merge fix

pcarleton · pcarleton · commit 32a5e6dd3501 · 2025-11-20T20:32:20.000Z
diff --git a/src/mcp/client/auth/oauth2.py b/src/mcp/client/auth/oauth2.py
@@ -19,7 +19,7 @@
 import httpx
 from pydantic import BaseModel, Field, ValidationError
 
-from mcp.client.auth import OAuthFlowError, OAuthTokenError
+from mcp.client.auth.exceptions import OAuthFlowError, OAuthRegistrationError, OAuthTokenError
 from mcp.client.auth.utils import (
     build_oauth_authorization_server_metadata_discovery_urls,
     build_protected_resource_metadata_discovery_urls,
@@ -193,7 +193,7 @@ def prepare_token_auth(
 
         auth_method = self.client_info.token_endpoint_auth_method
 
-        if auth_method == "client_secret_basic" and self.client_info.client_secret:
+        if auth_method == "client_secret_basic" and self.client_info.client_id and self.client_info.client_secret:
             # URL-encode client ID and secret per RFC 6749 Section 2.3.1
             encoded_id = quote(self.client_info.client_id, safe="")
             encoded_secret = quote(self.client_info.client_secret, safe="")
@@ -426,7 +426,7 @@ async def _refresh_token(self) -> httpx.Request:
         if not self.context.current_tokens or not self.context.current_tokens.refresh_token:
             raise OAuthTokenError("No refresh token available")  # pragma: no cover
 
-        if not self.context.client_info:
+        if not self.context.client_info or not self.context.client_info.client_id:
             raise OAuthTokenError("No client info available")  # pragma: no cover
 
         if self.context.oauth_metadata and self.context.oauth_metadata.token_endpoint:
@@ -435,7 +435,7 @@ async def _refresh_token(self) -> httpx.Request:
             auth_base_url = self.context.get_authorization_base_url(self.context.server_url)
             token_url = urljoin(auth_base_url, "/token")
 
-        refresh_data = {
+        refresh_data: dict[str, str] = {
             "grant_type": "refresh_token",
             "refresh_token": self.context.current_tokens.refresh_token,
             "client_id": self.context.client_info.client_id,
diff --git a/src/mcp/server/auth/middleware/client_auth.py b/src/mcp/server/auth/middleware/client_auth.py
@@ -106,8 +106,8 @@ async def authenticate_request(self, request: Request) -> OAuthClientInformation
             # arguments to bytes.
             if not hmac.compare_digest(
                 client.client_secret.encode(), request_client_secret.encode()
-            ):  # pragma: no cover
-                raise AuthenticationError("Invalid client_secret")
+            ):
+                raise AuthenticationError("Invalid client_secret")  # pragma: no cover
 
             if client.client_secret_expires_at and client.client_secret_expires_at < int(time.time()):
                 raise AuthenticationError("Client secret has expired")  # pragma: no cover
diff --git a/src/mcp/shared/auth.py b/src/mcp/shared/auth.py
@@ -43,9 +43,9 @@ class OAuthClientMetadata(BaseModel):
 
     redirect_uris: list[AnyUrl] | None = Field(..., min_length=1)
     # supported auth methods for the token endpoint
-    token_endpoint_auth_method: Literal[
-        "none", "client_secret_post", "client_secret_basic", "private_key_jwt"
-    ] | None = None
+    token_endpoint_auth_method: (
+        Literal["none", "client_secret_post", "client_secret_basic", "private_key_jwt"] | None
+    ) = None
     # supported grant_types of this implementation
     grant_types: list[
         Literal["authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer"] | str
diff --git a/tests/client/test_auth.py b/tests/client/test_auth.py
@@ -707,7 +707,7 @@ async def test_basic_auth_token_exchange(self, oauth_provider: OAuthClientProvid
             token_endpoint_auth_method="client_secret_basic",
         )
 
-        request = await oauth_provider._exchange_token("test_auth_code", "test_verifier")
+        request = await oauth_provider._exchange_token_authorization_code("test_auth_code", "test_verifier")
 
         # Should use basic auth (registered method)
         assert "Authorization" in request.headers
@@ -784,7 +784,7 @@ async def test_none_auth_method(self, oauth_provider: OAuthClientProvider):
             token_endpoint_auth_method="none",
         )
 
-        request = await oauth_provider._exchange_token("test_auth_code", "test_verifier")
+        request = await oauth_provider._exchange_token_authorization_code("test_auth_code", "test_verifier")
 
         # Should NOT have Authorization header
         assert "Authorization" not in request.headers

Original file line number	Diff line number	Diff line change
`@@ -707,7 +707,7 @@ async def test_basic_auth_token_exchange(self, oauth_provider: OAuthClientProvid`
`707`	`707`	`token_endpoint_auth_method="client_secret_basic",`
`708`	`708`	`)`
`709`	`709`
`710`		`- request = await oauth_provider._exchange_token("test_auth_code", "test_verifier")`
	`710`	`+ request = await oauth_provider._exchange_token_authorization_code("test_auth_code", "test_verifier")`
`711`	`711`
`712`	`712`	`# Should use basic auth (registered method)`
`713`	`713`	`assert "Authorization" in request.headers`
`@@ -784,7 +784,7 @@ async def test_none_auth_method(self, oauth_provider: OAuthClientProvider):`
`784`	`784`	`token_endpoint_auth_method="none",`
`785`	`785`	`)`
`786`	`786`
`787`		`- request = await oauth_provider._exchange_token("test_auth_code", "test_verifier")`
	`787`	`+ request = await oauth_provider._exchange_token_authorization_code("test_auth_code", "test_verifier")`
`788`	`788`
`789`	`789`	`# Should NOT have Authorization header`
`790`	`790`	`assert "Authorization" not in request.headers`