Add client credentials support to everything-client

- Add ConformanceContextSchema with discriminated union for auth contexts
- Add runClientCredentialsJwt and runClientCredentialsBasic handlers
- Update runner to include scenario name in context for discriminated union parsing
- Update test helpers to set env vars for inline client runners
- Fix JWT audience validation to match SDK behavior (no trailing slash)
- Add Python client example for testing client credentials flows
- Remove client credentials scenarios from skip list

Author: pcarleton

examples/clients/python/client_credentials_client.py

@@ -0,0 +1,224 @@
+#!/usr/bin/env python3
+"""
+Client credentials conformance test client.
+
+This client handles the auth/client-credentials-jwt and auth/client-credentials-basic
+scenarios from the MCP conformance test suite.
+
+Usage:
+    MCP_CONFORMANCE_SCENARIO=auth/client-credentials-jwt \
+    MCP_CONFORMANCE_CONTEXT='{"name":"auth/client-credentials-jwt","client_id":"...","private_key_pem":"...","signing_algorithm":"ES256"}' \
+    python client_credentials_client.py http://localhost:12345/mcp
+"""
+
+import asyncio
+import json
+import os
+import sys
+import time
+from uuid import uuid4
+
+import httpx
+import jwt
+
+
+async def get_oauth_metadata(client: httpx.AsyncClient, server_url: str) -> dict:
+    """Fetch OAuth authorization server metadata."""
+    from urllib.parse import urljoin, urlparse
+
+    parsed = urlparse(server_url)
+    base_url = f"{parsed.scheme}://{parsed.netloc}"
+
+    # First try the protected resource metadata
+    prm_url = urljoin(base_url, f"/.well-known/oauth-protected-resource{parsed.path}")
+    resp = await client.get(prm_url)
+    if resp.status_code == 200:
+        prm = resp.json()
+        auth_server = prm.get("authorization_servers", [base_url])[0]
+    else:
+        auth_server = base_url
+
+    # Fetch authorization server metadata
+    metadata_url = urljoin(auth_server, "/.well-known/oauth-authorization-server")
+    resp = await client.get(metadata_url)
+    resp.raise_for_status()
+    return resp.json()
+
+
+def create_jwt_assertion(
+    client_id: str,
+    private_key_pem: str,
+    algorithm: str,
+    audience: str,
+) -> str:
+    """Create a JWT client assertion."""
+    now = int(time.time())
+    claims = {
+        "iss": client_id,
+        "sub": client_id,
+        "aud": audience,
+        "exp": now + 300,
+        "iat": now,
+        "jti": str(uuid4()),
+    }
+    return jwt.encode(claims, private_key_pem, algorithm=algorithm)
+
+
+async def run_client_credentials_jwt(server_url: str, context: dict) -> None:
+    """Run client credentials flow with private_key_jwt authentication."""
+    client_id = context["client_id"]
+    private_key_pem = context["private_key_pem"]
+    signing_algorithm = context.get("signing_algorithm", "ES256")
+
+    async with httpx.AsyncClient() as client:
+        # Get OAuth metadata
+        metadata = await get_oauth_metadata(client, server_url)
+        token_endpoint = metadata["token_endpoint"]
+        issuer = metadata["issuer"]
+
+        # Create JWT assertion
+        assertion = create_jwt_assertion(
+            client_id=client_id,
+            private_key_pem=private_key_pem,
+            algorithm=signing_algorithm,
+            audience=issuer,
+        )
+
+        # Request token
+        token_response = await client.post(
+            token_endpoint,
+            data={
+                "grant_type": "client_credentials",
+                "client_assertion": assertion,
+                "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
+            },
+        )
+        token_response.raise_for_status()
+        tokens = token_response.json()
+        access_token = tokens["access_token"]
+
+        # Connect to MCP server
+        mcp_headers = {
+            "Authorization": f"Bearer {access_token}",
+            "Content-Type": "application/json",
