[auth]: support oauth client_secret_basic / none / custom methods#720
Merged
[auth]: support oauth client_secret_basic / none / custom methods#720
Conversation
… during authorization code exchange.
… during refresh token exchange.
… refreshAuthorization to maintain compatibility.
… into ochafik/auth-merge-531-552
…ods' into ochafik/auth-merge-531-552
The applyBasicAuth function was incorrectly trying to set headers using array notation on a Headers object. Fixed by using the proper Headers.set() method instead of treating it as a plain object. This ensures that HTTP Basic authentication works correctly when client_secret_basic is the selected authentication method. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This was referenced Jul 1, 2025
Contributor
|
Thanks @ochafik ! This is looking pretty good. I'm experimenting with the branch right now, and have a suggested modification that I'll propose later tonight or tomorrow. |
9 tasks
Contributor
SightStudio
reviewed
Jul 7, 2025
Contributor
SightStudio
left a comment
SightStudio
left a comment
There was a problem hiding this comment.
I know my feedback came a bit late, but it looks good to me.
I don't have any major comments to add.
Thank you for reviewing it positively!
felixweinberger
approved these changes
Jul 9, 2025
Contributor
felixweinberger
left a comment
felixweinberger
left a comment
There was a problem hiding this comment.
only some nits, looks clean to me!
src/client/auth.test.ts
Outdated
Comment on lines
11
to
13
| type OAuthClientProvider, | ||
| } from "./auth.js"; | ||
| import { OAuthMetadata } from 'src/shared/auth.js'; |
Contributor
There was a problem hiding this comment.
nit: the project seems to use ../shared/auth.js as a pattern, i.e. relative imports (but I actually think this is better)
see discussion: https://anthropic.slack.com/archives/C0840HQ2Y2V/p1752075120212319
Contributor
Author
There was a problem hiding this comment.
Gone relative, thanks for the link
src/client/auth.ts
Outdated
Comment on lines
89
to
92
| * @param url - The token endpoint URL being called | ||
| * @param headers - The request headers (can be modified to add authentication) | ||
| * @param params - The request body parameters (can be modified to add credentials) | ||
| */ |
Contributor
There was a problem hiding this comment.
ultra-nit: @params are in a different order than the args
src/client/auth.ts
Outdated
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { | ||
| const hasClientSecret = !!clientInformation.client_secret; |
Contributor
There was a problem hiding this comment.
nit: we don't seem to use !! notation anywhere, maybe prefer explicitness?
const hasClientSecret = clientInformation.client_secret !== undefined && clientInformation.client_secret !== '';
Contributor
Author
There was a problem hiding this comment.
Tightened this / only testing against undefined
src/client/auth.ts
Outdated
| function selectClientAuthMethod( | ||
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { |
Contributor
There was a problem hiding this comment.
should this maybe return an enum?
enum ClientAuthMethod {
BASIC = "client_secret_basic",
POST = "client_secret_post",
NONE = "none"
}
src/client/auth.ts
Outdated
Comment on lines
175
to
188
| if (method === "client_secret_basic") { | ||
| applyBasicAuth(client_id, client_secret, headers); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "client_secret_post") { | ||
| applyPostAuth(client_id, client_secret, params); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "none") { | ||
| applyPublicAuth(client_id, params); | ||
| return; | ||
| } |
Contributor
There was a problem hiding this comment.
could make this a switch with the enum potentially
Comment on lines
+649
to
+656
| if (addClientAuthentication) { | ||
| addClientAuthentication(headers, params, authorizationServerUrl, metadata); | ||
| } else { | ||
| // Determine and apply client authentication method | ||
| const supportedMethods = metadata?.token_endpoint_auth_methods_supported ?? []; | ||
| const authMethod = selectClientAuthMethod(clientInformation, supportedMethods); | ||
|
|
||
| applyClientAuthentication(authMethod, clientInformation, headers, params); |
| const body = request.body as URLSearchParams; | ||
| expect(body.get("client_id")).toBe("client123"); | ||
| expect(body.get("client_secret")).toBe("secret123"); | ||
| }); |
Contributor
There was a problem hiding this comment.
should we have a test if it supports everything, that it chooses client_secret_basic
src/client/auth.test.ts
Outdated
Comment on lines
1642
to
1643
| expect(body.get("client_id")).toBeNull(); // should not be in body | ||
| expect(body.get("client_secret")).toBeNull(); // should not be in body |
Contributor
There was a problem hiding this comment.
nit: comments seem redundant
ochafik
commented
Jul 9, 2025
src/client/auth.test.ts
Outdated
Comment on lines
1642
to
1643
| expect(body.get("client_id")).toBeNull(); // should not be in body | ||
| expect(body.get("client_secret")).toBeNull(); // should not be in body |
| const body = request.body as URLSearchParams; | ||
| expect(body.get("client_id")).toBe("client123"); | ||
| expect(body.get("client_secret")).toBe("secret123"); | ||
| }); |
src/client/auth.ts
Outdated
Comment on lines
89
to
92
| * @param url - The token endpoint URL being called | ||
| * @param headers - The request headers (can be modified to add authentication) | ||
| * @param params - The request body parameters (can be modified to add credentials) | ||
| */ |
src/client/auth.ts
Outdated
| function selectClientAuthMethod( | ||
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { |
src/client/auth.ts
Outdated
| clientInformation: OAuthClientInformation, | ||
| supportedMethods: string[] | ||
| ): string { | ||
| const hasClientSecret = !!clientInformation.client_secret; |
Contributor
Author
There was a problem hiding this comment.
Tightened this / only testing against undefined
src/client/auth.ts
Outdated
Comment on lines
175
to
188
| if (method === "client_secret_basic") { | ||
| applyBasicAuth(client_id, client_secret, headers); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "client_secret_post") { | ||
| applyPostAuth(client_id, client_secret, params); | ||
| return; | ||
| } | ||
|
|
||
| if (method === "none") { | ||
| applyPublicAuth(client_id, params); | ||
| return; | ||
| } |
src/client/auth.test.ts
Outdated
Comment on lines
11
to
13
| type OAuthClientProvider, | ||
| } from "./auth.js"; | ||
| import { OAuthMetadata } from 'src/shared/auth.js'; |
Contributor
Author
There was a problem hiding this comment.
Gone relative, thanks for the link
Contributor
Author
|
Oh absolutely, fixed, thanks for bringing it up!
…On Thu, Jul 10, 2025 at 4:34 PM Dong Min Seol ***@***.***> wrote:
*SightStudio* left a comment (modelcontextprotocol/typescript-sdk#720)
<#720 (comment)>
https://github.com/modelcontextprotocol/typescript-sdk/releases/tag/1.15.1
@jerome3o-anthropic <https://github.com/jerome3o-anthropic>
It would be nice if co-authors could also be added to that list of
contributors.
--
--
Olivier
|
9 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an attempt to merge #531 and #552
Motivation and Context
This merges two sets of OAuth changes:
OAuthClientProvider.addClientAuthenticationcallback (renamed from PR's proposedauthToTokenEndpoint) for custom auth methodsclient_secret_basic,none)How Has This Been Tested?
WIP: testing in inspector
Breaking Changes
n/a
Types of changes
Checklist
Additional context