@SoldierSacha SoldierSacha commented Jun 4, 2025

Motivation and Context

#881

In addition to implementing the Client Credentials grant (as referenced in the issue linked above), I have also integrated support for the Token Exchange grant.

Reasoning for Token Exchange: While the Client Credentials grant is suitable for machine-to-machine authorization, I realized that there are times where the client machine (acting as an MCP Client) might have to make requests on behalf of an end-user to the MCP Server. With that being said, in the current implementation, this did not exist because there was no way to securely identify the end-user.

Now it does through Token Exchange.

How Has This Been Tested?

Added test cases (all pass), and I am also currently using it in my own MCP server and client. Everything is working as intended.

Breaking Changes

None

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

No

@SoldierSacha
Author

@Kludex @pcarleton

@felixweinberger felixweinberger requested review from pcarleton and removed request for ochafik September 17, 2025 14:49
@felixweinberger felixweinberger added the labels "needs more eyes" (Needs alignment among maintainers whether this is something we want to add), "auth" (Issues and PRs related to Authentication / OAuth) and "pending SEP approval" (When a PR is attached as an implementation detail to a SEP, we mark it as such for triage.), and removed the label "needs more eyes" (Needs alignment among maintainers whether this is something we want to add), Sep 17, 2025
Contributor

@felixweinberger felixweinberger left a comment

Hi @SoldierSacha thanks for this contribution! And apologies for the time it took to get back to this.

I checked with @pcarleton and it looks like this change is still pending SEP-1046: modelcontextprotocol/modelcontextprotocol#1047

I'm going to request changes for now as there will still be merge conflict resolution and potentially minor changes needed once that SEP is accepted.

@SoldierSacha
Author

SoldierSacha commented Sep 17, 2025

> Hi @SoldierSacha thanks for this contribution! And apologies for the time it took to get back to this.
>
> I checked with @pcarleton and it looks like this change is still pending SEP-1046: modelcontextprotocol/modelcontextprotocol#1047
>
> I'm going to request changes for now as there will still be merge conflict resolution and potentially minor changes needed once that SEP is accepted.

Thanks for the update, @felixweinberger!

Understood — I’ll keep an eye on SEP-1046. Once that’s accepted and merged, I’ll rebase again and make any necessary adjustments.

For now, I’ve gone ahead and updated this branch with the latest changes from main to keep it current and reduce future conflicts.

Appreciate the review!

@felixweinberger felixweinberger marked this pull request as draft September 26, 2025 13:43
@felixweinberger
Contributor

Converting this to a draft for now as the SEP is still being discussed - once accepted feel free to re-publish for review.

Successfully merging this pull request may close these issues.

Implement SEP-1046: Support OAuth client credentials flow in authorization