Merge main (CIMD conformance test) and resolve conflict

Author: felixweinberger

examples/clients/typescript/auth-test-bad-prm.ts

@@ -7,10 +7,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that always uses root-based PRM discovery.

examples/clients/typescript/auth-test-ignore-403.ts

@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that only responds to 401, not 403.

examples/clients/typescript/auth-test-ignore-scope.ts

@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that ignores the scope from WWW-Authenticate header.

examples/clients/typescript/auth-test-no-cimd.ts

@@ -0,0 +1,51 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Non-compliant client that doesn't use CIMD (Client ID Metadata Document).
+ *
+ * This client intentionally omits the clientMetadataUrl parameter when the server
+ * advertises client_id_metadata_document_supported=true. A compliant client should
+ * use CIMD when the server supports it, but this client falls back to DCR (Dynamic
+ * Client Registration) instead.
+ *
+ * Used to test that conformance checks detect clients that don't properly
+ * implement CIMD support.
+ */
+export async function runClient(serverUrl: string): Promise<void> {
+  const client = new Client(
+    { name: 'test-auth-client-no-cimd', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  // Non-compliant: omitting clientMetadataUrl causes fallback to DCR
+  // A compliant client would pass a clientMetadataUrl here when the server
+  // advertises client_id_metadata_document_supported=true
+  const oauthFetch = withOAuthRetry(
+    'test-auth-client-no-cimd',
+    new URL(serverUrl)
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('Connected to MCP server (without CIMD)');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await client.callTool({ name: 'test-tool', arguments: {} });
+  logger.debug('Successfully called tool');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+runAsCli(runClient, import.meta.url, 'auth-test-no-cimd <server-url>');

examples/clients/typescript/auth-test-partial-scopes.ts

@@ -8,10 +8,10 @@ import {
   UnauthorizedError
 } from '@modelcontextprotocol/sdk/client/auth.js';
 import type { FetchLike } from '@modelcontextprotocol/sdk/shared/transport.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
 
 /**
  * Broken client that only requests a subset of scopes.

examples/clients/typescript/auth-test.ts

@@ -2,9 +2,17 @@
 
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
-import { runAsCli } from './helpers/cliRunner.js';
-import { logger } from './helpers/logger.js';
+import { withOAuthRetry, handle401 } from './helpers/withOAuthRetry';
+import { runAsCli } from './helpers/cliRunner';
+import { logger } from './helpers/logger';
+
+/**
+ * Fixed client metadata URL for CIMD conformance tests.
+ * When server supports client_id_metadata_document_supported, this URL
+ * will be used as the client_id instead of doing dynamic registration.
+ */
+const CIMD_CLIENT_METADATA_URL =
+  'https://conformance-test.local/client-metadata.json';
 
 /**
  * Well-behaved auth client that follows all OAuth protocols correctly.
@@ -17,7 +25,9 @@ export async function runClient(serverUrl: string): Promise<void> {
 
   const oauthFetch = withOAuthRetry(
     'test-auth-client',
-    new URL(serverUrl)
+    new URL(serverUrl),
+    handle401,
+    CIMD_CLIENT_METADATA_URL
   )(fetch);
 
   const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {

examples/clients/typescript/helpers/ConformanceOAuthProvider.ts

@@ -27,13 +27,11 @@ export class ConformanceOAuthProvider implements OAuthClientProvider {
     return this._clientMetadata;
   }
 
+  get clientMetadataUrl(): string | undefined {
+    return this._clientMetadataUrl?.toString();
+  }
+
   clientInformation(): OAuthClientInformation | undefined {
-    if (this._clientMetadataUrl) {
-      console.log('Using client ID metadata URL');
-      return {
-        client_id: this._clientMetadataUrl.toString()
-      };
-    }
     return this._clientInformation;
   }
 

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -60,14 +60,16 @@ export const handle401 = async (
 export const withOAuthRetry = (
   clientName: string,
   baseUrl?: string | URL,
-  handle401Fn: typeof handle401 = handle401
+  handle401Fn: typeof handle401 = handle401,
+  clientMetadataUrl?: string
 ): Middleware => {
   const provider = new ConformanceOAuthProvider(
     'http://localhost:3000/callback',
     {
       client_name: clientName,
       redirect_uris: ['http://localhost:3000/callback']
-    }
+    },
+    clientMetadataUrl
   );
   return (next: FetchLike) => {
     return async (

src/checks/client.ts

@@ -1,4 +1,4 @@
-import { ConformanceCheck, CheckStatus } from '../types.js';
+import { ConformanceCheck, CheckStatus } from '../types';
 
 export function createServerInfoCheck(serverInfo: {
   name: string;

src/checks/index.ts

@@ -1,4 +1,4 @@
 // Namespaced exports for client checks
-import * as client from './client.js';
+import * as client from './client';
 
 export const clientChecks = client;