[scenario] OAuth basic & PRM variation (#11)

* readme for auth tests

* wip prm test

* add example helper for local oauth w/o browser

* working through dangling timeout issue

* add better test function

* pretty printing

* add mcp method

* some more logging tweaks

* refactor logger into 1 class

* use common request logger

* fix base scenario

* some renaming

* refactor into helpers

* refactor to support second test

* rm readme

* add comment about www-authenticate

Author: pcarleton

examples/clients/typescript/auth-test.ts

@@ -0,0 +1,79 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { ConformanceOAuthProvider } from './helpers/ConformanceOAuthProvider.js';
+import { UnauthorizedError } from '@modelcontextprotocol/sdk/client/auth.js';
+
+async function main(): Promise<void> {
+  const serverUrl = process.argv[2];
+
+  if (!serverUrl) {
+    console.error('Usage: auth-test <server-url>');
+    process.exit(1);
+  }
+
+  console.log(`Connecting to MCP server at: ${serverUrl}`);
+
+  const client = new Client(
+    {
+      name: 'test-auth-client',
+      version: '1.0.0'
+    },
+    {
+      capabilities: {}
+    }
+  );
+
+  const authProvider = new ConformanceOAuthProvider(
+    'http://localhost:3000/callback',
+    {
+      client_name: 'test-auth-client',
+      redirect_uris: ['http://localhost:3000/callback']
+    }
+  );
+
+  let transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    authProvider
+  });
+
+  // Try to connect - handle OAuth if needed
+  try {
+    await client.connect(transport);
+    console.log('✅ Successfully connected to MCP server');
+  } catch (error) {
+    if (error instanceof UnauthorizedError) {
+      console.log('🔐 OAuth required - handling authorization...');
+
+      // The provider will automatically fetch the auth code
+      const authCode = await authProvider.getAuthCode();
+
+      // Complete the auth flow
+      await transport.finishAuth(authCode);
+
+      // Close the old transport
+      await transport.close();
+
+      // Create a new transport with the authenticated provider
+      transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+        authProvider: authProvider
+      });
+
+      // Connect with the new transport
+      await client.connect(transport);
+      console.log('✅ Successfully connected with authentication');
+    } else {
+      throw error;
+    }
+  }
+
+  await client.listTools();
+  console.log('✅ Successfully listed tools');
+
+  await transport.close();
+  console.log('✅ Connection closed successfully');
+
+  process.exit(0);
+}
+
+main();

examples/clients/typescript/helpers/ConformanceOAuthProvider.ts

@@ -0,0 +1,95 @@
+import { OAuthClientProvider } from '@modelcontextprotocol/sdk/client/auth.js';
+import {
+  OAuthClientInformation,
+  OAuthClientInformationFull,
+  OAuthClientMetadata,
+  OAuthTokens
+} from '@modelcontextprotocol/sdk/shared/auth.js';
+
+export class ConformanceOAuthProvider implements OAuthClientProvider {
+  private _clientInformation?: OAuthClientInformationFull;
+  private _tokens?: OAuthTokens;
+  private _codeVerifier?: string;
+  private _authCode?: string;
+  private _authCodePromise?: Promise<string>;
+
+  constructor(
+    private readonly _redirectUrl: string | URL,
+    private readonly _clientMetadata: OAuthClientMetadata,
+    private readonly _clientMetadataUrl?: string | URL
+  ) {}
+
+  get redirectUrl(): string | URL {
+    return this._redirectUrl;
+  }
+
+  get clientMetadata(): OAuthClientMetadata {
+    return this._clientMetadata;
+  }
+
+  clientInformation(): OAuthClientInformation | undefined {
+    if (this._clientMetadataUrl) {
+      console.log('Using client ID metadata URL');
+      return {
+        client_id: this._clientMetadataUrl.toString()
+      };
+    }
+    return this._clientInformation;
+  }
+
+  saveClientInformation(clientInformation: OAuthClientInformationFull): void {
+    this._clientInformation = clientInformation;
+  }
+
+  tokens(): OAuthTokens | undefined {
+    return this._tokens;
+  }
+
+  saveTokens(tokens: OAuthTokens): void {
+    this._tokens = tokens;
+  }
+
+  async redirectToAuthorization(authorizationUrl: URL): Promise<void> {
+    try {
+      const response = await fetch(authorizationUrl.toString(), {
+        redirect: 'manual' // Don't follow redirects automatically
+      });
+
+      // Get the Location header which contains the redirect with auth code
+      const location = response.headers.get('location');
+      if (location) {
+        const redirectUrl = new URL(location);
+        const code = redirectUrl.searchParams.get('code');
+        if (code) {
+          this._authCode = code;
+          return;
+        } else {
+          throw new Error('No auth code in redirect URL');
+        }
+      } else {
+        throw new Error('No redirect location received');
+      }
+    } catch (error) {
+      console.error('Failed to fetch authorization URL:', error);
+      throw error;
+    }
+  }
+
+  async getAuthCode(): Promise<string> {
+    if (this._authCode) {
+      return this._authCode;
+    }
+    throw new Error('No authorization code');
+  }
+
+  saveCodeVerifier(codeVerifier: string): void {
+    this._codeVerifier = codeVerifier;
+  }
+
+  codeVerifier(): string {
+    if (!this._codeVerifier) {
+      throw new Error('No code verifier saved');
+    }
+    return this._codeVerifier;
+  }
+}

