Bearer flows. This enables secure machine-to-machine authentication for MCP clients in enterprise environments without requiring user interaction.

Related: #1090

Motivation and Context

Enterprise environments often require more secure OAuth flows that don't involve user interaction for machine-to-machine communication. SEP-990 addresses this by implementing:

Token Exchange (RFC 8693): Allows exchanging an ID token from an enterprise IDP for an authorization grant
JWT Bearer Grant (RFC 7523): Enables exchanging the authorization grant for an access token to access MCP resources
This change is needed to support enterprise customers who need to integrate MCP clients into their existing OAuth infrastructure securely.

How Has This Been Tested?

Added comprehensive unit tests in xaa-util.test.ts (994 new test cases) covering:
Successful token exchange flows
Authorization grant request failures (400, 401, 500 errors)
Access token exchange failures
OAuth error handling (invalid_request, invalid_client, invalid_grant, etc.)
Edge cases and validation (empty responses, malformed JSON, special characters encoding)
Token type validation
Request body encoding
Added middleware tests in middleware.test.ts (55 additional test cases)
Added documentation in client.md

Breaking Changes

No breaking changes - This is an additive feature that introduces new functionality without modifying existing APIs.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

Implementation Details:

New utility module xaa-util.ts (593 lines) implementing the core token exchange logic
New middleware functions in middleware.ts for integrating XAA into the auth flow
Added qs dependency for proper URL encoding of OAuth request parameters
Comprehensive error handling for various OAuth error responses
Support for OAuth metadata discovery for both IDP and MCP authorization servers

[changeset-bot]

⚠️ No Changeset found

Latest commit: 82931fd

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1328

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1328

commit: 82931fd