fix: Prefer the token_endpoint_auth_method response from DCR registration #982
Closed
chipgpt wants to merge 0 commit into modelcontextprotocol:main from
chipgpt
commented
Sep 29, 2025
src/client/auth.test.ts
Outdated
| (mockProvider.clientInformation as jest.Mock).mockResolvedValue({ | ||
| client_id: "test-client", | ||
| client_secret: "test-secret", | ||
| redirect_uris: ["http://localhost:3000/callback"], |
Contributor
Author
Adding the redirect_uris to all the mock objects to match the new type OAuthClientInformationFull
chipgpt
commented
Sep 29, 2025
src/client/auth.ts
Outdated
Comment on lines 168 to 176
| // Prefer the method returned by the server during client registration if valid and supported | ||
| if ( | ||
| clientInformation.token_endpoint_auth_method && | ||
| isClientAuthMethod(clientInformation.token_endpoint_auth_method) && | ||
| supportedMethods.includes(clientInformation.token_endpoint_auth_method) | ||
| ) { | ||
| return clientInformation.token_endpoint_auth_method; | ||
| } | ||
|
|
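Review bot: in the if condition at the top of this hunk, a token_endpoint_auth_method that is present but fails isClientAuthMethod(...) or supportedMethods.includes(...) is handled exactly like one that is absent, and selection silently continues past the block. Those are different situations: a present-but-rejected value means the client goes on to pick something other than what the registration response named, with nothing recorded about why. Consider splitting the check so that only the absent case falls through, while the rejected case throws or at least logs the rejected value, and cover all three outcomes (absent, accepted, rejected) in auth.test.ts.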
Contributor
Author
Should this throw an error if an invalid or unsupported token_endpoint_auth_method is returned? This implementation would simply skip it and fall through to the rest of the logic if it is invalid or unsupported.
On the other hand, should it even care if it's valid or supported in this context? Or should it just use the token_endpoint_auth_method value without validating it at all?
f3e904d to c84ef24
9 tasks
Updates the OAuth authorization flow to prefer to use the token_endpoint_auth_method result from the Dynamic Client Registration endpoint, if provided.
Motivation and Context
When using dynamic client registration, the registration endpoint may return the token_endpoint_auth_method value to be used when exchanging tokens for access tokens. The current OAuth implementation ignores this field and only uses the methods from the OAuth authorization server metadata.
How Has This Been Tested?
This has not been tested in a real application.
Breaking Changes
No breaking changes.
Types of changes
Checklist
Additional context
This is my first stab at a PR for this project. Go easy on me xD.
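One stricter answer to the validation question raised in the review comment above, as an added example that is not part of this PR or the SDK: a registered method that is present but unusable is reported as an error, and only an absent field falls back to the authorization server metadata. The names selectAuthMethod, RegisteredClient and AuthSelection, the three-method list and the fail-closed policy are assumptions made for illustration.

```typescript
// Added example: names and policy are hypothetical, not the SDK's own code.
type AuthMethod = "client_secret_basic" | "client_secret_post" | "none";
const KNOWN: string[] = ["client_secret_basic", "client_secret_post", "none"];

interface RegisteredClient {
  client_id: string;
  client_secret?: string;
  token_endpoint_auth_method?: string; // as echoed by the registration endpoint
}

interface AuthSelection {
  method?: AuthMethod;                   // set on success
  source?: "registration" | "metadata";  // where the choice came from
  error?: string;                        // set when no safe choice exists
}

function selectAuthMethod(client: RegisteredClient, metadataMethods?: string[]): AuthSelection {
  // RFC 8414: a missing token_endpoint_auth_methods_supported means client_secret_basic.
  const supported = metadataMethods || ["client_secret_basic"];
  const registered = client.token_endpoint_auth_method;

  if (registered !== undefined) {
    // Present but unusable is reported, never silently replaced by another method.
    if (KNOWN.indexOf(registered) === -1) {
      return { error: "registration returned unknown method: " + registered };
    }
    if (supported.indexOf(registered) === -1) {
      return { error: "registered method not in server metadata: " + registered };
    }
    if (registered !== "none" && !client.client_secret) {
      return { error: "registered method needs a client_secret: " + registered };
    }
    return { method: registered as AuthMethod, source: "registration" };
  }

  // Field absent: choose from metadata, secret-based methods only when a secret exists.
  const candidates: AuthMethod[] = client.client_secret
    ? ["client_secret_basic", "client_secret_post"] : ["none"];
  for (const m of candidates) {
    if (supported.indexOf(m) !== -1) return { method: m, source: "metadata" };
  }
  return { error: "no mutually supported token endpoint auth method" };
}

// Constructed sample: the server registered the client for client_secret_post.
const sample: RegisteredClient = {
  client_id: "test-client", client_secret: "test-secret",
  token_endpoint_auth_method: "client_secret_post" };
console.log(selectAuthMethod(sample, ["client_secret_basic", "client_secret_post"]));
```

Returning an error object instead of throwing keeps the rejected value visible to the caller, which can then decide whether to re-register or abort the flow.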