package-lock.json

@@ -4,6 +4,53 @@ import path from 'path';
 import { ConformanceCheck } from '../types.js';
 import { getScenario } from '../scenarios/index.js';
 
+// ANSI color codes
+const COLORS = {
+  RESET: '\x1b[0m',
+  GRAY: '\x1b[90m',
+  GREEN: '\x1b[32m',
+  YELLOW: '\x1b[33m',
+  RED: '\x1b[31m',
+  BLUE: '\x1b[36m'
+};
+
+function getStatusColor(status: string): string {
+  switch (status) {
+    case 'SUCCESS':
+      return COLORS.GREEN;
+    case 'FAILURE':
+      return COLORS.RED;
+    case 'INFO':
+      return COLORS.BLUE;
+    default:
+      return COLORS.RESET;
+  }
+}
+
+function formatPrettyChecks(checks: ConformanceCheck[]): string {
+  // Find the longest id and status for column alignment
+  const maxIdLength = Math.max(...checks.map((c) => c.id.length));
+  const maxStatusLength = Math.max(...checks.map((c) => c.status.length));
+
+  return checks
+    .map((check) => {
+      const timestamp = `${COLORS.GRAY}${check.timestamp}${COLORS.RESET}`;
+      const id = check.id.padEnd(maxIdLength);
+      const statusColor = getStatusColor(check.status);
+      const status = `${statusColor}${check.status.padEnd(maxStatusLength)}${COLORS.RESET}`;
+      const description = check.description;
+      const line = `${timestamp} [${id}] ${status} ${description}`;
+      // Add newline after outgoing responses for better visual separation
+      return (
+        line +
+        (check.id.includes('outgoing') && check.id.includes('response')
+          ? '\n'
+          : '')
+      );
+    })
+    .join('\n');
+}
+
 export interface ClientExecutionResult {
   exitCode: number;
   stdout: string;
@@ -110,6 +157,21 @@ export async function runConformanceTest(
       timeout
     );
 
+    // Print stdout/stderr if client exited with nonzero code
+    if (clientOutput.exitCode !== 0) {
+      console.error(`\nClient exited with code ${clientOutput.exitCode}`);
+      if (clientOutput.stdout) {
+        console.error(`\nStdout:\n${clientOutput.stdout}`);
+      }
+      if (clientOutput.stderr) {
+        console.error(`\nStderr:\n${clientOutput.stderr}`);
+      }
+    }
+
+    if (clientOutput.timedOut) {
+      console.error(`\nClient timed out after ${timeout}ms`);
+    }
+
     const checks = scenario.getChecks();
 
     await fs.writeFile(
@@ -175,6 +237,7 @@ async function main(): Promise<void> {
   const args = process.argv.slice(2);
   let command: string | null = null;
   let scenario: string | null = null;
+  let verbose = false;
 
   for (let i = 0; i < args.length; i++) {
     if (args[i] === '--command' && i + 1 < args.length) {
@@ -183,12 +246,14 @@ async function main(): Promise<void> {
     } else if (args[i] === '--scenario' && i + 1 < args.length) {
       scenario = args[i + 1];
       i++;
+    } else if (args[i] === '--verbose') {
+      verbose = true;
     }
   }
 
   if (!scenario) {
     console.error(
-      'Usage: runner --scenario <scenario> [--command "<command>"]'
+      'Usage: runner --scenario <scenario> [--command "<command>"] [--verbose]'
     );
     console.error(
       'Example: runner --scenario initialize --command "tsx examples/clients/typescript/test1.ts"'
@@ -216,7 +281,11 @@ async function main(): Promise<void> {
     const passed = result.checks.filter((c) => c.status === 'SUCCESS').length;
     const failed = result.checks.filter((c) => c.status === 'FAILURE').length;
 
