From 91b992ba3fb15a72c4c7b97df44d94575c7680a0 Mon Sep 17 00:00:00 2001
From: Josh Lehman
Date: Wed, 21 May 2025 14:47:20 -0700
Subject: [PATCH] fix: expand OAuth metadata validation to support compliant servers

The OAuthMetadata validation was too restrictive, rejecting valid OAuth 2.0 server configurations that advertise additional authentication methods beyond the minimum required set.

Changes:
- Allow 'client_secret_basic' in token_endpoint_auth_methods_supported
- Allow 'plain' in code_challenge_methods_supported

This fixes compatibility with MCP servers like Asana (mcp.asana.com) that advertise support for multiple OAuth authentication methods as allowed by the OAuth 2.0 specification and MCP specification.

The MCP specification does not restrict which authentication methods servers can support, only requiring that PKCE is used. These changes ensure the client can connect to any compliant MCP server regardless of which optional authentication methods they also support.
---
 src/mcp/shared/auth.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mcp/shared/auth.py b/src/mcp/shared/auth.py
index 22f8a971d..32006c337 100644
--- a/src/mcp/shared/auth.py
+++ b/src/mcp/shared/auth.py
@@ -117,7 +117,7 @@ class OAuthMetadata(BaseModel):
         list[Literal["authorization_code", "refresh_token"]] | None
     ) = None
     token_endpoint_auth_methods_supported: (
-        list[Literal["none", "client_secret_post"]] | None
+        list[Literal["none", "client_secret_post", "client_secret_basic"]] | None
     ) = None
     token_endpoint_auth_signing_alg_values_supported: None = None
     service_documentation: AnyHttpUrl | None = None
@@ -134,4 +134,4 @@ class OAuthMetadata(BaseModel):
         list[Literal["client_secret_post"]] | None
     ) = None
     introspection_endpoint_auth_signing_alg_values_supported: None = None
-    code_challenge_methods_supported: list[Literal["S256"]] | None = None
+    code_challenge_methods_supported: list[Literal["S256", "plain"]] | None = None
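Review bot: The widened Literal on `token_endpoint_auth_methods_supported` still rejects any server whose metadata lists other values registered for this field (RFC 8414 / RFC 7591 names such as `client_secret_jwt` and `private_key_jwt`), so the commit's stated goal of connecting to any compliant server is not met by this hunk; a server advertising one of those alongside `none` fails validation exactly as before. Since this field only describes what the server offers and the method the client actually uses is decided elsewhere, a looser annotation such as `token_endpoint_auth_methods_supported: list[str] | None = None` with the client choosing from the values it implements would be more robust than adding names one at a time. If the enumeration is kept deliberately, a comment stating that it is intentionally restrictive and why would help the next reader; the same question applies to the field whose type closes at the top of the second hunk, which is still `Literal["client_secret_post"]` only. The enclosing OAuthMetadata class starts before this hunk and continues after it.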
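Review bot: Accepting `plain` in `code_challenge_methods_supported` is correct for parsing what a server advertises, but nothing in this hunk shows that the client's own PKCE method selection is pinned to S256; if that code picks the first or any listed method, a server advertising `plain` first would lead the client to send the unhashed verifier as the challenge, which removes the code-interception protection PKCE exists for (RFC 7636 permits `plain` only when S256 is technically unavailable). Worth confirming that the selection logic chooses S256 whenever the server lists it and refuses otherwise, and recording that intent on the field: `# Parsed for completeness; the client always uses S256 (RFC 7636 §4.2) and must never downgrade to "plain".` The enclosing OAuthMetadata class starts before this hunk.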