+            "Accept": "application/json, text/event-stream",
+        }
+
+        init_response = await client.post(
+            server_url,
+            headers=mcp_headers,
+            json={
+                "jsonrpc": "2.0",
+                "id": 1,
+                "method": "initialize",
+                "params": {
+                    "protocolVersion": "2024-11-05",
+                    "capabilities": {},
+                    "clientInfo": {"name": "conformance-python-client", "version": "1.0.0"},
+                },
+            },
+        )
+        init_response.raise_for_status()
+
+        # List tools
+        tools_response = await client.post(
+            server_url,
+            headers=mcp_headers,
+            json={
+                "jsonrpc": "2.0",
+                "id": 2,
+                "method": "tools/list",
+                "params": {},
+            },
+        )
+        tools_response.raise_for_status()
+
+        print("Successfully connected with private_key_jwt auth", file=sys.stderr)
+
+
+async def run_client_credentials_basic(server_url: str, context: dict) -> None:
+    """Run client credentials flow with client_secret_basic authentication."""
+    client_id = context["client_id"]
+    client_secret = context["client_secret"]
+
+    async with httpx.AsyncClient() as client:
+        # Get OAuth metadata
+        metadata = await get_oauth_metadata(client, server_url)
+        token_endpoint = metadata["token_endpoint"]
+
+        # Request token with Basic auth
+        token_response = await client.post(
+            token_endpoint,
+            auth=(client_id, client_secret),
+            data={"grant_type": "client_credentials"},
+        )
+        token_response.raise_for_status()
+        tokens = token_response.json()
+        access_token = tokens["access_token"]
+
+        # Connect to MCP server
+        mcp_headers = {
+            "Authorization": f"Bearer {access_token}",
+            "Content-Type": "application/json",
+            "Accept": "application/json, text/event-stream",
+        }
+
+        init_response = await client.post(
+            server_url,
+            headers=mcp_headers,
+            json={
+                "jsonrpc": "2.0",
+                "id": 1,
+                "method": "initialize",
+                "params": {
+                    "protocolVersion": "2024-11-05",
+                    "capabilities": {},
+                    "clientInfo": {"name": "conformance-python-client", "version": "1.0.0"},
+                },
+            },
+        )
+        init_response.raise_for_status()
+
+        # List tools
+        tools_response = await client.post(
+            server_url,
+            headers=mcp_headers,
+            json={
+                "jsonrpc": "2.0",
+                "id": 2,
+                "method": "tools/list",
+                "params": {},
+            },
+        )
+        tools_response.raise_for_status()
+
+        print("Successfully connected with client_secret_basic auth", file=sys.stderr)
+
+
+async def main() -> None:
+    """Main entry point."""
+    if len(sys.argv) < 2:
+        print("Usage: client_credentials_client.py <server-url>", file=sys.stderr)
+        sys.exit(1)
+
+    server_url = sys.argv[1]
+
+    context_str = os.environ.get("MCP_CONFORMANCE_CONTEXT")
+    if not context_str:
+        print("MCP_CONFORMANCE_CONTEXT not set", file=sys.stderr)
+        sys.exit(1)
+
+    context = json.loads(context_str)
+    scenario_name = context.get("name")
+
+    if scenario_name == "auth/client-credentials-jwt":
+        await run_client_credentials_jwt(server_url, context)
+    elif scenario_name == "auth/client-credentials-basic":
+        await run_client_credentials_basic(server_url, context)
+    else:
+        print(f"Unknown scenario: {scenario_name}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