-    console.log(`Checks:\n${JSON.stringify(result.checks, null, 2)}`);
+    if (verbose) {
+      console.log(`Checks:\n${JSON.stringify(result.checks, null, 2)}`);
+    } else {
+      console.log(`Checks:\n${formatPrettyChecks(result.checks)}`);
+    }
 
     console.log(`\nTest Results:`);
     console.log(`Passed: ${passed}/${denominator}, ${failed} failed`);

src/runner/index.ts

@@ -0,0 +1,13 @@
+import { describe, test } from '@jest/globals';
+import { runClientAgainstScenario } from './helpers/testClient.js';
+import path from 'path';
+
+describe('PRM Path-Based Discovery', () => {
+  test('client discovers PRM at path-based location before root', async () => {
+    const clientPath = path.join(
+      process.cwd(),
+      'examples/clients/typescript/auth-test.ts'
+    );
+    await runClientAgainstScenario(clientPath, 'auth/basic-dcr');
+  });
+});

src/scenarios/client/auth/basic-dcr.test.ts

@@ -0,0 +1,63 @@
+import type { Scenario, ConformanceCheck } from '../../../types.js';
+import { ScenarioUrls } from '../../../types.js';
+import { createAuthServer } from './helpers/createAuthServer.js';
+import { createServer } from './helpers/createServer.js';
+import { ServerLifecycle } from './helpers/serverLifecycle.js';
+
+export class AuthBasicDCRScenario implements Scenario {
+  name = 'auth-basic-dcr';
+  description =
+    'Tests Basic OAuth flow with DCR, PRM at path-based location, OAuth metadata at root location, and no scopes required';
+  private authServer = new ServerLifecycle(() => this.authBaseUrl);
+  private server = new ServerLifecycle(() => this.baseUrl);
+  private checks: ConformanceCheck[] = [];
+  private baseUrl: string = '';
+  private authBaseUrl: string = '';
+
+  async start(): Promise<ScenarioUrls> {
+    this.checks = [];
+
+    const authApp = createAuthServer(this.checks, () => this.authBaseUrl);
+    this.authBaseUrl = await this.authServer.start(authApp);
+
+    const app = createServer(
+      this.checks,
+      () => this.baseUrl,
+      () => this.authBaseUrl
+    );
+    this.baseUrl = await this.server.start(app);
+
+    return { serverUrl: `${this.baseUrl}/mcp` };
+  }
+
+  async stop() {
+    await this.authServer.stop();
+    await this.server.stop();
+  }
+
+  getChecks(): ConformanceCheck[] {
+    const expectedSlugs = [
+      'prm-pathbased-requested',
+      'authorization-server-metadata',
+      'client-registration',
+      'authorization-request',
+      'token-request'
+    ];
+
+    for (const slug of expectedSlugs) {
+      if (!this.checks.find((c) => c.id === slug)) {
+        this.checks.push({
+          id: slug,
+          // TODO: these are redundant...
+          name: `Expected Check Missing: ${slug}`,
+          description: `Expected Check Missing: ${slug}`,
+          status: 'FAILURE',
+          timestamp: new Date().toISOString()
+          // TODO: ideally we'd add the spec references
+        });
+      }
+    }
+
+    return this.checks;
+  }
+}

src/scenarios/client/auth/basic-dcr.ts

@@ -0,0 +1,13 @@
+import { describe, test } from '@jest/globals';
+import { runClientAgainstScenario } from './helpers/testClient.js';
+import path from 'path';
+
+describe('OAuth Metadata at OpenID Configuration Path', () => {
+  test('client discovers OAuth metadata at OpenID configuration path', async () => {
+    const clientPath = path.join(
+      process.cwd(),
+      'examples/clients/typescript/auth-test.ts'
+    );
+    await runClientAgainstScenario(clientPath, 'auth/basic-metadata-var1');
+  });
+});