add cimd test and negative test

Author: pcarleton

examples/clients/typescript/auth-test-no-cimd.ts

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
+import { withOAuthRetry } from './helpers/withOAuthRetry.js';
+import { runAsCli } from './helpers/cliRunner.js';
+import { logger } from './helpers/logger.js';
+
+/**
+ * Client that doesn't use CIMD even when server supports it.
+ * BUG: Doesn't provide clientMetadataUrl, so falls back to DCR.
+ */
+export async function runClient(serverUrl: string): Promise<void> {
+  const client = new Client(
+    { name: 'test-auth-client-no-cimd', version: '1.0.0' },
+    { capabilities: {} }
+  );
+
+  // BUG: Not passing clientMetadataUrl, so client will use DCR
+  // even when server supports client_id_metadata_document_supported
+  const oauthFetch = withOAuthRetry(
+    'test-auth-client-no-cimd',
+    new URL(serverUrl)
+    // Missing: handle401, clientMetadataUrl
+  )(fetch);
+
+  const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {
+    fetch: oauthFetch
+  });
+
+  await client.connect(transport);
+  logger.debug('Connected to MCP server (without CIMD)');
+
+  await client.listTools();
+  logger.debug('Successfully listed tools');
+
+  await client.callTool({ name: 'test-tool', arguments: {} });
+  logger.debug('Successfully called tool');
+
+  await transport.close();
+  logger.debug('Connection closed successfully');
+}
+
+runAsCli(runClient, import.meta.url, 'auth-test-no-cimd <server-url>');

examples/clients/typescript/auth-test.ts

@@ -2,10 +2,18 @@
 
 import { Client } from '@modelcontextprotocol/sdk/client/index.js';
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
-import { withOAuthRetry } from './helpers/withOAuthRetry.js';
+import { withOAuthRetry, handle401 } from './helpers/withOAuthRetry.js';
 import { runAsCli } from './helpers/cliRunner.js';
 import { logger } from './helpers/logger.js';
 
+/**
+ * Fixed client metadata URL for CIMD conformance tests.
+ * When server supports client_id_metadata_document_supported, this URL
+ * will be used as the client_id instead of doing dynamic registration.
+ */
+const CIMD_CLIENT_METADATA_URL =
+  'https://conformance-test.local/client-metadata.json';
+
 /**
  * Well-behaved auth client that follows all OAuth protocols correctly.
  */
@@ -17,7 +25,9 @@ export async function runClient(serverUrl: string): Promise<void> {
 
   const oauthFetch = withOAuthRetry(
     'test-auth-client',
-    new URL(serverUrl)
+    new URL(serverUrl),
+    handle401,
+    CIMD_CLIENT_METADATA_URL
   )(fetch);
 
   const transport = new StreamableHTTPClientTransport(new URL(serverUrl), {

examples/clients/typescript/helpers/ConformanceOAuthProvider.ts

@@ -27,13 +27,11 @@ export class ConformanceOAuthProvider implements OAuthClientProvider {
     return this._clientMetadata;
   }
 
+  get clientMetadataUrl(): string | undefined {
+    return this._clientMetadataUrl?.toString();
+  }
+
   clientInformation(): OAuthClientInformation | undefined {
-    if (this._clientMetadataUrl) {
-      console.log('Using client ID metadata URL');
-      return {
-        client_id: this._clientMetadataUrl.toString()
-      };
-    }
     return this._clientInformation;
   }
 

examples/clients/typescript/helpers/withOAuthRetry.ts

@@ -60,14 +60,16 @@ export const handle401 = async (
 export const withOAuthRetry = (
   clientName: string,
   baseUrl?: string | URL,
-  handle401Fn: typeof handle401 = handle401
+  handle401Fn: typeof handle401 = handle401,
+  clientMetadataUrl?: string
 ): Middleware => {
   const provider = new ConformanceOAuthProvider(
     'http://localhost:3000/callback',
     {
       client_name: clientName,
       redirect_uris: ['http://localhost:3000/callback']
-    }
+    },
+    clientMetadataUrl
   );
   return (next: FetchLike) => {
     return async (