examples/clients/typescript/everything-client.ts

@@ -12,9 +12,15 @@
  * consolidating all the individual test clients into one.
  */
 
+import { fileURLToPath } from 'url';
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import {
+  ClientCredentialsProvider,
+  PrivateKeyJwtProvider
+} from '@modelcontextprotocol/sdk/client/auth-extensions.js';
 import { ElicitRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { ConformanceContextSchema } from '../../../src/schemas/context.js';
 import { withOAuthRetry } from './helpers/withOAuthRetry.js';
 import { logger } from './helpers/logger.js';
 
@@ -175,6 +181,96 @@ async function runElicitationDefaultsClient(serverUrl: string): Promise<void> {
 
 registerScenario('elicitation-defaults', runElicitationDefaultsClient);
 
+// ============================================================================
+// Client Credentials scenarios
+// ============================================================================
+
+/**
+ * Parse the conformance context from MCP_CONFORMANCE_CONTEXT env var.
+ */
+function parseContext() {
+  const raw = process.env.MCP_CONFORMANCE_CONTEXT;
+  if (!raw) {
+    throw new Error('MCP_CONFORMANCE_CONTEXT not set');
+  }
+  return ConformanceContextSchema.parse(JSON.parse(raw));
+}
+
+/**
+ * Client credentials with private_key_jwt authentication.
+ */
+export async function runClientCredentialsJwt(
+  serverUrl: string
+): Promise<void> {
+  const ctx = parseContext();
+  if (ctx.name !== 'auth/client-credentials-jwt') {
+    throw new Error(`Expected jwt context, got ${ctx.name}`);
+  }
+
+  const provider = new PrivateKeyJwtProvider({
+    clientId: ctx.client_id,
+    privateKey: ctx.private_key_pem,
+    algorithm: ctx.signing_algorithm || 'ES256'
+  });
+
+  const client = new Client(
+    { name: 'conformance-client-credentials-jwt', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    authProvider: provider
+  });
+
+  await client.connect(transport);
+  logger.debug('Successfully connected with private_key_jwt auth');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/client-credentials-jwt', runClientCredentialsJwt);
+
+/**
+ * Client credentials with client_secret_basic authentication.
+ */
+export async function runClientCredentialsBasic(
+  serverUrl: string
+): Promise<void> {
+  const ctx = parseContext();
+  if (ctx.name !== 'auth/client-credentials-basic') {
+    throw new Error(`Expected basic context, got ${ctx.name}`);
+  }
+
+  const provider = new ClientCredentialsProvider({
+    clientId: ctx.client_id,
+    clientSecret: ctx.client_secret
+  });
+
+  const client = new Client(
+    { name: 'conformance-client-credentials-basic', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    authProvider: provider
+  });
+
+  await client.connect(transport);
+  logger.debug('Successfully connected with client_secret_basic auth');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+registerScenario('auth/client-credentials-basic', runClientCredentialsBasic);
+
 // ============================================================================
 // Main entry point
 // ============================================================================
@@ -216,7 +312,10 @@ async function main(): Promise<void> {
   }
 }
 
-main().catch((error) => {
-  console.error('Unhandled error:', error);
-  process.exit(1);
-});
+// Only run main when this file is executed directly, not when imported as a module
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+  main().catch((error) => {
+    console.error('Unhandled error:', error);
+    process.exit(1);
+  });
+}

src/runner/client.ts

@@ -35,7 +35,11 @@ async function executeClient(
   const env = { ...process.env };
   env.MCP_CONFORMANCE_SCENARIO = scenarioName;
   if (context) {
-    env.MCP_CONFORMANCE_CONTEXT = JSON.stringify(context);
+    // Include scenario name in context for discriminated union parsing
+    env.MCP_CONFORMANCE_CONTEXT = JSON.stringify({
+      name: scenarioName,
+      ...context
+    });
   }
 
   return new Promise((resolve) => {

src/scenarios/client/auth/client-credentials.ts

@@ -51,9 +51,8 @@ export class ClientCredentialsJwtScenario implements Scenario {
       tokenEndpointAuthSigningAlgValuesSupported: ['ES256'],
       onTokenRequest: async ({ grantType, body, timestamp, authBaseUrl }) => {
         // Per RFC 7523bis, the audience MUST be the issuer identifier
-        const issuerUrl = authBaseUrl.endsWith('/')
-          ? authBaseUrl
-          : `${authBaseUrl}/`;
+        // The SDK uses metadata.issuer as audience, which matches authBaseUrl
+        const issuerUrl = authBaseUrl;
         if (grantType !== 'client_credentials') {
           this.checks.push({
             id: 'client-credentials-grant-type',