Introduce MCP client oauth flow

[jlowin]

This is a first cut at adding oauth support to fastmcp clients, with the goal of enabling e.g. fastmcp run https://mcp.paypal.com/sse from the CLI (or Claude Desktop / Cursor / local client of choice) to interact with any remote + authenticated server.

This needs careful review for spec compliance and log verbosity.

Includes support for both SSE and SHTTP client transports. fastmcp run is not part of this PR.

Quick demo script to log in to the Paypal MCP server and list available tools:

from fastmcp import Client
from rich import print

async with Client("https://mcp.paypal.com/sse", auth="oauth") as client:
    tools = await client.list_tools()
    print(tools)

[jlowin]

MCP # 734 would allow us to avoid the ugly patch

[juan-abia]

modelcontextprotocol/python-sdk#752 was just merged. It allows customisation to avoid the ugly path

[Copilot]

Pull Request Overview

This PR introduces OAuth support for fastmcp clients by implementing and integrating a new OAuth flow into both client and server components. Key changes include new test cases covering OAuth flows, updates to server and HTTP routes to support an OAuthProvider, and modifications to client transports and OAuth client implementations.

Reviewed Changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
tests/client/test_oauth.py	Added comprehensive tests for OAuth flows including authorization and token exchange.
src/fastmcp/utilities/tests.py	Adjusted server startup retry logic by reducing max_attempts and adjusting sleep intervals.
src/fastmcp/settings.py	Removed the auth field from ServerSettings in favor of using an OAuthProvider directly.
src/fastmcp/server/server.py, src/fastmcp/server/http.py	Updated authentication-related parameters to use a unified OAuthProvider rather than two separate parameters.
src/fastmcp/client/transports.py	Modified transport constructors to support an "oauth" authentication option.
src/fastmcp/client/auth.py, src/fastmcp/client/oauth_callback.py	Added a new OAuth client implementation and callback server for handling OAuth redirects.
pyproject.toml	Updated dependency versions and added authlib for OAuth support.

Comments suppressed due to low confidence (2)

src/fastmcp/utilities/tests.py:97

• Reducing max_attempts from 100 to 10 may lead to premature failure in environments with high load; please verify that 10 attempts provide sufficient stability during server startup.

max_attempts = 10

src/fastmcp/server/server.py:188

• The removal of the consistency check between settings.auth and auth_server_provider streamlines configuration; please ensure that the new approach fully covers potential misconfigurations that were previously caught.

self.auth = auth