src/scenarios/client/auth/basic-cimd.ts

@@ -0,0 +1,99 @@
+import type { Scenario, ConformanceCheck } from '../../../types.js';
+import { ScenarioUrls } from '../../../types.js';
+import { createAuthServer } from './helpers/createAuthServer.js';
+import { createServer } from './helpers/createServer.js';
+import { ServerLifecycle } from './helpers/serverLifecycle.js';
+import { SpecReferences } from './spec-references.js';
+
+/**
+ * Fixed client metadata URL that clients should use for CIMD tests.
+ * This URL doesn't need to resolve - the server will accept it as-is
+ * and use hardcoded metadata.
+ */
+export const CIMD_CLIENT_METADATA_URL =
+  'https://conformance-test.local/client-metadata.json';
+
+/**
+ * Scenario: Client ID Metadata Documents (SEP-991/URL-based client IDs)
+ *
+ * Tests that when a server advertises client_id_metadata_document_supported=true,
+ * clients SHOULD use a URL as their client_id instead of using dynamic client
+ * registration.
+ */
+export class AuthBasicCIMDScenario implements Scenario {
+  name = 'auth/basic-cimd';
+  description =
+    'Tests OAuth flow with Client ID Metadata Documents (SEP-991/URL-based client IDs). Server advertises client_id_metadata_document_supported=true and client should use URL as client_id instead of DCR.';
+  private authServer = new ServerLifecycle();
+  private server = new ServerLifecycle();
+  private checks: ConformanceCheck[] = [];
+
+  async start(): Promise<ScenarioUrls> {
+    this.checks = [];
+
+    const authApp = createAuthServer(this.checks, this.authServer.getUrl, {
+      clientIdMetadataDocumentSupported: true,
+      onAuthorizationRequest: (data) => {
+        // Check if client used URL-based client ID
+        const usedUrlClientId = data.clientId === CIMD_CLIENT_METADATA_URL;
+        this.checks.push({
+          id: 'cimd-client-id-used',
+          name: 'Client ID Metadata Document Usage',
+          description: usedUrlClientId
+            ? 'Client correctly used URL-based client ID when server supports client_id_metadata_document_supported'
+            : 'Client SHOULD use URL-based client ID when server advertises client_id_metadata_document_supported=true',
+          status: usedUrlClientId ? 'SUCCESS' : 'WARNING',
+          timestamp: data.timestamp,
+          specReferences: [
+            SpecReferences.MCP_CLIENT_ID_METADATA_DOCUMENTS,
+            SpecReferences.IETF_CIMD
+          ],
+          details: {
+            expectedClientId: CIMD_CLIENT_METADATA_URL,
+            actualClientId: data.clientId || 'none'
+          }
+        });
+      }
+    });
+
+    await this.authServer.start(authApp);
+
+    const app = createServer(
+      this.checks,
+      this.server.getUrl,
+      this.authServer.getUrl
+    );
+
+    await this.server.start(app);
+
+    return { serverUrl: `${this.server.getUrl()}/mcp` };
+  }
+
+  async stop() {
+    await this.authServer.stop();
+    await this.server.stop();
+  }
+
+  getChecks(): ConformanceCheck[] {
+    // Ensure we have the CIMD check - if not, the client didn't make an auth request
+    const hasCimdCheck = this.checks.some(
+      (c) => c.id === 'cimd-client-id-used'
+    );
+    if (!hasCimdCheck) {
+      this.checks.push({
+        id: 'cimd-client-id-used',
+        name: 'Client ID Metadata Document Usage',
+        description:
+          'Client did not make an authorization request to test CIMD support',
+        status: 'FAILURE',
+        timestamp: new Date().toISOString(),
+        specReferences: [
+          SpecReferences.MCP_CLIENT_ID_METADATA_DOCUMENTS,
+          SpecReferences.IETF_CIMD
+        ]
+      });
+    }
+
+    return this.checks;
+  }
+}

src/scenarios/client/auth/helpers/createAuthServer.ts

@@ -10,13 +10,15 @@ export interface AuthServerOptions {
   loggingEnabled?: boolean;
   routePrefix?: string;
   scopesSupported?: string[];
+  clientIdMetadataDocumentSupported?: boolean;
   tokenVerifier?: MockTokenVerifier;
   onTokenRequest?: (requestData: {
     scope?: string;
     grantType: string;
     timestamp: string;
   }) => { token: string; scopes: string[] };
   onAuthorizationRequest?: (requestData: {
+    clientId?: string;
     scope?: string;
     timestamp: string;
   }) => void;
@@ -33,6 +35,7 @@ export function createAuthServer(
     loggingEnabled = true,
     routePrefix = '',
     scopesSupported,
+    clientIdMetadataDocumentSupported,
     tokenVerifier,
     onTokenRequest,
     onAuthorizationRequest
@@ -93,6 +96,12 @@ export function createAuthServer(
       metadata.scopes_supported = scopesSupported;
     }
 
+    // Add client_id_metadata_document_supported if provided
+    if (clientIdMetadataDocumentSupported !== undefined) {
+      metadata.client_id_metadata_document_supported =
+        clientIdMetadataDocumentSupported;
+    }
+
     // Add OpenID Configuration specific fields
     if (isOpenIdConfiguration) {
       metadata.jwks_uri = `${getAuthBaseUrl()}/.well-known/jwks.json`;
@@ -123,6 +132,7 @@ export function createAuthServer(
 
     if (onAuthorizationRequest) {
       onAuthorizationRequest({
+        clientId: req.query.client_id as string | undefined,
         scope: scopeParam,
         timestamp
       });

src/scenarios/client/auth/index.test.ts

@@ -5,6 +5,7 @@ import {
 } from './test_helpers/testClient.js';
 import { runClient as goodClient } from '../../../../examples/clients/typescript/auth-test.js';
 import { runClient as badPrmClient } from '../../../../examples/clients/typescript/auth-test-bad-prm.js';
+import { runClient as noCimdClient } from '../../../../examples/clients/typescript/auth-test-no-cimd.js';
 import { runClient as ignoreScopeClient } from '../../../../examples/clients/typescript/auth-test-ignore-scope.js';
 import { runClient as partialScopesClient } from '../../../../examples/clients/typescript/auth-test-partial-scopes.js';
 import { runClient as ignore403Client } from '../../../../examples/clients/typescript/auth-test-ignore-403.js';
@@ -76,4 +77,11 @@ describe('Negative tests', () => {
       'scope-step-up-escalation'
     ]);
   });
+
+  test('client uses DCR instead of CIMD when server supports it', async () => {
+    const runner = new InlineClientRunner(noCimdClient);
+    await runClientAgainstScenario(runner, 'auth/basic-cimd', [
+      'cimd-client-id-used'
+    ]);
+  });
 });

src/scenarios/client/auth/index.ts

@@ -1,5 +1,6 @@
 import { Scenario } from '../../../types';
 import { AuthBasicDCRScenario } from './basic-dcr.js';
+import { AuthBasicCIMDScenario } from './basic-cimd.js';
 import {
   AuthBasicMetadataVar1Scenario,
   AuthBasicMetadataVar2Scenario,
@@ -18,6 +19,7 @@ import {
 
 export const authScenariosList: Scenario[] = [
   new AuthBasicDCRScenario(),
+  new AuthBasicCIMDScenario(),
   new AuthBasicMetadataVar1Scenario(),
   new AuthBasicMetadataVar2Scenario(),
   new AuthBasicMetadataVar3Scenario(),

src/scenarios/client/auth/spec-references.ts

@@ -52,5 +52,13 @@ export const SpecReferences: { [key: string]: SpecReference } = {
   MCP_AUTH_ERROR_HANDLING: {
     id: 'MCP-Auth-error-handling',
     url: 'https://modelcontextprotocol.io/specification/draft/basic/authorization#error-handling'
+  },
+  MCP_CLIENT_ID_METADATA_DOCUMENTS: {
+    id: 'MCP-Client-ID-Metadata-Documents',
+    url: 'https://modelcontextprotocol.io/specification/draft/basic/authorization#client-id-metadata-documents'
+  },
+  IETF_CIMD: {
+    id: 'IETF-OAuth-Client-ID-Metadata-Document',
+    url: 'https://datatracker.ietf.org/doc/html/draft-ietf-oauth-client-id-metadata-document-00'
   }
 };